Processing Activities: Direct Care and Administration

Recipients or categories of recipients of the personal or special categories of personal data

Purpose of the processing and data retention periods

Lawful basis

 

Your Rights

 

NHS Trusts – Hospitals, Community or Mental Health Trusts. 

Personal data concerning your GP medical record may be shared with NHS Trusts in order to enable their healthcare professionals make the best informed decision about your health needs, and provide you with the best possible care if you visit the hospital for routine care and referrals.

Your personal information may also be processed for local  administrative purposes such as:

  • Waiting list management;

  • local clinical audit;

  • Performance against local targets;

  • activity monitoring;

  •  production of datasets to submit for commissioning purposes and national collections.

 

The source of the information shared in this way is your electronic GP record.

In accordance with DPA Part 1, Schedule 1 (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

Common Law of Duty of Confidentiality

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21 and DPA Section 99, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Emergency Services (Ambulance trusts, police, A&E departments, out of hours services, 111)

There are circumstances when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for example, during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate.

Medical professionals have a duty of care to share data in emergencies to protect their patients or other persons. In these circumstances, your GP medical record will be shared with emergency healthcare services, the police or fire service in order to enable you receive the best treatment or service.

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

Article 9 (2) (C) – the processing is necessary to protect the vital interests of the data subject;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

In accordance with DPA Schedule 1, Part 3, (30) (b) the conditions for protecting individual’s vital interests is met where the data subject is physically or legally incapable of giving consent.

You have the right to:

  • Make pre-determined decisions about the type and extent of care you will receive in an emergency, these are known as “Advance Directives”;

  • access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

Right to object: You have the right to object to some or all of your personal information being shared with the recipients. You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.

We will notify you at the earliest opportunity where we have shared your personal data in an emergency situation.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

GP Federations (groups of GP practices working together)

 

GP Federations are groups of GPs (patient centered organisation), working collaboratively and developing closer integration with other partners across health, social and third sector partners to facilitate an enhanced delivery of health and care services.

Through various hubs in the community the GP Federation provide direct health and care services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across [select your area e.g. Dartford, Gravesham, Swanley, East or West Kent, Swale, Medway etc].

If you visit receive treatment/consultation on any of these services, personal data concerning your GP medical record may be shared with the GP Federation and their Multidisciplinary Team (MDT) in order to enable them make the best informed decision about your health/care needs, and provide you with the best possible care.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

Section 251B Health and Social Care (Safety and Quality Act) 2015 (Duty to Share);

Common Law of Duty of Confidentiality

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Pharmacists - Medicines Optimisation

Medicines optimisation looks at the value which medicines deliver, making sure they are clinically-effective and cost-effective. It is about ensuring patients get the right choice of medicines, at the right time, and are engaged in the process by their clinical team.

Medicines optimisation enables community pharmacies to request medication electronically from the Practice and view relevant information from your GP record in order to provide you with the best medicines.

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Common Law of Duty of Confidentiality

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Local Authority – Social Services

The [insert your organisation name] works closely with Local Authorities to support and care for people of all ages to deliver the best possible social care.

Personal data concerning your GP medical record may be shared with Local Authorities and Multidisciplinary Team (MDT) delivering social care in order to enable them make the best informed decision about your social care needs if required.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

GDPR Article 9(2) (b) – processing necessary in the field of employment, social security and social protection law;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

In accordance with DPA Part 1, Schedule 1, (1a) the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Care Homes

Personal data concerning your GP medical record may be shared with Care Homes and other Multidisciplinary Team (MDT) delivering care in order to enable their care professionals make the best informed decision about your care needs, and provide you with the best possible care if you visit a Care Home.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) -health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Community Pharmacy BP monitoring

 

The NHS Community Pharmacist Consultation Service (CPCS) is a National Programme and was launched by NHS England and NHS Improvement on the 29 October 2019, to progress the integration of community pharmacy into local NHS urgent care services, providing more convenient treatment closer to patients’ homes

If a patient presents at a GP Practice with a minor ailment which falls within the criteria for this service, the patient would be offered a GP CPCS referral and would need to consent to the referral. The patient would then state which Pharmacy they wish the consultation to take place at.

The practice care navigator/receptionist/call handler will then generate the referral.

 

The Data Retention Period

The Standard Care Records retention period will be applied.

All data is held in line with NHSE data retention guidelines

Within the General Data Protection Regulation (GDPR), Article 6 sets out the conditions for lawfully processing personal data and Article 9 sets out further conditions for processing special categories of personal data. As personal data concerning health is one of the special categories, organisations that process such data must be able to demonstrate they have met a condition in both Article 6 and Article 9.

Under the GDPR, for processing personal data in the delivery of direct care, and for providers’ administrative purposes, the most appropriate Article 6 condition that is available to all public funded health and social care organisations is Article 6(1)(e): “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller”.

For work undertaken the relevant condition to rely on under Article 9 is (2)(h): “processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care treatment.” (read with Schedule 1 paragraph 2 of the Data Protection Act).

There is an obligation in s. 251B of the Health and Social Care Act 2012 to share information amongst relevant commissioners and providers for the purposes of direct care.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Kent & Medway Healthy.io Adherence as a Service - at home kidney test for patients with diabetes

Kent & Medway GP Practices

Kent & Medway Healthy.io Adherence as a Service - at home kidney test for patients at risk of Chronic Kidney Disease.

Healthy.io has been contracted by the NHS, via the Accelerated Access Collaborative, to provide an at home kidney test service for participating primary care practices. This project will enable Kent & Medway practices to identify patients at risk of chronic kidney disease through the offer of an at home kidney screening albumin to creatinine urinalysis test. It will also increase practice adherence with the urinary albumin test for diabetic patients, which is one of the 9 NICE recommended annual care processes.

 

The Data Retention Period

The Standard Care Records retention period will be applied. All data is held in line with NHSE data retention guidelines

Kent and Medway GP practices will instruct Healthy.io to contact individuals as part of their provision of care. Due to this, the lawful basis is as follows:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (for processing under a public body contract); or

As the Controllers are health and care organisations, the Article 9 exemption applying to the processing of special category data will be:

Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Schedule 1, Part 1(2) Health and Social Care Purposes, Data Protection Act 201 (2) (d) the provision of health care or treatment

It is noted that the transfer of patient information to Healthy.io by the GP practice in order to involve the Albumin: Creatinine Ratio test in their treatment is compatible with the above lawful basis and consent is not required by the patient in order for this information to be shared.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Community Pharmacy Consultation ServiceKent & Medway GP Practices

The NHS Community Pharmacist Consultation Service (CPCS) is a National Programme and was launched by NHS England and NHS Improvement on the 29 October 2019, to progress the integration of community pharmacy into local NHS urgent care services, providing more convenient treatment closer to patients’ homes

If a patient presents at a GP Practice with a minor ailment which falls within the criteria for this service, the patient would be offered a GP CPCS referral and would need to consent to the referral. The patient would then state which Pharmacy they wish the consultation to take place at.

The practice care navigator/receptionist/call handler will then generate the referral.

 

The Data Retention Period

The Standard Care Records retention period will be applied. All data is held in line with NHSE data retention guidelines

Within the General Data Protection Regulation (GDPR), Article 6 sets out the conditions for lawfully processing personal data and Article 9 sets out further conditions for processing special categories of personal data. As personal data concerning health is one of the special categories, organisations that process such data must be able to demonstrate they have met a condition in both Article 6 and Article 9.

Under the GDPR, for processing personal data in the delivery of direct care, and for providers’ administrative purposes, the most appropriate Article 6 condition that is available to all public funded health and social care organisations is Article 6(1)(e): “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller”.

For work undertaken the relevant condition to rely on under Article 9 is (2)(h): “processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care treatment.” (read with Schedule 1 paragraph 2 of the Data Protection Act).

There is an obligation in s. 251B of the Health and Social Care Act 2012 to share information amongst relevant commissioners and providers for the purposes of direct care.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Kent & Medway Healthy.io Adherence as a Service - at home kidney test for patients with diabetesKent & Medway GP Practices

Kent & Medway Healthy.io Adherence as a Service - at home kidney test for patients at risk of Chronic Kidney Disease.

Healthy.io has been contracted by the NHS, via the Accelerated Access Collaborative, to provide an at home kidney test service for participating primary care practices. This project will enable Kent & Medway practices to identify patients at risk of chronic kidney disease through the offer of an at home kidney screening albumin to creatinine urinalysis test. It will also increase practice adherence with the urinary albumin test for diabetic patients, which is one of the 9 NICE recommended annual care processes.

Healthy.io support Kent and Medway Primary Care Practices to identify and extract a list of patients that have a diagnosis of diabetes Type 1 or 2 or hypertension that have not had their urinary albumin screening test in the last 12 months as required by the practice as part of the patient’s care. The list is generated from the reporting functionality within the Practice’s own clinical system.

Kent and Medway GP practices will instruct Healthy.io to contact individuals as part of their provision of care. Due to this, the lawful basis is as follows:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (for processing under a public body contract); or

As the Controllers are health and care organisations, the Article 9 exemption applying to the processing of special category data will be:

Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Schedule 1, Part 1(2) Health and Social Care Purposes, Data Protection Act 201 (2) (d) the provision of health care or treatment

It is noted that the transfer of patient information to Healthy.io by the GP practice in order to involve the Albumin: Creatinine Ratio test in their treatment is compatible with the above lawful basis and consent is not required by the patient in order for this information to be shared.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Post COVID Assessment Service (PCAS) West Kent Federation

A post Covid assessment service is required for the Kent & Medway Integrated Care System covering a population of 1.9 million and encompassing the following Integrated Care Partnerships:

• Dartford, Gravesham and Swanley

• Medway and Swale

• East Kent

• West Kent

In October 2020 NHSE and NHSI made a commitment to establish Post-Covid Assessment and Rehabilitation Service (PCAS) across England giving patients access to multi-professional advice.

The multi-professional team will provide physical, cognitive, psychological and psychiatric assessments, as well as testing functional abilities, of those people experiencing suspected post-COVID syndrome, so that they can be referred to the right specialist help.

 

The Data Retention Period

Data Retention and Disposal Guidance is provided in the Information (Data) Governance Policy May 2021. Adult health records are retained for 8 years from the point of last consultation or discharge.

Electronic records will be made inaccessible at the end of the retention period and paper records will be shredded and destroyed using confidential records destruction at the end of the retention period.

Initially, Health Service (Control of Patient Information (COPI)) Regulation 2002 will be relied upon.  UK GDPR Article 6(1)(e) and Article 9(2)(b)

However, as the Country emerges from lockdown and the service moves into business as usual the following lawful bases will be engaged. Article 6(1)(e) processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller

Access to the information is to provide direct care

Article 9 (2) (h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards

Access to the information is to provide direct care

The lawfulness of sharing/processing of Shared Personal Data set out in Article 6(1) (e) of the GDPR (as above) is also permitted under Section 8 (d) of DPA 2018:

Processing is necessary for the exercise of statutory functions.

Access to the information is to provide direct care.

The lawfulness of sharing/processing Shared Personal Data set out in Article 9 (2) (h) of the GDPR (as above) is permitted under DPA Section 10 (health and social care purposes)

Conditions relied upon for obligations of professional secrecy.

For the purpose of Article 9 (2) (h) of the GDPR, Part 2, Schedule 1, DPA 2018(Health and Social Care purposes) is also engaged

For the purposes of Article 9(2) (h) of the GDPR, the circumstances in which the processing of Shared Personal Data is carried out is subject to the conditions and safeguards referred to in Article 9(3) of the GDPR (obligation of professional secrecy). Therefore, in accordance with DPA Section 11(1), these include circumstances in which it is carried out –

(a) by or under the responsibility of a health professional or a social work professional, or

by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Collaborative Practice – Altogether Better Potentially all 196 Kent & Medway GP Practice although initially, the programme has been commissioned for 12 Practices.

Altogether Better are an NHS national network organisation who have developed a nationally recognised, evidence- based approach. They support GP practices to provide better healthcare by inviting patients to work alongside them as volunteer practice health champions to improve the health and well-being of their practice community.

Altogether Better support, guide and mentor staff in general practice to invite and support a group of volunteer Practice Health Champions to work with the practice to create new ways for patients to access support that meets their health needs. Altogether Better have found that if practice’s reach out to their practice population via the use of their SMS/instant messaging system then the practice is much more likely to attract potential Practice Health Champions who do not regularly engage with the practice for their own health needs and who therefore would not be reached via posters in surgery or the practice’s social media.

 

The Data Retention Period

The data will be retained for the duration of the programme (approx. 1 year)

NHS mail and digital files are deleted.

Under the GDPR, for processing personal data in the delivery of direct care, and for providers’ administrative purposes, the most appropriate Article 6 condition that is available to all public funded health and social care organisations is Article 6(1)(e): ‘Public Task’

“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller”.

For work undertaken by the ‘health champion’ is carried out subject to the conditions and safeguards of Obligation of Professional Secrecy Article 9 (3).

There is an obligation in s. 251B of the Health and Social Care Act 2012 to share information amongst relevant commissioners and providers for the purposes of direct care.

In terms of Health Champions providing direct care to the wider Practice patient population - Articles 6(1)(e) and Article and 9(3) together with Part 1(2) Schedule 1 DPA 2018 may apply

Health Champions will be working under the direction of a Clinical Lead in each GP Practice.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Proxy Access – Implementation within care homes across Kent & Medway

All GP practices across Kent and Medway and all care homes across Kent and Medway

Proxy access is a national directive from NHS England, where the plan is to roll out to all the care homes across England. We have been tasked with rolling it out to care homes across Kent and Medway.

https://www.england.nhs.uk/ourwork/clinical-policy/ordering-medication-using-proxy-access/ - More information can be found about the project.

This project uses current proxy functionality via GP online available to the general public when acting as proxy for relatives/friends via a website to access the GP clinical system EMIS. GP practices via GP online services can enable care home staff to order medications in the GP record for the resident’s care. Proxy access was developed to allow someone other than the patient to access and manage parts of their GP online services account. The proxy is given their own online access account (rather than using the patient’s login details). It is often used by the parents or recognised carers of young children, and recognised carers of adults.

Staff have proxy access to patient medication records on EMIS GP system, which gives authorised access to order repeat medication on behalf of the resident

The Data Retention Period

Patient medication records are kept indefinitely in an electronic format in the GP practice. The recommendation is that care homes should keep medicines administration records for at least 8 years after the person’s care ended at the service. After 8 years, review the records. If they are no longer needed, destroy them in line with local policies.

Lawfulness of processing- Article 6 (1) (e) ‘…for the performance of a public task carried out in the public interest or in the exercise of official authority.

• Processing of special categories of personal data Article 9 (2) (h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems’.

• Sharing Personal Data is carried out subject to the conditions and safeguards of Obligation of Professional Secrecy Article 9 (3).

• Sharing is done in accordance with DPA 2018 S.11 (1) by:

- By or under the responsibility of a health professional or a social work professional, or

- By another person who in the circumstances owes a duty of confidentiality

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

West Kent HCP Integrated Neighbourhood Working – Weald PCN – Mental Health MDT

Howell Surgery

Lamberhurst Surgery

Marden Medical Centre

Weald View Medical Practice/North Ridge

Old Parsonage Surgery

Old School Surgery

Marden Medical Centre

Orchard End Surgery

Staplehurst Health Centre

The Crane Surgery

Yalding Surgery

West Kent Health Limited

Kent and Medway NHS Care and Social Partnership Trust

Maidstone and Tunbridge Wells NHS Trust

Kent County Council

Change Grow Live (CGL)

Live Well Kent (IAPT)

Porchlight

Kent Community Health NHS Foundation Trust

We are with you

IESO

West Kent Mind

SECAMB

EMIS Clinical Services

DOCMAN

This project is initially a 6-9-month pilot starting 1st January 2023, implementing a mental health MDT across practices that form the Weald PCN for frequent attenders of primary care who’s main presenting complaint is related to mental health. This is to provide a more personalised and joined up management of care to this group of patients by developing a multi-agency response informed by both mental health workers but also social care and community-based staff in the form of a Multi-Disciplinary Team meeting. The MDT will consist of core members such as:

Mental Health Practitioner, Social Prescriber Link Worker, Mental Health GP, MDT Co-ordinator, Pharmacist, Primary Care Mental Health Team & Frequent Attender Team

 

The Data Retention Period

All data held will be either destroyed securely at the end of the contract or handed back to the data controller.

Each GP Practice within The Weald PCN recognises that different record retention arrangements are needed in respect of retention and disposal schedules of Shared Personal Data. Therefore, each Party shall ensure it has a written policy and procedure for the archiving, retention and disposal of information in accordance with Records-management-code of practice 2021

All joint controllers , will store data on their systems and delete/destroy in compliance with the NHS records managements code of practice 2021

Paper records once uploaded to the digital records will be destroyed using a crosscut shredder or subcontracted to a confidential waste company that complies with European Standard EN15713

Lawfulness of processing is based on the fulfilment of a legal obligation (Article 6(1)(c) UK GDPR) as detailed in the Health and Social Care Act 2012 s251(b) (as amended by the Health and Social Care (Safety and Quality) Act 2015 which created a statutory ‘duty to share’ information amongst relevant commissioners and providers for the purposes of direct care and commissioning.

Processing is further carried out under the lawfulness conditions and the performance of a public task (Article 6(1)(e)) of the UK GDPR. the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide healthcare services

Article 9(2)(h) Direct Care and Administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.

For the purpose of Article 9 (2) (h) of GPDR the circumstances in which the processing of shared personal data is carried out is subject to the conditions and safeguards referred to in article 9(3) of the GDPR (obligation of professional secrecy) there in accordance with DPA section 11(1) these include circumstances in which it is carried out -

by or under the responsibility of a health professional or a social work professional or

by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

The use is necessary for compliance with a legal obligation to which the WKPC is subject.

the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller e.g. in order to provide healthcare services processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Dementia Coordinators Service

All GP Practices across Kent and Medway East Kent Age UK Herne Bay

West Kent Alzheimer’s and Dementia Support Service 

NHS Social Care Partnership Trust Memory Assessment Service

The Dementia Coordinator programme has been jointly commissioned by Kent and Medway ICB and Kent County Council (KCC). Whilst the Service will be made available across Kent and Medway, it should be noted that Medway Council have not commissioned the Service.

Principally, the aim is to establish Dementia Coordinators within the Specialist Dementia Support services. This is to create a model of care that proactively responds to ongoing care needs, has no service gaps enabling us to work collaboratively across our local health and care system. There will be added benefit in the model of coordination selected to support people pre and post diagnosis integrating with Primary Care Networks, pursuing a more rapid assessment process and reassuring GPs that there is a full supportive pathway of care for people following diagnosis.

 

The Data Retention Period

Data is stored electronically in clinically systems and deleted/destroyed in compliance with the NHS Record Management Code of Practice 2021.As Joint Controllers, providers will store data on their systems and delete/destroy in compliance with the NHS Record Management Code of Practice 2021.

Paper records will be destroyed using a crosscut shredder or subcontracted to a confidential waste company that complies with European Standard EN15713.

The Dementia Registers are held on GP EMIS systems, which will be updated by the Dementia Coordinators.

Article 6(1)(e) processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller

Access to the information is to provide direct care

Article 9 (2) (h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards

Access to the information is to provide direct care

The lawfulness of sharing/processing of Shared Personal Data set out in Article 6(1) (e) of the GDPR (as above) is also permitted under Section 8 (d) of DPA 2018:

Processing is necessary for the exercise of statutory functions.

Access to the information is to provide direct care.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Targeted Lung Health Check

NHS Kent and Medway

East Kent Hospitals University NHS Foundation Trust

St James Surgery 

Church Lane Surgery

Pencester Surgery

Sun Lane

Balmoral Surgery

St Richards Road Surgery

White House Surgery

Orchard House

The New Surgery

Guildhall Street Surgery

The Cedars Surgery

High Street Surgery

Sandgate Road

Peter Street Surgery

Oak Hall

Oaklands Health Centre

Hawkinge And Elham

Folkestone East Family Practice

Aylesham Medical Practice

Central

Lydden Surgery

Manor Clinic

Church Road 

Pencester Health

Martello Health Centre

New Lyminge Surgery

Manor Road Surgery

Buckland Medical Practice

White Cliffs Medical Centre

Park Farm

Sandwich Medical practice

Harbour Medical Practice

The New Surgery

The TLHC programme will identify those eligible for a Targeted Lung Health Check (55-74 years of age who have ever smoked) and invite them for a lung health check. This is done via a data extraction from GP Clinical system EMIS by Apollo Extraction to HISBI > EKHUFT extract and link to internal data

If identified as high risk following the initial lung health check appointment conducted by a TLHC nurse, the patients will then be invited for a low dose CT scan. The only patient-level information that will be made available to East Kent Hospitals University NS Foundation Trust (EKHUFT), as lead provider for the programme, will be patient contact and demographic details, patient date of birth, NHS number, and smoking status (which is a QOF flag). Only members of the EKHUFT TLHC team will be able to access this patient-level information, and patient details will only be used for the purpose of inviting eligible participants to take part in this programme, and for the purpose of administrating the programme and subsequent recall. EKHUFT will also use the information to crosscheck whether the participant has had a CT scan within the previous twelve months, as per national eligibility criteria.

 

Data Retention Period

Data is stored electronically in clinically systems used by the Acute trusts including such as infoflex and PAS and deleted/destroyed in compliance with the NHS Record

Management Code of Practice 2021.

Within the UK General Data Protection Regulation (GDPR), Article 6 sets out the conditions for lawfully processing personal data and Article 9 sets out further conditions for processing special categories of personal data. As personal data concerning health is one of the special categories, organisations that process such data must be able to demonstrate they have met a condition in both Article 6 and Article 9.

The lawful basis under the UK General Data Protection Regulation will be:

To support health and social care:

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’. and

• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”;

Schedule 1, Part 1 DPA 2018 supplementary condition

Health or social care purposes

2(1)This condition is met if the processing is necessary for health or social care purposes.

(2)In this paragraph “health or social care purposes” means the purposes of—

(a)preventive or occupational medicine, and

(d)the provision of health care or treatment,

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

eHUB Proof of Concept - Pilot Programme – eConsultation Room

eHUB Proof of Concept - Pilot Programme – eConsultation Room

eHubs will enable GP practices to come together and create a centralised model for supporting the management of online consultations and remote monitoring at a practice / PCN level, known as a virtual online consultation hub (eHub)

The aim for the eHubs will be to enable GP practices and NHS Trusts to come together and create a centralised model for supporting the management of:

• Online Consultations

• COVID Oximetry

• Acute breathing difficulties: Children with RSV-like illnesses and adults

What are eHubs?

• eHubs coordinate remote monitoring services and support clinical decision making.

• The eHub is a virtual ‘house’ enabled to support teams/networks of clinicians working in virtual ‘rooms’ to monitor patients including recognition, assessment and out-of-hospital monitoring.

Article 6(1)(e) processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller

Access to the information is to provide direct care

Article 9 (2) (h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards

Access to the information is to provide direct care

The lawfulness of sharing/processing of Shared Personal Data set out in Article 6(1) (e) of the GDPR (as above) is also permitted under Section 8 (d) of DPA 2018:

Processing is necessary for the exercise of statutory functions.

Access to the information is to provide direct care.

The lawfulness of sharing/processing Shared Personal Data set out in Article 9 (2) (h) of the GDPR (as above) is permitted under DPA Section 10 (health and social care purposes)

Conditions relied upon for obligations of professional secrecy.

For the purpose of Article 9 (2) (h) of the GDPR, Part 2, Schedule 1, DPA 2018(Health and Social Care purposes) is also engaged

For the purposes of Article 9(2) (h) of the GDPR, the circumstances in which the processing of Shared Personal Data is carried out is subject to the conditions and safeguards referred to in Article 9(3) of the GDPR (obligation of professional secrecy). Therefore, in accordance with DPA Section 11(1), these include circumstances in which it is carried out –

(a) by or under the responsibility of a health professional or a social work professional, or

(b) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

The Digitalisation of Lloyd George Records

GP Practices

Iron Mountain

EMIS

This work forms part of a national NHSX acceleration programme to fully digitalise Lloyd George medical records (historic paper records). The provider will be determined through a procurement process supported by the NHSE regional team. The tender process will determine a range of suppliers who meet the minimum criteria to support the digitalisation of Lloyd George Medical Records. This will ensure the procurement is fit for purpose.

This work follows an extensive audit of current Lloyd George storage situation across the primary care estate. Significant opportunities for repurposing the use of storage have been identified such as creating additional clinical rooms, admin rooms to support Practice and PCN development.

A five-year framework for GP contract reform to implement The NHS Long Term Plan states that all patients will be able to have digital access to their full records from 2020

6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

HCRG Care Group and GPs EMIS

DGS GP Practices

Swale GP Practices

The information sharing agreement has been drafted to support clinicians in sharing relevant and appropriate clinical information between the GP practices and Adult Community services within HCRG Care Group for the purposes of Direct Care, using the EMIS clinical information system.

The GPs will sign up to the EMIS Configuration document which will be managed by the HCRG Care Group clinical systems team who will then complete the technical information sharing.

The purpose of the sharing of information detailed in this agreement is:

1. To deliver health care to patients

2. Support services that are managed by HCRG Care Group & GP practices

3. To allow appropriate data sharing of care records through EMIS to EMIS

HCRG Care Ltd

 

Data Retention Period

 All data, whether held on paper or in electronic format must be stored and disposed of in line with each partner organisation’s retention and disposal schedule. Retention periods should be informed by the Records Management Code of Practice published on 4 August 2021 by the Information Governance Alliance (IGA).

Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority’.

Where special categories personal data is being processed for purposes related to the commissioning and provision of health and social care services the condition is: Article 9(2)(h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for ... medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

HCRG Care Ltd, company number 5466033 registered in England and Wales at The Heath Business and Technical Park, Runcorn, Cheshire WA7 4QX

Send any correspondence to the address at the top of this letter

UK GDPR Article 6(1)(e) and Article 9(2)(h) is the lawful basis

Yes

Sharing for Safeguarding Purposes For the purposes of safeguarding vulnerable patients/service users, the Article 6(1)(e) and 9(2)(b) may apply.

The Children Act 1989 (CA) establishes implied powers for local authorities to share information to safeguard children. Local authorities have a duty to investigate where a child is the subject of an emergency protection order, is in police protection or where there is reasonable cause to suspect that a child is suffering or is likely to suffer significant harm. The CA also requires local authorities ‘to safeguard and promote the welfare of children within their area who are in need’ and to request help from specified authorities including NHS organisation. These are required by the CA to comply ‘…with the request if it is compatible with their own statutory or other duties and obligations and does not unduly prejudice the discharge of any of their functions’. Under the Children Act 2004 local authorities must make arrangements to promote cooperation with relevant partners and others, to improve well-being.

• Article 6(1)e – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority’.

Where special categories personal data is being processed for purposes related to the commissioning and provision of health and social care services the condition is:

Article 9(2)(b) – ‘‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law...’

UK GDPR Article 6(1)(e) and Article 9(2)(b) is the lawful basis

Explicit consent is available as a lawful basis for processing special categories of data but is not normally use consent as a legal basis in a healthcare setting.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Processing Activities: Other Primary Care Services delivered for the purpose of direct care

Recipients or categories of recipients of the personal or special categories of personal data

Purpose of the processing and data retention periods

Lawful basis

 

Your Rights

 

 

Integrated Urgent Care Service (IUC) - covering Out of Hours and NHS 111 service

Integrated Urgent Care Service (IUC) is an urgent care service delivered across Dartford, Gravesham, Swanley, Medway, Swale, East and West Kent for the provision of a functionally integrated 24/7 urgent care access, clinical advice and treatment service for patients. IUC incorporates NHS 111 and Out of Hours (OOH) services, which is often referred to as an IUC Clinical Assessment Service.

 

The purpose of IUC is to ensure that patients receive the best possible healthcare service in their community.

If you visit the urgent care centre or call NHS 111 for health related needs, personal data in your GP record will be shared with healthcare professionals in order to enable them make the best the best informed decision about your health needs.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) -health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislations:

Section 251B Health and Social Care (Safety and Quality Act) 2015 (Duty to Share);

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Continuing Health Care (CHC)

NHS Continuing Health Care (CHC) is free care outside of hospital that is arranged and funded by the NHS to support living with complex medical conditions and on-going healthcare needs which can be delivered in the patient’s home, at their care home or in non-acute hospitals.

CHC is free, unlike support from social services for which a fee may be charged, depending on your income and savings. CHC is different from NHS Funded Nursing Care, which some people with less complex needs living in care homes receive.

If you require CHC needs personal data concerning your GP medical record will be shared with the care home or in non-acute hospitals looking after you.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA  Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislations:

Common Law of Duty of Confidentiality;

Section 251B Health and Social Care (Safety and Quality Act) 2015 (Duty to Share);

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered. Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

Evaluation of the Dartford, Gravesham and Swanley (DGS) Health & Care Partnership (HCP) - PCN Integrated Community Frailty Service

As part of DGS HCP’s programme to develop a whole system integrated approach to frailty and adult complex care, the DGS system partners have identified the need for a service to support frail and complex patients.

The service is part of a collaborative approach to identifying and supporting frail residents in the DGS area, working in particular with Darent Valley Hospital, Primary Care Networks across DGS, HCRG (formally Virgin Care), ellenor hospice, social prescribing services and local care home providers. It will work both in the community and upon discharge, to help maintain people’s health, wellbeing and independence, and ensure their carers are referred to any necessary support services, thus helping to prevent unwarranted hospital attendances and admissions. The service will provide two key areas of work – Proactive and Reactive care but will complement existing services by focussing primarily on the pro-active element.

 

The Retention Period

BI team keeps all data in line with the ICB Retention Policy

The most appropriate legal basis for processing identifiable data in this case is under GDPR – Article 6 ( e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

The ICB has both a contract in place with Mede Analytics and a Joint Controllers Agreement in place with Practices that describes that GP data will be pseudonymised at source, extracted and transferred to Mede Analytics by Apollo Medical Software Solutions Ltd (Apollo) where the ICB will be able to access pseudonymised patient records and use this data for the purpose of providing Business Intelligence (BI) and Analytics services.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

 

 

 

 

 

 

 

Processing Activities: Statutory Disclosures of Information

Recipients or categories of recipients of the personal or special categories of personal data

Purpose of the processing and data retention periods

Lawful basis

 

Your Rights

 

Safeguarding Concerns – to prevent an individual, or to prevent a serious crime

 

Some members of public are recognised as needing safeguarding protection, for example children and vulnerable adults. If an individual is identified as being at risk from harm, we have a duty to do what we can to protect that individual, and we are bound ‘Safeguarding’ laws to do so.

Where there is a suspected or actual safeguarding issue we will share information that we hold about you with other relevant agencies such as local Ambulance trusts, the police, A&E departments, out of hours services, 111 or Social Services)

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following conditions:

Article 9 (2) (c) – the processing is necessary to protect the vital interests of the data subject;

Article 9(2) (b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;

In accordance with DPA Schedule 1, Part 3, (30) (b) - the conditions for protecting individual’s vital interests is met where the data subject is physically or legally incapable of giving consent.

In accordance with DPA Schedule 1, Part 2 (18) (1a) - the conditions is met where the processing is necessary for  protecting an individual from neglect or physical, mental or emotional harm,  or protecting the physical, mental or emotional well-being of an individual

Related Legislations:

Section 47 of The Children Act 1989.

Section 45 of the Care Act 2014

This sharing is a legal and professional requirement and therefore there is no right to object.

 

The Children Act 1989 requires local authorities to investigate where a child is the subject of an emergency protection order, is in police protection or where there is a reasonable cause to suspect that a child is suffering or is likely to suffer harm.

The Act requires the local authority to safeguard and promote the welfare of children who are in need, within their geographical area and to request help from specified authorities including General Practices, NHS Trusts, Integrated Care Boards (ICB) and NHS England.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

 

The Care Quality Commission (CQC)

The Care Quality Commission (CQC) is a regulatory body established under the Health and Social Care Act. The CQC regulates health and social care services in England to ensure that safe health and care are provided. The law allows CQC to access identifiable patient data/medical records in our clinical system for the purposes of their assessment and investigation of significant safety incident.

 

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following conditions:

Article 6(1) (c) - processing for legal obligation;

DPA Section 8 (d) - Processing is necessary for the exercise of statutory functions.

The processing of special categories of personal data concerning health is permitted under the following conditions:

Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services

DPA Section 10 (1) (c) - health and social care purposes.

In accordance with DPA Schedule 1, Part 1 (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Law Enforcement and Regulatory Bodies

In some circumstances the Practice may be legally required to share personal information with law enforcements and regulatory bodies (without the consent of the data subject) such as: the Police; Courts of Justice; HMRC and DVLA for the purposes of prevention or detection of crime; apprehension or prosecution of offenders; the assessment or collection of any tax or duty or, of any imposition of a similar nature.

GPs are obliged to notify the DVLA when fitness to drive requires notification but an individual cannot or will not notify the DVLA themselves, and if there is concern for road safety, which would be for both the individual and the wider public.

The Practice will review each request based on its merits before deciding whether to release information to the ‘relevant authorities’.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following conditions:

Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - Processing is necessary for the exercise of statutory functions.

The processing of special categories of personal data concerning health is permitted under the following conditions:

Article 9 (2) (G) – the processing is  necessary for reasons of substantial public interest

In accordance with DPA Schedule 1, Part 2, (10) (1c) – the condition is met where the processing is necessary for the prevention or detection of an unlawful act  

 

This sharing is a legal and professional requirement and therefore there is no right to object. Personal data processed for these purposes are exempt for the first data protection principle (processed lawfully, fairly and in a transparent manner).

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Medico-Legal

Medico-Legal - Where a medical professional is holding personal data for the purpose of providing medical reports in connection with legal action.

The source of the information shared in this way is your electronic GP record.

 

The processing of personal data is permitted under the following conditions:

GDPR Article 6(1) (c) - processing for legal obligation;

The processing of special categories of personal data concerning health is permitted under the following conditions:

GDPR Article 9 (2) (f) – the processing is necessary for the establishment, exercise or defence of legal claims;

In accordance with DPA Schedule 1, Part 3, (33) - the conditions for processing for legal claims is met where it is in connection with, any legal proceedings including prospective legal proceedings or; for the purpose of obtaining a legal advice or; establishing exercising or defending legal rights.

This sharing is a legal and professional requirement and therefore there is no right to object.

 

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

General Medical Council (GMC)

General Medical Council (GMC) is a public body that maintains the official register of medical practitioners within the United Kingdom. Its primary responsibility is ‘to protect, promote and maintain the health and safety of the public’ by controlling entry to the register, and suspending or removing members when necessary.

Under the Medical Act 1983, the GMC has the power to request access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practise.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following conditions:

Article 6(1) (c) - processing for legal obligation;

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

The Medical Act 1983

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

The Health Service Ombudsman (HSO)

 

The Health Service Ombudsman (HSO) was set up by Parliament to provide an independent complaint handling service for complaints that have not been resolved by the NHS in England and UK government departments.

The HSO has the power to request access to a patient’s medical records for the purpose of an investigation.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following paragraph:

Article 6(1) (c) - processing for legal obligation;

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

The Health Services Commissioners Act 1993,s12

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

NHS Counter Fraud

 

Under the NHS Act 2006, investigations into fraud in the NHS may require access to confidential patient information.

This means that we are compelled by the law to share your data.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following paragraph:

Article 6(1) (c) - processing for legal obligation;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

S10 NHS Act 2006

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

NHS Digital – Statutory Data Collection

NHS Digital is a national information and technology partner to the health and social care system. NHS Digital use digital technology to transform the NHS and social care.

NHS Digital carries out National Data collections/ extraction from the GP record. These include:

 

National Diabetes Audit (NDA) - A national monitoring system, auditing the care of patients with diabetes. The data extracted for the purpose of NDA includes NHS Number, date of birth and postcode, as well as clinical parameters related to diabetes. NDA is a mandatory data extraction under section 259 of the Health and Social Care Act 2012, this means that we are compelled by law to share your data

Individual GP Level Data (IGPLD) - A national monitoring system to enable NHS Digital to provide GPs with clinical information on the care provision for their patients. The data extracted includes the NHS number. IGPLD is a mandatory data extraction under 259 of the Health and Social Care Act 2012, this means that we are compelled by law to share your data

FGM) - NHS Digital collects data on FGM within the NHS in England on behalf of the Department of Health (DH). Data collected is used to produce information that helps improve NHS and local authorities to improve on how they support women and girls who have had or, who are at risk of FGM.

FGM Enhanced Dataset is a mandatory data extraction under section 259 of the Health and Social Care Act 2012, this means that we are compelled by law to share your data when required.

 

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

 

The processing of personal data is permitted under the following condition:

Article 6(1) (c) - processing for legal obligation;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

S259 of the Health and Social Care Act 2012

 

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.

Whilst there is no right to object when we are complying with a legal obligation, NHS Digital respects Type 1 objections (9Nu0 read codes) present in the GP record and no data will be extracted and uploaded if so.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

NHS England

NHS England is responsible for securing, planning, designing and paying for Primary Care & Specialised NHS services not otherwise funded by Kent and Medway ICBs. This includes planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services.

We may often share personal information with NHS England potentially for safeguarding concerns that need escalating beyond our borough.

Where required the Practice may also have to share staff personal information with NHS England for the purpose of allegations framework or performers list.

 The source of the information that may be shared in this instance are in the staff record and patient’s electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

 

The processing of personal data is permitted under the following conditions:

Article 6(1) (c) - processing for legal obligation;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

National Cancer Diagnosis Audit (NCDA).

The National Cancer Diagnosis Audit (NCDA) looks at primary and secondary care data relating to patients diagnosed with cancer. It helps to understand pathways to cancer diagnosis, what works well and where improvements could be made.

The audit looks specifically at clinical practice in order to understand:

  • interval length from patient presentation to diagnosis;

  • use of investigations prior to referral;

  • what the referral pathways for patients with cancer are and how they compare with those recorded by the cancer registry

 

The processing of personal data is permitted under the following conditions:

Article 6(1) (c) - processing for legal obligation;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Public Health

 

Public Health England is an executive agency of the Department of Health and Social Care, and a distinct organisation with operational autonomy.

The main purpose of the organisation is to protect and improve the health and wellbeing of citizens. These include the management of smoking, alcohol and obesity; management of epidemics and infections such as flu, measles, tuberculosis or outbreaks of food poisoning.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following paragraph:

Article 6(1) (c) - processing for legal obligation;

The processing of special categories of personal data concerning health is permitted under the following condition:

GDPR Article 9(2) (i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

In accordance with DPA Schedule 1, Part 1 (3) (a) – the condition is met where the processing is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

 

Related Legislations:

The Health Protection (Notification) Regulations 2010 (SI 2010/659);

The Health Protection (Local Authority Powers);

Regulations 2010 (SI 2010/657)

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Processing Activities: Processing for the purposes of commissioning, planning, research and risk stratification

Kent and Medway ICB

Kent and Medway ICB are responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as ‘Commissioning’.

In order to enable Kent and Medway ICB carry out its statutory responsibilities effectively, efficiently and safely, we may share personal data about you with the ICB for the following purposes:

  • Individual Funding Requests;

  • Continuing Health Care;

  • Appeals, queries or compliments; safeguarding concerns;

  • Commissioning purposes such as payment for target achievement known as Quality and Outcomes Framework (QOF); and where the Practice is participating in agreed national or local enhanced services.

The source of the information shared in this way is your electronic GP record.

Data retention period: All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following condition:

Article 6(1) (e) - public interest or in the exercise of official authority.

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services

 You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Risk Stratification" (Population Health Management and Case Finding)

 

Recipient: Insert the name of your Risk Stratification Provider

The Practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. Diabetes, heart disease, cancer, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

Risk stratification can be grouped into two purposes namely:

Direct Care‘Case Finding’ where carried out by a health professional (e.g. GPs and Provider) involved in an individual’s care or by a data processor acting under contract with such a provider, it is treated as direct care.

Indirect Care - understand the local population needs and plan for future requirement.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Section 251 NHS Act 2006

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipient for the purpose of Indirect Care.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Research Partners

 

The [insert your organisation name] participates projects ad will only agree to do so if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the Section 251 arrangement.

We may also use your medical records to carry out research within the practice.

We share information with the following medical research organisations with your explicit consent or when the law allows: [insert names e.g. Clinical Practice Research Datalink].

The source of the information shared in this way is your electronic GP record.

You have the right to object to the sharing of your personal health data concerning your GP medical for research purposes.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data is permitted under the following GDPR and DPA conditions:

Article 9 (2) (i) - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law

In accordance with DPA Schedule 1, Part 1, (4) - The condition for the processing is met where it is necessary for archiving purposes, scientific or historical research purposes or statistical purposes; carried out in accordance with Article 89(1) of the GDPR and DPA Section 19, and the processing is in the public interest.

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Employment Processing

 

The Practice ensures the protection of the rights and freedoms in respect of the processing of its  employees’ personal data, in particular for the purposes of the recruitment, obligations performance contract of employment, rights and benefits management planning, health and safety, equality and diversity in the workplace, health and safety at work.

The Practice ensures that personal data it collects from employees are used only for employment related purposes or where there is a statutory obligation to share the personal information with to regulatory bodies (e.g. courts, police or NHS England).

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data is permitted under the following conditions:

(2) (b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject;

In accordance with DPA  Schedule 1, Part 1 , (1a) - the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

 

Employees have the  right to:

  • To access, view or request copies of their personal information held by the Practice;

  • request rectification of any inaccuracy to their personal information;

  • restrict the processing of their personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

Right to object: Employees have a general right to raise an objection to the sharing personal data.

If an employee wishes to exercise his/her rights they can contact the Practice (data controller) or the DPO and their request will be carefully considered.

Right to complain: If an employee is dissatisfied with the way the Practice process his/her personal data, they have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Processing Activities: Data Sharing Databases

System/database

Recipients or categories of recipients of the personal or special categories of personal data

Purpose of the processing and data retention period

Lawful basis

 

Your Rights

The Kent and Medway Care Record

The Practice are one of the partner organisation’s to the Kent and Medway Care Record. The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you.  To enable this sharing of information, organisation’s who use the KMCR have agreements in place that allow the sharing of personal and special category data.  For further information about the KMCR and the ways in which your data is used for this system please click here.

The processing of personal data is permitted under the following GDPR and DPA conditions:

Article 6(1) (c) - processing for legal obligation;

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

Section 251B Health and Social Care (Safety and Quality Act) 2015 (Duty to Share);

Common Law of Duty of Confidentiality

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object or opt-out: You have the right to raise an objection to your personal data being shared in [INSERT SYSTEM] with your Practice. Although we will first need to explain how this may affect the care you receive.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/  

Shared Health and Care Board (SHaCB)

Your information will be passed, with all identifiers removed, to a collaborative programme called the Kent & Medway Shared Health and Care Analytics Board. It will be used for population health management purposes beyond your individual care, including, for example, planning services, managing finances, early treatment of illnesses (known as risk stratification), co-ordinating and improving patient and service user’s movement through the health and care system, research, and public health enhancement.

The processing of personal data is permitted under the following GDPR and DPA conditions:

Article 6(1) (c) - processing for legal obligation;

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Section 251B Health and Social Care (Safety and Quality Act) 2015 (Duty to Share);

NHS Act 2006

Health and Social Act 2012

Integrated Care Act 2022

Common Law of Duty of Confidentiality

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object or opt-out: You have the right to raise an objection to your personal data being shared in [INSERT SYSTEM] with your Practice. Although we will first need to explain how this may affect the care you receive.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/  

EMIS Health Systems Local Record Sharing – Integrated Care:

 

EMIS Local Record Sharing enables your GP medical record held on our secure EMIS Web clinical system to be shared with other healthcare Providers (e.g. acute hospitals, mental and community health and other GPs) who are commissioned to provide to provide health care services within your borough.

This local sharing is used to provide direct patient care for services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across [select area e.g. Dartford, Gravesham, Swanley, Swale, East or West Kent]

The information is accessed in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere.

The source of the information shared in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

Common Law of Duty of Confidentiality

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipients.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

Vision 360 System - Local Record Sharing – Integrated Care:

Vision 360 Practice Access provides secure, remote access to a patient's clinical data including medical history, therapy and test results. It allows Vision and Emis Web Practices you to share, view, record and edit patient consultation details between the two systems irrespective of technological and organisation boundaries.

The Vision 360 is used to provide Direct Patient Care for services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across [select area e.g. Dartford, Gravesham, Swanley, Swale, East or West Kent]

The information is accessed in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere in real time and on-demand, meaning that data from your GP record.

under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

Section 251B Health and Social Care (Safety and Quality Act) 2015 (Duty to Share);

Common Law of Duty of Confidentiality

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipients.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/   

 

Healthcare Gateway

Healthcare Gateway is the system supplier of Medical Interoperability Gateway (MIG) that can save hours of clinician time each day by providing healthcare professionals with instant access to real-time information about a patient.

The MIG is a secure middleware technology which enables the two-way exchange of patient information between local healthcare settings. This helps the clinicians to make informed treatment decisions faster and improve the efficiency of care by preventing unnecessary hospital admissions/appointments and duplicated tests.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

Common Law of Duty of Confidentiality

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipients.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/   

 

National NHS Digital Services “Spine” including:

 

Spine supports the IT infrastructure for health and social care in England, joining together over 23,000 healthcare IT systems in 20,500 organisations.

 

It hosts 5 key services to support the delivery of your care. They enable healthcare professionals, authorised with an NHS smartcard, to view relevant information about you as follows

Patient Demographics Service – The Personal Demographics Service (PDS) is the national electronic database of NHS patient details such as name, address, date of birth and NHS Number (known as demographic information). It helps healthcare professionals to identify patients and match them to their health records. It also allows them to contact and communicate with patients.

Summary Care Record (SCR) – is an electronic record of important patient information, created from GP medical records. It can be seen and used by authorised staff in other areas of the health and care system involved in the patient's direct care.

When your personal health records on your GP Record is uploaded to the spine, NHS Digital becomes the data controller for the uploaded information.

The source of the information shared in this way is your electronic GP record.

At a minimum, the SCR holds important information about;

  • current medication

  • allergies and details of any previous bad reactions to medicines

  • the name, address, date of birth and NHS number of the patient

The patient can also choose to include additional information in the SCR, such as details of long-term conditions, significant medical history, or specific communications needs.

 

e-Referral Service - The NHS e-Referral Service (e-RS) combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online.

Electronic Prescription Service - The Electronic Prescription Service (EPS) sends electronic prescriptions from GP surgeries to pharmacies. Eventually EPS will remove the need for most paper prescriptions.

GP2GP - GP2GP allows patients' electronic health records to be transferred directly, securely, and quickly between their old and new practices, when they change GPs. This improves patient care by making full and detailed medical records available to practices, for a new patient's first and later consultations.

The source of the information shared in all of the instances above in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

Right to object or opt-out: You have the right to raise an objection or opt-out of out of having an SCR by returning a completed opt-out form to their GP practice. Although we will first need to explain how this may affect the care you receive.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

NHS Digital – National Data Opt-Out

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care (research and planning) across the health and adult social care system in England. In broad terms the national data opt-out applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. The opt-out does not apply when the individual has consented to the sharing of their data or where the data is anonymised.

Any person registered on the Personal Demographic Services (PDS) and who consequently has an NHS number allocated to them is able to set a national data opt-out. The opt-out is stored in a central repository against their NHS number on the Spine.

The national opt-out applies to a number of datasets including:

National Clinical Audit of Rheumatoid and Early Inflammatory - NHS Digital collects this data on behalf of the British Society for Rheumatology to improve the quality of care for patients with Rheumatoid and early.

 

National Adult Community Acquired Pneumonia (CAP) Audit - NHS Digital collects this data on behalf of the British Thoracic Society to assess variation in the care of patients hospitalised with pneumonia in the UK.

 

Trauma Audit & Research Network (TARN) - NHS Digital collects this Confidential Patient Information on behalf (CPI) on behalf TARN

 

Invoice Backing Data for Contracted Activity - NHS Digital collects this data to enable Commissioners to determine if they are the responsible commissioner. It is important to point out that the national opt-out applies to contracted activity data that has not been rendered anonymous.

 

Risk Stratification data for Indirect Care - NHS Digital collects this data for data processors working on behalf of GPs and ICBs. The GP data is linked to other records that they access, such as hospital attendance records in order to enable the ICBs (commissioners) understand the local population needs and plan for future requirement.

The source of the information shared in this way is your electronic GP record.

The source of the information shared in all of the instances above in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

Section 251 NHS Act 2006

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

Right to object or opt-out: You have the right to raise an objection or opt-out of having your data shared for the purposes of indirect care (research and planning). You can do so via the national opt-out website

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Open Exeter

Open Exeter is a web-enabled viewer which provides the facility for healthcare professionals to share/access patient data held on the National Health Application and Infrastructure Services (NHAIS) systems, including cervical screening, breast screening, organ donor, blood donor and home oxygen. 

Access to Open Exeter is only possible on the N3 network, and via authorised logons/passwords provided by NHS Digital.

The source of the information shared in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA  Schedule 1, Part 1 , (1a) - the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared in Open Exeter.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

 

 

 

 

Processing Activities: Data Processors

System/database

Recipients or categories of recipients of the personal or special categories of personal data

Purpose of the processing and data retention periods

Lawful basis

 

Your Rights

EMIS Health and Egton

The Practice is required to change this, if using another clinical system supplier (e.g. Vision or TPP SystmOne)

 

EMIS Health and Egton are responsible for the provision of a clinical system, software and IT services used by the Practice to securely store and process your medical record.

All information about your personal health records are stored in your GP electronic record. This information is then available to practice staff & external bodies as outlined in this document.

 

Data Retention Periods:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.

 

Electronic patient records must not be destroyed or deleted for the foreseeable future.”

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA  Schedule 1, Part 1 , (1a) - the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Insert name of digital interoperability shared record provider – in line with five year forward - STP

[Insert name of digital interoperability shared record provider – in line with five year forward – STP] responsible for the provision of IT clinical systems that enables safe, digitised patient care across the healthcare facilities.

 

The supplier of [INSERT SYSTEM NAME] - an Electronic Health Record (EHR) that links system and brings together patient data across the health and care system irrespective of traditional organisational or technological boundaries. This means health and care professionals in Kent and Medway can access subsets of their patients/service users’ medical or social records from a single system in order to provide the best possible care.

The source of the information shared in this way is your electronic GP record for the purposes of direct patient care and population health management.

Data Retention Periods:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.

Electronic patient records must not be destroyed or deleted for the foreseeable future.”

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA  Schedule 1, Part 1 , (1a) - the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being in [INSERT SYSTEM].

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

Docman and Docmail

 

 

Docman Limited act as a data processor and provides cloud-based storage software for electronic patient document. This includes letters that we receive, scan and upload to the patient record, as well as letters that we receive in an electronic format.

 

Generally, Docman enables primary health care organisations capture, file, workflow, view and manage primary care documents efficiently.

Docmail enables primary health care organisations send letters, invoices and documents directly from computers and other portable devices.

The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.

Electronic patient records must not be destroyed or deleted for the foreseeable future.”

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA  Schedule 1, Part 1 , (1a) - the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

iPlato

iPlato is cloud-based text messaging service used by GPs to communicate with their patients.

The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Unionf

 

Electronic patient records must not be destroyed or deleted for the foreseeable future.”

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA  Schedule 1, Part 1 , (1a) - the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

Quality Medical Solutions UK (QMS-UK):

QMS-UK are commissioned by NHS England to provide secure data processing solutions for two services:

Child Health Information Service – information relating to children’s vaccinations is shared with [insert organisation name] who run one of 4 Child Health Information Services across Kent and Medway

National Diabetic Retinal Screening Service – Diabetic eye screening is carried out in Kent and Medway  by Health Intelligence

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA  Schedule 1, Part 1 , (1a) - the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared in QMS.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

[Insert your Risk Stratification software supplier excluding EMIS (covered above) – e.g. Docobo, MedeAnalytics, Sollis or any listed on NHSE Approved Suppliers

 

The Practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. Diabetes, heart disease, lung cancer, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

Risk stratification can be grouped into two purposes namely:

Direct Care‘Case Finding’ where carried out by a health professional (e.g. GPs and Provider) involved in an individual’s care or by a data processor acting under contract with such a provider, it is treated as direct care.

Indirect Care - understand the local population needs and plan for future requirement.

The source of the information shared in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA  Schedule 1, Part 1 , (1a) - the the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

Related Legislation:

Section 251 NHS Act 2006

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

GP Data Flows using Apollo Data Extraction & MEDE Reporting Services

NHS Kent and Medway GP Practices

NHS Kent and Medway Clinical Commissioning Group

Apollo Medical Software Solutions Limited (transferring GP data to the ICB)

Maidstone and Tunbridge Wells NHS Trust as host for (HISbi)

MedeAnalytics International Limited

This DPIA relates to a change to the management of the transfer of General Practice healthcare data extraction due to the ICB contract with Optum Health Solutions (UK) Limited coming to an end on 31st January 2022.

The data is already flowing under the current solution managed by Optum Health Solutions (UK) Limited which involves Apollo Medical Software Solutions Limited, part of the Wellbeing Software and Citadel Group, running a bespoke SQL Query from within the SQL Suite software and creating a standardised output.

Depending on the circumstances and needs at the time the service is deployed with the General Practice, Apollo use two types of technology Data Extraction & Reporting Services, both of these are utilised by the General Practices in Kent and Medway:

• Amazon Web Services (AWS) Cloud Hosted

• Structured Query Language (SQL) Suite

 

Data Retention Period

There is no identifiable data, it is pseudonymised at source before leaving the Practices.

Individual back-up of local systems and data is not required as in the event of system failure data will be re-bulked from Practice systems.

However, to support the processing, there is a backup programme in place for the ICB via NEL IT, MedeAlanytics and HISbi.

All ICB retention policies are guided by the Records Management Code of Practice for Health and Social Care 2021.

Within the UK General Data Protection Regulation (UK GDPR), Article 6 sets out the conditions for lawfully processing personal data and Article 9 sets out further conditions for processing special categories of personal data. As personal data concerning health is one of the special categories, organisations that process such data must be able to demonstrate they have met a condition in both Article 6 and Article 9.

GDPR Article 6(1)(c) Legal obligation - the processing is necessary to comply with the law

- Section 14R NHS Act 2006 – ICBs have a legal duty as to the improvement of quality of services.

- Section 14Z1 NHS Act 2006 – ICBs have a legal duty to promote integration

Under the UK GDPR, for processing personal data in the delivery of direct care, and for providers’ administrative purposes, the most appropriate Article 6 condition that is available to all public funded health and social care organisations is Article 6(1)(e): “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller”.

For work undertaken the relevant condition to rely on under Article 9 is:

Article 9 (2)(h): “Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care treatment.” (read with Schedule 1 paragraph 2 of the Data Protection Act).

There is an obligation in s. 251B of the Health and Social Care Act 2012 to share information amongst relevant commissioners and providers for the purposes of direct care.

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

Optum ScriptSwitch

NHS Kent and Medway ICB

Optum Health Solutions (UK) Ltd

Kent and Medway ICB GP’s

Optum ScriptSwitch is a prescribing decision support product installed on GP desktops which has optional add on features to provide more specific patient advice by processing additional information from the clinical system patient record via the published APIs. This prescribing decision support software supports the Medicines Optimisation team by creating recommendations to prescribers when a medication is issued. Recommendations would be about a switch from the medication originally prescribed to an alternate product in line with the ICBs formulary.

 

Data Retention Period

Retention period is two years maximum from last entry. The data will be erased at the end of the retention period as required by the NHS Records Management Code of Practice for Health and Social Care 2021

29/03/22 - Patient ID data is held for 12 months only, to support the With-holding feature and automatically deleted by the ScriptSwitch Prescribing code

 

Within the General Data Protection Regulation (GDPR), Article 6 sets out the conditions for lawfully processing personal data and Article 9 sets out further conditions for processing special categories of personal data. As personal data concerning health is one of the special categories, organisations that process such data must be able to demonstrate they have met a condition in both Article 6 and Article 9.

Under the GDPR, for processing personal data in the delivery of direct care, and for providers’ administrative purposes, the most appropriate Article 6 condition that is available to all public funded health and social care organisations is Article 6(1) (e): “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller”.

For work undertaken the relevant condition to rely on under Article 9 is (2) (h): “processing is necessary for the purposes of preventive or occupational medicine” (read with Schedule 1 paragraph 2 of the Data Protection Act).

There is an obligation in s. 251B of the Health and Social Care Act 2012 to share information amongst relevant agencies

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

Kent and Medway Data Warehousing Service delivered by MedeAnalytics

As part of Kent and Medway ICB’s (KMICB) information and reporting functions, the third-party company Optum have been contracted since February 2018 to supply various data management and business intelligence services including the supply of data for reporting to the third-party company MedeAnalytics, the manipulation of data for various internal reporting and the receipt of data from a number of provider organisations for onward transmission. In essence, MedeAnalytics provide data warehousing and reporting capability using a self-service approach.

KMICB have made the decision to terminate the contract with Optum at the end of January 2022 and engage HISbi, a semi-autonomous department hosted by Maidstone and Tunbridge Wells NHS Trust (MTW), to deliver an alternative service, replacing data warehousing aspects of the Optum contract. Whilst ICB take steps to in-house data management and business intelligence services delivered by Optum, the ICB do not have an infrastructure to support its data warehousing needs. This is why an ICS partner was sought to deliver this critical activity.

 

Data Retention Period

The data is pseudonymised and not readily re-identifiable.

All data held by KMICB as the data controller will be reviewed and destroyed in line with ICB data retention policies, based on the Records Management Code of Practice for Health and Social Care 2021 and relevant Data Sharing Agreements.

The pseudonymised data can be exported and linked with other datasets outside of the MedeWorks platform, for example, in the KMICB sandbox in Kent and Medway Data Warehouse to perform further analysis, for example, for Population Health Management, providing that the data has a common pseudonym. Privacy Notices will be updated to reflect this.

The lawful basis for linking the data held from multiple systems to each individual data subject for secondary uses under the UK General Data Protection Regulation will be:

To support health and social care:

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’. and

• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”;

Or

For supporting public health:

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

[insert the names of the organisations you conduct clinical research with]

 

To enable healthcare professionals working for the Practice to provide information, derived from GP records, about individuals to accredited research organisations.

This covers research situations where the data controller (Practice) is approached by research organisations, directly, to recruit patients for studies.

Any research proposal will only be agreed with a clearly defined protocol, consent mechanisms, and relevant research ethics committee approval, and in line with the principles of
Article 89(1) of the EU GDPR.

Research organisations do not approach patients directly, rather
Practice will invite appropriate patients directly seeking their wish to take part.

This
Privacy Notice does not cover situations where Practice has been approached by an organisation seeking personal data concerning health to be disclosed in the absence of consent, i.e. via Related Legislation: Section 251 NHS Act 2006 / Health Research Authority (HRA) approval.

The source of the information shared in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

Article 9 (2) (i) - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law

In accordance with DPA Schedule 1, Part 1, (4) - The condition for the processing is met where it is necessary for archiving purposes, scientific or historical research purposes or statistical purposes; carried out in accordance with Article 89(1) of the GDPR and DPA Section 19, and the processing is in the public interest.

Related Legislation:

Section 251 NHS Act 2006

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

[insert the name of the organisation responsible archiving or destruction of Practice records e.g. PHS Data Solutions, Iron Mountain etc]

To provides solutions for records management, data backup and recovery, document management, secure storage, and accredited data destruction.

The source of the information shared in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

Article 9 (2) (i) - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law

In accordance with DPA Schedule 1, Part 1, (4) - The condition for the processing is met where it is necessary for archiving purposes, scientific or historical research purposes or statistical purposes; carried out in accordance with Article 89(1) of the GDPR and DPA Section 19, and the processing is in the public interest.

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

[insert the name of the organisation responsible financial and governance audit]

 

The supplier [insert name] offer a wide range of business assurance services, from internal audit, counter fraud and forensic investigations, risk management and governance.

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

 

You have the right to:

  • To access, view or request copies of your personal information;

  • request rectification of any inaccuracy in your personal information;

  • restrict the processing of your personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice process your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

[if any, insert organisation responsible for Human Resources and Payroll Services

The supplier [insert name]  provides practices with a software solution to enable the recording of Human Resources related information of its  employees’ personal data, in particular for the purposes of the recruitment, obligations performance contract of employment, rights and benefits management planning, health and safety, equality and diversity in the workplace, health and safety at work.

The Practice ensures that personal data it collects from employees are used only for employment related purposes or where there is a statutory obligation to share the personal information with to regulatory bodies (e.g. courts, police or NHS England).

 

Data Retention Period:

All records held in the Practice EMIS  system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care

 

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

Article 9(2) (b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;

In accordance with DPA  Schedule 1, Part 1 , (1a) - the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

 

Employees have the  right to:

  • To access, view or request copies of their personal information held by the Practice;

  • request rectification of any inaccuracy to their personal information;

  • restrict the processing of their personal information where:

  • accuracy of the data is contested,

  • the processing is unlawful or,

  • where we no longer need the data for the purposes of the processing.

 

Right to object: Employees have a general right to raise an objection to the sharing personal data.

If an employee wishes to exercise his/her rights they can contact the Practice (data controller) or the DPO and their request will be carefully considered.

Right to complain: If an employee is dissatisfied with the way the Practice process his/her personal data, they have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/