Privacy Notice for Huntingdon Road and Girton Surgeries
How we use your information to provide you with healthcare
- This practice keeps medical records confidential and complies with the General Data Protection Regulation and UK data protection legislation.
- We hold your medical record so that we can provide you with safe care and treatment.
- We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
- We will share relevant information from your medical record with other health or social care staff organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital, or your GP will send details about your prescription to your chosen pharmacy.
- We use a medical record system called SystmOne. Other health and social care organisations, for example GP Out of Hours services and community services, who also use this system may have the ability to view your GP medical record when they are providing care to you. You may be asked if you are happy for your record to be viewed, or in some circumstances you may be sent a verification code to allow services caring for you to view your record. You can choose not to allow other organisations to be able to view your GP medical record.
- Healthcare staff working in A&E and out of hours care may also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This information may be obtained from your Summary Care Record or from SystmOne. For more information see https://digital.nhs.uk/summary-care-records
- You have the right to request to have any mistakes in your medical record corrected.
Other important information about how your information is used to provide you with healthcare
Registering for NHS care
All patients who receive NHS care are registered on a national database.
This database holds your name, address, date of birth and NHS Number but it does not hold medical information about the care you receive.
The database is held by NHS Digital, a national organisation which has legal responsibilities to hold the NHS register.
For more information see https://digital.nhs.uk/services/systems-and-service-delivery/national-health-application-and-infrastructure-services/primary-care-registration or call general enquires at NHS Digital on 0300 303 5678.
Identifying patients who might be at risk of certain diseases
Your medical records may be searched by approved computer programmes so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
This means we can offer patients additional care or support as early as possible.
This process may involve linking information from your GP record with information from other health or social care services you have used.
Safeguarding
- Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
- These circumstances are rare.
- We do not need your consent or agreement to share information in these circumstances, as we are required to do this.
- Please see local policies for more information: https://www.safeguardingcambspeterborough.org.uk/adults-board/cpsabprocedures/cpsabsafeguardingpolicy/
We are required by law to provide you with the following information about how we handle your information to provide you with healthcare.
Purpose of the processing
- To provide direct health or social care to individual patients
- For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
- To check and review the quality of care. This is called audit and clinical governance.
Lawful basis for processing
- These purposes are supported under the following sections of the General Data Protection Regulation:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
- Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data
The data will be shared with:
- healthcare professionals and staff in this surgery;
- local hospitals;
- out of hours services;
- diagnostic and treatment centres;
- screening services;
- or other organisations involved in the provision of direct care to individual patients.
- Organisations who help us manage our data for specific purposes, and under formal agreement, include:
- Cambridgeshire & Peterborough NHS Foundation Trust who help identify patients who are frail and may require additional care services. For more information: http://www.cpft.nhs.uk/
- ICS Health and Wellbeing who send letters to patients on our behalf, inviting patients to attend a diabetes prevention service where we have identified them as being at risk of developing diabetes. For more information: https://icshealth.co.uk/
- InHealth Intelligence – who provide data regarding Diabetes Eye Screening
- Mendelion Ltd - an organisation who help us identify patients who may be at risk of serious medical conditions
Right to object
- You have the right to request to object to information being shared between organisations who are providing you with direct care.
- This may affect the care you receive.
- You are not able to object to your name, address and other demographic information being sent to, and held by, NHS Digital.
- This is necessary if you wish to be registered to receive NHS care.
- You are not able to object when information is legitimately shared for safeguarding reasons.
- In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.
- The information will be shared with the local safeguarding service(s).
Data we get from other organisations
- We receive information about your health from other organisations who are involved in providing you with health and social care.
- For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is updated when you receive care from other organisations.
How your information is used for medical research and to measure the quality of care
Medical research using population-based information
We share information from medical records:
- to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
- we will also use your medical records to carry out research within the practice.
This is important because:
- the use of information from GP medical records is very useful in developing new treatments and medicines;
- medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
- We share information with medical research organisations with your explicit consent or when the law allows.
- You have the right to object to your identifiable information being used or shared for medical research purposes.
Medical research trials that individual patients may agree to take part in
- If the practice takes part in a medical research trial, individual patients may be invited to be part of the trial. In order to take part, patients will be asked to consent to their data being used and shared for the particular research trial.
Checking the quality of care – national clinical audits
This practice contributes to national clinical audits so that healthcare can be checked and reviewed.
- Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you.
- The results of the checks or audits can show where hospitals are doing well and where they need to improve.
- The results of the checks or audits are used to recommend improvements to patient care.
- Data is sent to NHS Digital which is a national body with legal responsibilities to collect data.
- The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form - for example the code for diabetes or high blood pressure.
- We will only share your information for national clinical audits or checking purposes when the law allows.
- For more information about national clinical audits see the Healthcare Quality Improvements Partnership website: https://www.hqip.org.uk/ or phone 020 7997 7370.
- You have the right to object to your identifiable information being shared for national clinical audits.
We are required by law to provide you with the following information about how we handle your information for research.
Purpose of the processing
- Medical research, and to check the quality of care which is given to patients (this is called national clinical audit).
Lawful basis for processing
The following sections of the General Data Protection Regulation mean that we can use medical records for research and to check the quality of care (national clinical audits)
- Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
For medical research: there are two possible Article 9 conditions.
- Article 9(2)(a) – ‘the data subject has given explicit consent…’ (where an individual has agreed to take part in a specific research trial)
OR
- Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’. (where data is used for medical research using population based information)
To check the quality of care (clinical audit):
- Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’
Recipient or categories of recipients of the processed data
- For medical research the data will be shared with NHS Digital.
- For national clinical audits which check the quality of care the data will be shared with NHS Digital.
Rights to object and the national data opt-out
- Most of the time, anonymised data is used for research and planning so that you cannot be identified.
- From 25th May 2018, the national data opt-out enables you have a choice about whether you want your identifiable confidential patient information to be used for research and planning.
- To find out more or to register your choice under the national data opt-out, please visit www.nhs.uk. You can change your mind about your choice at any time.
How your information is shared so this practice can meet legal requirements
The law requires the practice to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:
- plan and manage services;
- check that the care being provided is safe;
- prevent infectious diseases from spreading.
We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information.
We must also share your information if a court of law orders us to do so.
NHS Digital
- NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
- It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
- This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
- More information about NHS Digital and how it uses information can be found at:
- https://digital.nhs.uk/home
- NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found here: https://www.gov.uk/government/publications/information-requests-from-the-home-office-to-nhs-digital
Care Quality Commission (CQC)
- The CQC regulates health and social care services to ensure that safe care is provided.
- The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
- For more information about the CQC see: https://www.cqc.org.uk/
Public Health
- The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
- We will report the relevant information to local health protection team or Public Health England.
- For more information about Public Health England and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report
We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.
Purpose of the processing
- Compliance with legal obligations or court order.
Lawful basis for processing
The following sections of the General Data Protection Regulation mean that we can share information when the law tells us to:
- Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’
- Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’
Recipient or categories of recipients of the processed data
- The data will be shared with NHS Digital.
- The data will be shared with the Care Quality Commission.
- The data will be shared with our local health protection team or Public Health England.
- The data will be shared with the court if ordered.
Rights to object and the national data opt-out
- There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.
NHS Digital
- You have the right to object to your identifiable information being shared with NHS Digital for reasons other than your own direct care.
- This is called a ‘Type 1’ opt-out – you can ask your practice to apply this code to your record.
- https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/how-we-look-after-your-health-and-care-information/your-information-choices/opting-out-of-sharing-your-confidential-patient-information
- From 25th May 2018, the national data opt-out enables you have a choice about whether you want your identifiable confidential patient information to be used for research and planning. This replaces a ‘Type 2 opt-out’.
- To find out more or to register your choice under the national data opt-out, please visit www.nhs.uk. You can change your mind about your choice at any time.
NHS Digital sharing with the Home Office
- There is no right of objection to NHS Digital sharing names and addresses of patients who are suspected of having committed an immigration offence.
Public health
- Legally information must be shared under public health legislation. This means that you are unable to object.
Care Quality Commission
- Legally information must be shared when the Care Quality Commission needs it for their regulatory functions. This means that you are unable to object.
Court order
- Your information must be shared if it ordered by a court. This means that you are unable to object.
National screening programmes
- The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
- These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
- The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
- More information can be found at: https://www.gov.uk/topic/population-screening-programmes
We are required by law to provide you with the following information about how we handle your information in relation to our legal obligations to share data.
Purpose of the processing
- The NHS provides several national health screening programmes to detect diseases or conditions early such as cervical and breast cancer, aortic aneurysm and diabetes.
- The information is shared so that the correct people are invited for screening. This means those who are most at risk can be offered treatment.
Lawful basis for processing
The following sections of the General Data Protection Regulation allow us to contact patients for screening:
- Article 6(1)(e) – ‘processing is necessary…in the exercise of official authority vested in the controller...’
- Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’
Recipient or categories of recipients of the processed data
- The data will be shared with NHS Digital, hospital laboratory services, local breast screening units, and Health Intelligence who provide diabetic eye screening.
- The Practice shares your diabetes related data with the Diabetic Eye Screening Programme operated by Health Intelligence, commissioned by NHS England. For further information: www.eadesp.co.uk
Rights to object
- For national screening programmes you can opt so that you no longer receive an invitation to a screening programme.
- See: https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes
Data we get from other organisations
- We receive information about your screening test results from other organisations who are involved in providing these services.
- This means your GP medical record is updated with screening results.
Data we hold about you
We hold data about you in electronic and paper records. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.
The type of data that we hold about you may include the following:
- Details about you, such as your address and next of kin;
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health;
- Details about your treatment and care;
- Results of investigations, such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you.
- Your medical record is held in a computer system called SystmOne. This system is provided to us under a National contract. Your data is held and managed in secure data centres by TPP. For more information: https://www.tpp-uk.com/
SMS and Email
- We will hold your mobile phone number and email address where you have provided these to us.
- We may use these to send you text messages or emails about your care, for example, messages about appointments, test results, or inviting you to attend for a clinic.
- You have the right to provide your mobile number for calls only. If you do not wish to receive text messages from us, please speak to the practice so we can add this to your record to prevent text messages being sent to you.
- You have to right to have your email address or mobile phone number removed from your GP record.
- We will only use the email address or mobile phone number for direct medical care purposes, unless you have provided us with your explicit consent to email you for other purposes as well, for example, for us to send you surgery newsletters, details from patient participation group meetings, or details about new services.
- If you provide your consent for us to send you information other than for your direct care, you can remove this consent at any time.
Right to access and correct
- You have the right to access the data we hold about you, and request to have any errors or mistakes corrected. Please speak to a member of staff.
- We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
Retention period
- GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
Right to complain
- If you have concerns about the way we manage your data. Please contact the Operations Manager.
- You have the right to seek independent advice about data protection, as well as the right to complain, by contacting the Information Commissioner’s Office. https://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113
Data Controller contact details
- Huntingdon Road Surgery, 1 Huntingdon Road, Cambridge CB3 0DB
Data Protection Registration Number
- Z6455468
Data Protection Officer
- Postal address: Data Protection Officer, Cambridgeshire and Peterborough CCG, Lockton House, Clarendon Road, Cambridge, CB2 8FH.
Email address: CPICB.DataProtectionOfficer@nhs.net
Date last reviewed or updated
- 24 May 2018
Covid-19 and your information - Updated on 8th April 2020
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice above.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by the patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently.