Privacy Policy

Privacy Notice Suffolk

 

The purpose of this notice is to inform you of the type of information that the surgery holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.

The surgery has a duty to ensure that your personal data is kept confidential, secure and used appropriately.

What kind of information do we use?

There are different types of information collected and used across the NHS.  It should be noted that information which cannot identify an individual does not come under the Data Protection Act 2018.

We use the following types of information/data:

1.      Anonymised data, which is data about you but from which you cannot be personally identified

2.      De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified

3.      De-identified data with weakly pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number

4.      Personal data which you can be personally identified from (this includes information such as your name and address)

5.      Special category data which tells us something about you (this includes information such as your ethnicity and health information)

We will only use information that may identify you (known also as personal confidential data) in accordance with the: Data Protection Act 2018 – The Data Protection Act requires us to have a legal basis if we wish to process any personal information.

What do we use your information for?

We hold your medical record so that we can provide you with safe care and treatment. We will also use your information so that our surgery can check and review the quality of care we provide, this helps us to improve the service we provide to you. We shall share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in hospital or your GP will send details about your prescription to your chosen pharmacy.

Aside from sharing information directly for your care, there are some other purposes that we may share data for, including:

Risk Stratification

Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent un-planned hospital admissions or reduced the risk of certain diseases developing such as type 2 diabetes.  This is called risk stratification for case-finding. As part of this, our surgery uses a primary care software system called SystmOne. 

NHS Digital

NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients. This surgery must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.

The General Practice Extraction Service (GPES) collects information for a wide range of purposes, including providing GP payments. It works with the Calculating Quality Reporting Service (CQRS) and GP clinical systems as part of the GP Collections service. Find out more here.

Care Quality Commission (CQC)

The CQC regulates health and social care services to ensure that safe care is provided. The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. For more information about the CQC see: http://www.cqc.org.uk/

Public Health

The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England.

Who do we share your information with?

We may share your information with other parties dealing with your care. When we do this we will inform you first unless we have a legal basis. We will not share your information with marketing organisations or other organisations that could cause you harm or lead to intrusive contact.

Some examples are:

·         Local Council

·         Hospital

·         Mental Health Trust

·         Ambulance Service

·         Care Homes

·         Social Care

·         Safeguarding

·         Clinical Commissioning Group (CCG)

·         Clinical system providers

·         Police

·         Coroner

·         Confidential Waste removal company

·         Voluntary Sector Organisations

We will keep you informed of how your data is used through this privacy notice, however please note that there may be times when we may not notify you such as for the prevention and detection of crime, safeguarding purposes, or as requested by a Court Order. We will only do this when the law requires us to do so.

Primary Care Network

We are a member of  South Rural Primary Care Network (PCN).  This means we will be working closely with a number of other Practices and health and care organisations to provide healthcare services to you.

During the course of our work we may share your information with these Practices and health care organisations/professionals.  We will only share this information where it relates to your direct healthcare needs. 

When we do this, we will always ensure that appropriate agreements are in place to protect your information and keep it safe and secure. This is also what the Law requires us to do.

If you would like to see the information the PCN holds about you please contact the Practice Manager. See also your rights as a patient listed below.

Multi-disciplinary Meetings

Multidisciplinary teams (MDTs) are teams of professionals from different disciplines in primary, community, social care and mental-health services who work together to plan a patient's care.

Social Prescribing

Social Prescribing enables GPs, nurses and other primary care professionals to refer people to a range of local, non-clinical services. NHS England describes social prescribing as “enabling all local agencies to refer people to a link worker”. Link workers - known locally as Community Connectors - give people time and focus on what matters to the person. They connect people to community groups and agencies for practical and emotional support. If you have an appointment with a Community Connector, only limited information would be passed on. There are agreements in place to protect your data.

Diabetic Eye Screening

The Diabetic Eye Screening Programme in this area is provided by Health Intelligence after they were awarded the contract by NHS England Midlands and East to continue provision of the service from 1 April 2016. All patients aged 12 and over, with a diagnosis of diabetes will be referred by their GP surgery to the diabetic eye screening programme. You can find more information about this service as www.eadesp.co.uk

Text Messages

Please note that we will use your mobile number to text you with information regarding your care such as appointment reminders and appointment booking for Flu and Covid vaccination clinics. Please let us know if you would not like your mobile number used for this purpose. 

Call Recording

Please note that this practice records its calls for training and quality purposes.

 CCTV

Please note that this practice uses CCTV.

 How do we keep your information safe?

All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.

We take relevant organisational and technical measures to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption and information is transferred safely and securely. 

The surgery does not transfer personal confidential information overseas without adequate protection.

Under the Data Protection Act 2018, the surgery is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable data is collected, held and processed.

The surgery has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

The surgery will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and or required to by law. The surgery is party to a number of information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation.

How long do we keep your information for?

There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the NHS Records Management Code of Practice.

NHS data are subject to legal retention periods and should not be destroyed unless specific instructions to do so has been determined and received from the Data Controller. 

What rights do I have?

By law you have certain rights related to your information. These are:

The right to be informed

You have the right to know what information that we hold about you, what we do with it and why. We inform patients through this privacy notice.

The right of access

You have the right to have a copy of the information that we hold on you. We must provide this to you within one calendar month and free of charge unless an exemption applies. We may need you to prove your identity before we can release any information to you.

The right of rectification

You have the right to have your personal data corrected if inaccurate.

The right to erasure

You have the right to have your personal data erased in certain circumstances.

The right to restrict processing

You have the right to restrict the processing of your personal data in certain circumstances.

The right to data portability

You have the right allows you to obtain and reuse your information for your own purposes. You have the right to have your information in a digital format.

The right to object

You have the right to prevent processing of your information in certain circumstances.

Rights related to automated decision making and profiling

We must inform you if we do this kind of processing, and offer you a human based alternative.

If you wish to exercise any of your rights, you can make contact by using the information below:

Constable Country Medical Practice
Heath Road
East Bergholt
Colchester
CO7 6RT

ccmp@nhs.net

Telephone – 01206298272

Practice Manager – Pete Keeble

Caldicott Guardian – Dr Victoria Okpiabhele

Your Data Matters

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.

The National Data Opt-Out programme is a service that allows patients to opt out of their confidential patient information being used for research and planning.

Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters.

Raising concerns

If you are concerned about the way we are handling your information or wish to make a complaint please contact the Practice Manager on 01206298272.

If you still have further concerns then please contact the Data Protection Officer – Paul Cook – email: iesccg.dpo@nhs.net

The Data Protection Officer service is provided by Ipswich and East Suffolk Clinical Commissioning Group (IESCCG) more information is available at: http://www.ipswichandeastsuffolkccg.nhs.uk/

If the issue cannot be resolved by our organisation or the Data Protection Officer, you have the right to report it to the Information Commissioners Office (ICO). The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. You can contact them on the details below:

www.ico.org.uk/concerns/

Phone – 0303 123 1113


Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Population Health Management (PHM) Privacy Notice

Under data protection law we must tell you about how we use your personal information. This includes the personal information that we share with other organisations and why we do so. Our main GP practice privacy notice is on our website. This additional privacy notice provides details about Population Health Management.

 

What is Population Health Management (PHM)?

This work is aimed at improving the health of both local and national populations.

It is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair and equal. It helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care.

Population Health Management requires health and social care organisations to work together with communities and partner agencies. The organisations will share de-identified information (where information about you has been removed) with each other in order to get a view of health and services for the population in a particular area.

Across Ipswich and East Suffolk and North East Essex a population health management programme has been introduced. The programme will combine this de-identified information from GP practices, community service providers, hospitals and other health and care providers to allow a comprehensive picture of health and care needs to be identified and services planned according to need.

 

How will my Personal Information be used?

The information needed for this Programme will include information about your health and social care.  Information about you and your care will be used in the programme, but in a format that does not directly identify you which we refer to within this privacy notice as pseudonymised.

The information will be used for a number of health and social care related activities such as:

·         improving the quality and standards of care provided

·         research into the development of new treatments

·         preventing illness and diseases

·         monitoring safety

·         planning services

 

Your Personal information will be shared with?

Your GP will send the information they hold on their systems to the NHS North of England Commissioning Support Unit (NECS), who are part of NHS England.   NHS Digital who already holds information about other health and care attendances, will send the information they hold to NHS North of England Commissioning Support Unit (NECS).

NECS will make the GP data linkable with other local and national data sources to understand the population health more effectively. This process is called Pseudonymisation and any information that identifies you has been removed and replaced with a pseudonym (Unique Code).

The pseudonym will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice will be able to see your personal information in order to offer this service to you.

The pseudonymised data will be sent to a company called Optum.  Optum have been commissioned by NHS England to provide specialist analysis of the data to support improvements to the local populations health and to target health and social care resources effectively.

Both NECS and Optum are required to protect your information and maintain confidentiality at all times.

 

What will happen to my Personal Information when the Project is Finished?

For the NHS England and Improvement/Optum programme, data will be processed only for the duration of the 20-week programme.  Once the 20-week programme has completed the information will be securely destroyed from Optum systems.

NECS working on behalf of the practice will retain the practice data as agreed for a maximum of 14 days to ensure that they successfully remove any identifiable data once this is accomplished the identifiable practice data will be securely destroyed. The remaining de-identified data will be used by analysts to provide health and social care statistics for PHM projects for the length of each project as agreed with the practice.

Our legal basis for sharing data

Health Care Providers are permitted by data protection law to use information where it is “necessary for medical purposes”. This includes caring for you directly as well as management of health services more generally.

Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law and in the majority of cases, anonymised data is used so that you cannot be identified.

Under data protection law, we can only share patient data if we have a legal basis under Articles 6 and 9 of the UK GDPR.

Our legal basis for sharing patient data is Article 6(1)(c) - legal obligation, as we are required under the Health and Social Care 2012 Act.

When we are sharing patient data about health we also need a legal basis under Article 9 of the UK GDPR.

 

Article 9(2)(h) – as we are sharing patient data for the purposes of providing care and managing health and social care systems and services. This is permitted under paragraph 2 of Schedule 1 of the DPA.

Article 9(2)(i) - as patient data will also be used for public health purposes. This is permitted under paragraphs 3 of Schedule 1 of the DPA.

Article 9(2)(j) - as patient data will also be used for the purposes of scientific research and for statistical purposes. This is permitted under paragraph 4 of Schedule 1 of the DPA.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

National Data Opt-out (opting out of NHS Digital sharing your data)

This applies to identifiable patient data about your health which is called confidential patient information. If you don’t want your confidential patient information to be shared by NHS Digital with other organisations for purposes except your own care - either GP data, or other data it holds, such as hospital data - you can register a National Data Opt-out.

If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.

From 1 October 2021, the National Data Opt-out will also apply to any confidential patient information shared by the GP practice with other organisations for purposes except your individual care. It won’t apply to this data being shared by GP practices with NHS Digital, as it is a legal requirement for us to share this data with NHS Digital and the National Data Opt-out does not apply where there is a legal requirement to share data.

You can find out more about and register a National Data Opt-out, or change your choice on nhs.uk/your-nhs-data-matters or by calling 0300 3035678.

Privacy notice - COVID-19 Clinical Risk Assessment Tool

Our purposes for processing your personal information
 

This COVID-19 Clinical Risk Assessment Tool Privacy Notice is provided to explain how your personal information is used when we use the COVID-19 Clinical Risk Assessment Tool (the Tool). This notice is an additional notice to our full privacy notice which explains how we process your personal information more generally and is available on request and on our website.

The Tool is an online tool, provided by the NHS, that assesses the risk to you of coronavirus. It has been designed for use during a consultation with a patient and otherwise to support direct patient care. Your doctor or healthcare professional (clinician) inputs information about you into the Tool, to generate individual risk assessment results for you.

Using information provided by you or obtained by your clinician, for example your weight and information from your health record, your clinician answers the questions in the Tool. The Tool will then generate risk assessment results based on this information. The results will give you or your clinician a better understanding of your risks of infection and potential consequences for you of infection from coronavirus. Your clinician may discuss the result with you to give you personalised health advice.

In addition to using the Tool to support the individual care of our patients, we will be providing information about your experience to NHS Digital, which provides the Tool. Anonymous data collected through the Tool will also help NHS Digital and the University of Oxford, who developed the QCovid® model used in the Tool, to develop and improve the Tool.

 

The Tool is registered as a medical device with the Medicines and Healthcare Products Regulatory Agency (MHRA).

 

 

What is the Tool and how does it work?
 

Your clinician will enter information into the Tool about you, your health and the medicines you take. Some of this information will be taken from your health record but your clinician may also need to ask you some questions about you and your health. They may also need to measure your height and weight to work out your body mass index (BMI).

 

The Tool will generate results for absolute risk and relative risk (see below), estimating how likely it is that you will:

catch coronavirus and go to hospital
catch coronavirus and die
All of the information used to answer the questions in the Tool is required because it has been identified as a factor which is relevant to the risk of catching and being hospitalised or dying from coronavirus.

 

The Tool has been developed from research by the University of Oxford about how people have been affected by coronavirus. The Tool uses a model called QCovid® which was developed based on information about people who had coronavirus in early 2020. The University of Oxford looked at data about people who went to hospital or died as a result of coronavirus during the first wave of the pandemic and combined it with data from hospital records and GP surgeries.

 

To develop the QCovid® model used by the Tool, the University of Oxford analysed this data to find out if certain things impact how coronavirus affects people. Researchers found that some things make it more likely that a person will need to go to hospital or die from coronavirus – these are called ‘risk factors’. 

 

Risk factors that were identified as important included: age; body mass index (BMI); ethnicity; certain health conditions and where people live. The University developed a model which weighted each of these factors and this is used within the Tool to generate risk assessment results from the information entered about you by the clinician. The results may support a discussion between you and your clinician about what your level of risk means for you or otherwise used by your clinician for your healthcare.

 

The Tool will estimate your ‘absolute risk’ and ‘relative risk’.

 

‘Absolute risk’ is the risk of catching and being hospitalised or dying from coronavirus. This is based on data from the first wave, alongside a second time period (May-June 2020). For example, an absolute risk of 1% (or 1 in 100), would mean that we would expect 1 person to be hospitalised or die with the same characteristics and 99 to not be hospitalised or die.

‘Relative risk’ is the risk of catching and being hospitalised from coronavirus based on your information and risk factors compared with a person of the same age and sex, but no other risk factors. For example, a relative risk of 2 would mean that we would expect you to be twice as likely to catch and be hospitalised or die from coronavirus than somebody of the same age and sex with no other risk factors.

 

The risks factors used to develop the QCovid® model used in the Tool, are based on data collected in the first few months of the pandemic in 2020. These risks are changing over time in line with infection rates, social distancing measures and individual behaviour. It is based on data collected between February and April 2020, at a time when different measures were in place for shielding and social distancing and different national restrictions were in place. This means that, although risk assessment results are generated for you using the Tool, your clinician will consider these alongside shielding, social distancing and local or national restrictions, which may be different from when the QCovid® model was developed.

 

Because we don’t yet have enough research about some groups of people, risk assessment results may not be accurate for:

 

People aged under 19 and over 100, because the research was done on adults aged from 19 to 100 and because very few children became seriously ill with coronavirus.
People who are trans or intersex, because the research was done using information about the sex people were registered with at birth
People who are pregnant, because only small numbers of pregnant people were included in the research so we cannot be confident about their level of risk.
People who were asked to shield during the first wave because, when the research was done, many of these people were shielding at home and so were less likely to catch coronavirus. This means the Tool may underestimate the risk for these people.
 

Your clinician will explain more about these limitations when they tell you what your risk assessment means for you. Risk assessment results will not be used in isolation to remove anyone from the Shielded Patient List (SPL). However, your clinician may use the Tool as part of their assessment of whether you should be placed on the SPL.  

 

Researchers are continuing to learn more about coronavirus as more information becomes available. The QCovid® model used in the Tool will change and be updated over time as more information becomes available. The online service will be updated to reflect changes to the model.

 

Our legal basis to process your personal information
 

Your clinician is processing your personal data in order to answer the questions in the Tool and to record the risk score in your health record.  This is to provide you with safe care and treatment.

Under the UK General Data Protection Regulations (UKGDPR) we are allowed to process your personal information using the Tool for the purposes of providing you with healthcare services. This is called “Public Task” under the UKGDPR and is allowed under Article 6(1)(e).

We are also processing personal information about your ethnicity and health conditions to use the Tool. This is also for a healthcare purpose and this is allowed under Article 9(2)(h) of the UKGDPR and under Schedule 1 of Paragraph 2 of the Data Protection Act 2018. 

 

Categories of personal information we process when using the Tool
 

Your clinician will input the following about you into the Tool using information you have provided or taken from your health record:

 

Age (19-100)
Sex registered at birth
Ethnic group
Living arrangements (whether you live in your own home, in a care home or are homeless)
Postcode (to identify a Townsend deprivation score, a well-known way of measuring deprivation based on data from the 2011 Census). Your postcode is deleted from the Tool once the Townsend score is created.
Health information, including
Height (cm), Weight (Kg) – used to calculate BMI
Cardiovascular diseases
Respiratory diseases and treatment
Metabolic, renal and liver conditions
Neurological and psychiatric conditions
Autoimmune and haematological conditions
Cancer and Immunosuppressants– If you have a diagnosis of certain cancers and you have been prescribed if you have been prescribed 4 or more times with certain immunosuppressants in the last 6 months.
 

The Tool takes the answers we have provided to the questions above and generates a risk assessment result which will allow your clinician to provide personalised advice to you about your risk and otherwise for your healthcare.

 

Who we share your information with
 

We do not include any personal information that would identify you when we are answering the questions in the Tool.  

 

The only information which could be used to potentially identify you is your postcode. For most people, postcode alone would not identify them because usually a number of different people live within a postcode area. However, just in case you are the only person who lives at your postcode, the Tool immediately converts your postcode to a number which relates to a Townsend deprivation score, a well-known way of measuring deprivation based on data from the 2011 Census. This number, which cannot identify you, is used by the Tool to generate risk assessment results and your postcode is then deleted from the Tool.

 

Anonymous data, which is the information provided to answer the questions in the Tool and which cannot identify you, will be collected by NHS Digital who provide the Tool. This anonymous data may be shared with the University of Oxford and the Department of Health and Social Care to help develop and improve the Tool and the QCovid® model developed by the University which is used in the Tool.

 

More information

 

For more information about:

 
how long we keep your personal information for
where we store your personal information
your rights and choices in relation to how we process your personal information
how to contact us; and
how to complain to the Information Commissioner if you are unhappy about the way we are processing your personal information
 

please see our full Privacy Notice which is available on our website or on request.

 

Changes to this privacy notice

 
This privacy notice may change from time to time and the latest version number and date will be shown at the top and on the version published on our website so you know when it was last updated.