- Privacy Notice – COVID-19 and how we will use your data (updated 7th May, 2020)This notice describes how we may use your information to protect you and others during the Covid-19 (Coronavirus ) outbreak. It supplements our main Privacy Notice which is available on our website. Existing law allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. The Secretary of State requires NHS Digital; NHS England and NHS Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any arrangements put in place specifically to use or share information during the Covid-19 are temporary and will be limited to the period of the outbreak unless there is another existing legal basis that covers the use and sharing of that data. All opt-out requests currently submitted will be held until the outbreak ceases at which point, the request to opt-out will be processed. In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers,for example, neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
- We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance, such as Public Health England, for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. During this period of emergency, you may be offered a consultation via telephone or videoconferencing. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
- It may take us longer to respond to Subject Access Requests and Freedom of Information requests whilst we focus our efforts on responding to the outbreak.
- During the COVID-19 outbreak London Clinical Commissioning Groups will not process any new requests to opt-out of local data sharing arrangements such as the One London Health and Care Record exemplar, Connecting your Care or The National Data Opt-Out.
- In the current emergency it has become even more important to share health and care information quickly across relevant organisations, to deliver care to individuals, support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. The health and social care system is facing significant extra pressures due to the Covid-19 outbreak.
- Plain English explanation
1) Controller contact details
2) Data Protection Officer contact details
Miles Dagnall firstname.lastname@example.org
3) Purpose of the processing of your data
The purpose of the envisaged temporary Covid-19 data flows is to effectively treat and prevent the onward spread of COVID-19, as such there is a need to share Patient Identifiable Data and Special Category (or sensitive) information. However, for each new data flow a review will be undertaken to ensure that the minimum amount of personal data is processed and processed securely.
4) Lawful basis for processing your data
Under the General Data Protection Regulation (EU GDPR), Article 6, 1(c)- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). There are a number of pieces of legislation currently available to allow the processing of personal data and special category data in response to public health breakouts, which includes – Public Health (Control of Disease) Act 1984 – The Health and Social Care Act 2008 (by virtue of The Care Act 2014) The relevant basis in UK law is set out in the Data Protection Act (DPA) 2018, in Schedule 1 condition 2. This condition covers the following purposes: – preventive or occupational medicine; – the assessment of an employee’s working capacity; – medical diagnosis; – the provision of health care or treatment; – the provision of social care (this is likely to include social work, personal care and social support services); or – the management of health care systems or services or social care systems or services. Article 9(3) of the GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes: – a health professional or a social work professional; or – another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. By virtue of the Data Protection Act 2018 (c. 12) Schedule 1 – Special categories of personal data and criminal convictions etc. data, Part 1 – Conditions relating to employment, health and research etc., paragraph 3(a), processing meet the GDPR Article 9 condition ‘if processing is necessary for reasons of public interest in the area of public health’.
5) Recipient or categories of recipients of the processed data
Health and social care organisations, hospitals, GPs, GP Federations, Clinical Commissioning Groups, Arm’s Length Bodies (such as Public Health England); local authorities;.
6) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a Court of Law.
8) Retention period
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the City&Hackney CCG.
9) Right to Complain
You have the right to complain to the practice, to the Data Protection Officer (details above) or the Information Commissioner’s Office (ICO), you can use this link https://ico.org.uk/global/contact-us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
The ‘Notice’ issued sets aside the requirements of Common Law Duty of Confidentially for COVID-19 purposes, Regulation 4 Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
- Privacy Notice
- General Practice Privacy Notice When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data. If your care requires treatment outside the practice, we will exchange with those providing such care and treatment whatever information may be necessary to provide safe, high quality care. The practice also delivers services and treatment to our patients as part of, and in association with, the primary care networks in City & Hackney and beyond.The sharing of data, within the practice and with those others outside the practice is assumed and is allowed by law (including the Data Protection Act 2018) however, we will gladly discuss this with you in more detail if you would like to know more.You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests and under the Data Protection Act in performance of a public task (see legal bases below).How is the information stored? How long is the information retained?
- The medical information is retained at the practice for the lifetime of the patient, after which it is sent to Primary Care Services England (PCSE)
- The practice stores the main patient record via a contracted data processor in the cloud. The contracted processor for the practice is Egton Medical Information Systems (EMIS). They can be contacted via EMIS, Rawdon House, Green Lane, Yeadon, Leeds LS19 7BY.
- We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
- The Practice team (clinicians, administration and reception staff) only access the information they need to allow them to perform their function and fulfil their roles.
- Once you have seen the care provider, they will normally send us details of the care they have provided you with, so that we can understand your health better.
- As GPs, we cannot process all your information ourselves, so we need to delegate this responsibility to others within the practice and sometimes with other organisations.
- Who we share information with.
- Our practice keeps data on you relating to who you are, where you live, contact details, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, if you have a carer, where you are seen and when you are seen, who by, referrals to specialists and other health and social care providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other health care workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
- The information we hold on you
- Nightingale Practice Protecting your Confidentiality – Privacy Notice
Data Protection Officer
Purpose of Processing your personal information
Direct Care is care delivered to the individual alone, much of which is provided in the surgery.
After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc.
The information that is shared is to enable the other healthcare and social care professionals to provide the most appropriate advice, investigations, treatments, therapies and or care.
Lawful Basis for Processing your personal information
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
Recipient or categories of recipients of your personal data
The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
· Primary Care Network
· Local GP provider organisation
· NHS Commissioning Support Units
· Social Care Services · Health and Social Care Information Centre (HSCIC)
· Independent Contractors such as dentists, opticians, pharmacists
· Private Sector Providers
· Voluntary Sector Providers
· Ambulance Trusts
· Clinical Commissioning Groups
· Local Authorities
· Education Services
· Fire and Rescue Services
· Police & Judicial Services
· Voluntary Sector Providers
· Private Sector Providers