Your Data and the NHS
The health and social care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in Clinic, Social Care Package etc). These records help to provide you with the best possible health and social care.
Records may be held in electronic or manual format, and may include the following information.
- Details about you, such as address and next of kin
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations, such as laboratory tests, x-rays, etc
- Relevant information from other health professionals, relatives or those who care for you and know you well
To ensure you receive the best possible care, your records are used to facilitate the care you receive and will be shared with other health and social care professionals to aid decision making about your total care package. Information held about you may also be used to help protect the health of the public and to help us to manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Some of this information will be held centrally and used for statistical purposes. The surgery will always endeavour to gain your consent before releasing the information.
Should you have any concerns about how your information is managed at the surgery, please contact the Practice Manager to discuss how the disclosure of your personal information can be limited.
Every member of staff who works for an NHS or Social Care Organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS or social care organisation has a legal duty to keep it confidential.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts, Specialist Trusts, Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers & Voluntary Sector Providers
- Ambulance Trusts, Clinical Commissioning Groups, Social Care Services
- Local Authorities, Education Services, Fire & Rescue Services, Police, Other ‘Data Processors’
Information to patients on sharing personal data
Data Protection – Your Personal Data is Safe
We are aware that recent events highlighted in the media concerning sharing your personal data may have left you confused and worried.
This has led to a rise in the number of queries asking us who we actually share your personal data with, whether we have the right to, and whether we can trust these external organisations to look after your personal data.
We would like to assure you that as a practice we take your personal data very seriously and we have certain processes in place to make sure your personal data is in safe hands at all times.
As a practice we must adhere to UK Data Protection laws, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Both pieces of legislation are there to make sure we look after your data. Where we do not follow any part of the Data Protection laws we are at risk of being investigated by the Information Commissioner’s Office (ICO) on your behalf, and possibly being issued with a fine or warning. The ICO is an independent advisory body which reports directly to Parliament and makes sure your rights around your personal data are protected.
To help us keep on track and make sure we abide by these laws we complete something called the Data Security and Protection Toolkit (DSPT), which incorporates the laws. It helps us measure how we are doing and keeps us in line with the law, and we are required to complete it annually.
There will be times when we have to share your personal data with external organisations / companies in order to provide you with the care you need. However, we only do this where we need to, where we have a legal reason to do so and when we are happy they will continue to safeguard your personal data. An example would be the Clinical IT system we use that holds your medical records; this is supplied by an IT company who will host your personal data to enable us to use the system.
In any event where we share your personal data we will conduct the necessary Data Protection checks with the external organisation. Like us, they are required by data protection law to provide us with relevant assurances that any personal data we share with them will remain secure. Under the UK GDPR they are required to provide us with documents to assure us, and this will include contracts which must include UK GDPR clauses. If an organisation does not process your personal data in line with the law, they too will be investigated by the ICO.
We cannot share your personal data without a legal basis, which means we cannot give your personal data to anyone ‘just because’ they want it. The UK GDPR sets out 6 legal bases we can use; the most common one you would have heard of is ‘consent.’ Consent is not often used in healthcare, and where we are using your personal data for direct care it just would not work. The UK GDPR recognises this, so we apply a legal basis called ‘public tasks.’ Public tasks covers the use of personal data where it relates to either being in the interest of the patient’s care or the public interest. This means that we do not need to ask for your consent, although we are obliged to be open and transparent with your personal data, which we do via our Privacy Notice (insert link).
We certainly will not sell your personal data to anyone.
When we share your personal data we need to abide by the UK GDPR principles, one of which is called ‘data minimisation’ – this means we can legally only share what is relevant and necessary for the task.
Finally, along with completing the DSPT (as mentioned above), where we have any data protection concerns or need advice we have a dedicated Information Governance team who are on hand to guide us through the do’s and don’ts.
I hope this information has provided you with assurance that we take the necessary steps to make sure your personal data is safe when in our care and that where we share your personal data we do so only if the law allows us to.