Loomer Medical Partnership & Apsley House Surgery Privacy Notice

 


Introduction

Policy statement

This policy has been created as an easy read guide to understand how this organisation deals with patient data in accordance with the Data Protection Act 2018 and especially Part 2, Chapter 2 of the legislation that is the UK GDPR.

This document is predominantly a guide for both children and those who may have a learning disability. It can also be used as a quick read for all as it provides the information to patients regarding how patient data is processed for the provision of direct care, research, audit and screening programmes.

It can be read in conjunction with the organisation’s UK General Data Protection Regulation (UK GDPR) Policy.

Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies.

Compliance

Data Protection Act 2018 and UK GDPR

The General Data Protection Regulation (GDPR) became law on 24 May 2016. This was a single EU-wide regulation for the protection of confidential and sensitive information. It entered into force in the UK on 25 May 2018, repealing the Data Protection Act (1998).

Following Brexit, the GDPR became incorporated into the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2 titled The UK GDPR.

This organisation will ensure that any personal data is processed in accordance with Article 5 of the UK GDPR and information about how this is done will be provided to applicants in a format that is compliant with Article 12 of the UK GDPR.

Communicating privacy information

This organisation must provide information about how data is processed in the form of a privacy notice. An easy read privacy notice is provided below.

Furthermore, the Information Commissioner’s Office (ICO) has provided a Privacy Notice Checklist.

Data for planning and research

The organisation may also share data for research and other purposes, for example when required by law for public health reasons, or anonymised for clinical research, e.g., through the Clinical Practice Research Datalink.

Patients can decide whether data is used for research or planning and, be it a child under 13 years or a child over 13 who has capacity, all have the right to opt out of such arrangements. No patient identifiable information will ever be shared for research without the consent of the patient.

Further information can be found in the NHS E guidance titled Choose if data from your health records is shared for research and planning.

National Data Opt Out

This organisation will ensure patients are compliant with the national data opt-out policy by following the NHS England guidance titled National Data Opt-Out. Patient information from NHS England can be found in the guidance titled Supporting your patients – information and resources.

NHS England has provided a NDO-O data protection impact assessment and further reading can be sought from the National Data Guardian guidance titled Review of Data Security, Consent and Opt-Outs.

Easy read privacy notice

What is a privacy notice?

A privacy notice helps this surgery to tell you how it uses the information it has about you. The data could be name, address, date of birth and, importantly, the clinical records that a clinician may write about you in your healthcare record.

Why do we need one?

By law, this practice needs a privacy notice. This is detailed within the Data Protection Act 2018 and is part of the UK General Data Protection Regulation (or UK GDPR for short).

What is the UK GDPR?

The UK GDPR is part of a law that states that the information about you must remain secure. All staff at the surgery must follow these rules and keep your information safe.

How can I learn more about the privacy notice?

This surgery has lots of information about privacy on our website telling you how we use the information we have about you. You can also ask a member of the staff should you have any questions about your data.

The UK GDPR details what needs to be provided within the privacy notice. This is:

  • What information we hold about you
  • How we keep this especially important information safe and secure and where we keep it
  • How we use your information
  • Who we share your information with
  • What your rights are
  • When the law gives us permission to use your information

What information do we collect about you?

Personal information is anything that identifies you as a person and we all have personal information. Personal information that tells us something about you includes:

  • Your name
  • Address
  • Mobile and/or home telephone number
  • Information about your parent(s) or person with parental responsibility
  • All your health records
  • Appointment records
  • Treatments you have had
  • Medicines prescribed for you and any other information to help us to look after you

How do we use your information?

Your information is taken to help us to provide your care. We might need to share this information with other medical teams. We only usually use your information to help us to care for you. That means we might need to share your information with other people who are concerned and involved with looking after your health, such as hospitals if you need to be seen there.

We might also need to share your information with the police, courts, social services, solicitors and other people who have a right to your information, but we always make sure that they have a legal right to see it (or have a copy of it) before we provide it to them. The law gives us permission to use your information in situations when we need it to take care of you. Because information about your health is very personal, sensitive and private to you, the law is very strict about how we use it. So, before we can use your information in the ways we have set out in this privacy notice, we have to have a good reason in law which is called a ‘lawful basis’.

Not only do we have to do that, but we also have to show that your information falls into a special group or category because it is very sensitive. By doing this, the law makes sure we only use your information to look after you and that we do not use it for any other reason.

If you would like more information about this, please ask to speak to our Data Protection Officer (DPO), who is mentioned in this privacy notice and who will explain this in more detail.

How do we keep your information safe?

We know that it is really important to protect the information we have about you. Therefore, we will follow the rules that are written in the Data Protection Act and the Chapter that details the UK GDPR. The law says that we must do all we can to keep your information private, safe and secure.

We use secure computer systems, and we make sure that any written information held about you is kept securely. We also train our staff to respect your privacy and to deal with your information in a manner that makes sure it is always kept and dealt with in a safe way.

What if I have a long-term medical problem?

If you have a long-term medical problem then we know it is important to make sure your information is shared with other healthcare workers to help them to help you, making sure you get the care you need when you need it.

Who else will see my information?

Usually, only staff at this practice are allowed to see your information. Should you need to go to the hospital then we may be asked to share your information with them, but this is only so that we can take care of you.

Sometimes we might be asked to take part in medical research that could help you in the future. We will always ask you or your parent(s) or an adult with parental responsibility if we can share your information if this happens.

Possibly the police, social services, the courts or other organisations may have a legal right to see your information.

What if I don’t want to opt out of sharing my medical information?

England

All our patients, no matter what their age, can say that they don’t want to share their information. If you’re under 13 this is something that your parents or an adult with parental responsibility will have to decide. If you’re over 13 and need help, then it may make sense to discuss this with those who care for you.

Should you want to discuss this further, then you can discuss any concerns that you have with a member of staff at the surgery.

You have a right to ask us not to share your information. Should you want to talk to us about not sharing your information, even if this means you do not want us to share your information with your parent(s) or an adult with parental responsibility, please let us know.

How to access my records?

If you want to see what is written about you, you have a right to access the information we hold about you, but you will need to complete a Subject Access Request (SAR). There are some rules on this.

  • If you are under 16, your parents or adults with parental responsibility can do this on your behalf.
  • If you are over 12, you may be classed as being competent and may be able to do this yourself.
  • If you are over 16 and need help in understanding what to do, then you can still ask the person who cares for you to do it on your behalf.

You may also be able to access your records online and you can discuss this with a member of staff at the surgery.

What if there is something wrong in my record?

If you believe that there are any errors in the information that we hold about you, then you can ask us to correct it.

Can I get anything removed from my record?

Legally, we cannot remove any of the information we hold about you as we need all this information to take care of you.

What to do if I have a question?

Should you have any questions about this privacy policy or the information we hold about you, you can discuss this with a member of staff, or your parents or adults with parental responsibility, or the person who cares for you.

They will advise you to either:

Please note that the DPO is specially trained in data management.

What if I have a complaint about how my information is being managed?

If you are unhappy with any element of our data processing methods, contact the relevant Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

How to contact them to make a complaint

The ICO is the regulator for the UK GDPR and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.