Privacy Notice (December 2020 with Changes due to Covid-19)
North Beverley Medical Centre has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.
This Privacy Notice explains why North Beverley Medical Centre collects information about you, how that information may be used and which organisations the information will be shared with to ensure you receive the best possible care. North Beverley Medical Centre may change this notice from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 14th May 2018.
What information do we collect about you?
Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. Hospital, GP surgery, Walk-In clinic etc.). NHS health records may be electronic, on paper or a mixture of both. At North Beverley Medical Centre we use an electronic medical records system called EMIS which has been accredited to the highest standards for use in GP Practices. We use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your healthcare record may include the following information:
- Biographical details about you, such as address, date of birth and family details
- Details of your contact with us such as appointments with our GP’s and nurses
- Notes and reports about your health including diagnosis and treatment
- Details about your treatment and care including prescriptions
- Results on investigations, such as laboratory blood tests, x-rays, etc.
- Relevant information from other health professionals e.g. District Nurse, Health Visitor, Social Worker, relatives or those who care for you
How we will use your information
Your data is collected for the purpose of providing direct patient care to ensure you receive the best possible care. However, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Information is used to inform national campaigns regarding uptake of screening and immunisation programmes e.g. breast screening, cervical screening, childhood immunisation and the national Flu campaign.
Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
Maintaining confidentiality and accessing your records
We are committed to maintaining confidentiality and protecting the information we hold about you.Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential. For the purposes of managing your health and Health Risk Screening we may need to share your information e.g. by making a referral with your consent to the following organisations :
- Hull & East Yorkshire Hospital Trust
- Humber Foundation Trust
- Other NHS Trusts and providers of services commissioned by NHS England such as:
- Community Nurses and/or Community Matrons from City Health Care Partnership or the Humber NHS Foundation Trust.
- Representatives from Adult Community Services in Hull City Council and East Riding of Yorkshire Council
- Voluntary Support Organisations commissioned by NHS Hull & NHS East Riding of Yorkshire
We will not disclose your information to any third party without your permission unless there are exceptional circumstances or the law requires information to be passed on e.g. the Public Health (Control of Disease) Act 1984, the Public Health (Infectious Diseases) Regulations 1988 and the Road Traffic Act 1988. Anyone who receives information from us is also under a legal duty to keep this information confidential.
We may also be obliged to reveal information about you if we believe you are a risk to yourself or others or if we believe a child or a vulnerable adult would be harmed if we did not reveal the information. We may also have to disclose information to prevent disorder or crime or if we are instructed to by a Court order.
General Data Protection Regulation (GDPR)
We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
Summary Care Record
A summary of your basic details along with information about your medication is updated daily from the practice to the Summary Care Record on the NHS Spine. This is to allow other health professionals with access to the NHS Spine e.g. in A&E to have easy access to this information if they need it. You can opt out of the summary care record if you wish, please contact our reception team if you wish to do this.
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including North Beverley Medical Centre; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) or Council (such as the East Riding of Yorkshire) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
You have a right to object to your information being shared. Should you wish to opt out of data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of your information; this is done by registering a Type 1 opt-out, preventing your information from being shared outside this practice.
In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration. Records of the deceased are returned promptly to Patient Data Services so requests for access are usually directed to them not the practice.
What to do if you have any questions
1. Contact the practice’s data controller via email at firstname.lastname@example.org. GP practices are data controllers for the data they hold about their patients
2. Write to the data controller at North Beverley Medical Centre, Pighill Lane, Beverley, HU17 7JY
3. Ask to speak to the Practice Manager or Deputy Practice Manager
This Practice have appointed Barry Jackson to be the Data Protection Officer (DPO). He is employed by N3i and can be contacted through their service desk on phone: 0300 002 0001 or email: email@example.com.
In the event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’.
When someone visits our website our website provider collects standard internet log information and details of behaviour patterns. This is done so we can identify the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone.
We do not make any other attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source.
If we do want to collect personally identifiable information through our website, we will make it clear when we collect the personal information and will explain what we intend to do with it. Security
Links to other websites
This privacy notice does not cover the links within our site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
 BMA GPs as data controllers under the GDPR
Changes due to the Covid-19 Coronavirus
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital. This transparency notice supplements our main practice privacy notice.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
We will not share details for any patient who has registered a Type 1 objection with the practice. Where a Type 1 objection has been registered, we will not share your personal identifiable confidential information outside of the GP practice, except when it is being used for the purposes of your care and treatment or where there is a legal requirement to do so. Although there is a legal requirement to do so here, NHS Digital has agreed with the National Data Guardian, the British Medical Association and the Royal College of General Practitioners to respect Type 1 objections.
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:
PDF copy of the privacy statement June 2020.