General Data Protection Regulations (GDPR)

 

BACK TO MAIN INDEX

 

Privacy Statement

Bay Medical Group aims to ensure the highest standard of medical care for our patients. To do this, we keep records about you, your health and the care we provided or plan to provide to you.

 

Why do we collect your personal information?

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation.  These records help to provide you with the best possible healthcare and help us to protect your safety.

We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form. The records will include both personal and special categories of data about your health and wellbeing.

 

What types of personal information do we collect about you?

We may collect the following types of personal information:

  • Your name, address, email address, telephone number and other contact information
  • Gender, NHS Number and date of birth and sexual orientation
  • Details of family members and next of kin details
  • Health (Medical) information, including information relating to your sex life
  • Details of any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls.
  • Results of investigations such as laboratory tests or x-rays
  • Biometric data
  • Genetic information 
 

How will we use the personal information we collect about you?

We may use your personal information in the following ways:

  • To help us assess your needs and identify and provide you with the health and social care that you require
  • To determine the best location to provide the care you require
  • To comply with our legal and regulatory obligations
  • To help us monitor and manage our services
  • To support medical research
 

Text (SMS) messages

If you have provided your mobile telephone number, we may use this to send automatic appointment reminders, requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit.

If you do not wish to receive these text messages, please let the reception team know.

 

Data processors

We may use the services of a data processor to assist us with some of our data processing, but this is done under a contract with direct instruction from us that controls how they will handle patient information and ensures they treat any information in line with the General Data Protection Regulation, confidentiality, privacy law, and any other laws that apply.

 

How will we share your personal information?

We work with a number of other NHS and Partner agencies to provide healthcare services to you.  Below is a list of organisations that we may share your information with:

  • Other NHS hospitals
  • Relevant GP Practices
  • Dentists, opticians and pharmacists
  • Private Sector Providers (private hospitals, care/nursing homes, hospices, contractors providing services to the NHS).
  • Voluntary Sector Providers who are directly involved in your care;
  • Ambulance Trusts;
  • Specialist Trusts;
  • The Health & Social Care Information Centre (HSCIC);
  • Clinical Commissioning Groups;
  • NHS 111;
  • Out of hours medicals services/centres;
  • NHS England;
  • Local Authorities;
  • Other ‘data processors’ which you will be informed of

We may also share your information, with your consent, and subject to strict sharing protocols about how it will be used, with:

  • Local authority departments, including social care and health (formerly social services), education and housing and public health;
  • Police and fire services.
 

Who else may ask to access your information?

  • The law courts can insist that we disclose medical records to them;
  • Solicitors often ask for medical reports.  These will always be accompanied by your signed consent for us to disclose information.  We will not normally release details about other people that are contained in your records (e.g. wife, children, parent etc.) unless we also have their consent;
  • Life Insurance Companies frequently ask for medical reports on prospective clients.  These are always accompanied by your signed consent form.  We must disclose all relevant medical conditions unless you ask us not to do so.  In that case, we would have to inform the insurance company that you have instructed us not to make a full disclosure to them. You have the right, should you request it, to see reports to insurance companies or employers before they are sent.

Any medical or health related personal information will be treated with confidence in line with the common law duty of confidentiality and the Confidentiality NHS Code of Practice. 
We may be required to share information with organisations in order to comply with our legal and regulatory obligations. This may include:

  • Care Quality Commission (CQC): The CQC regulates health and care services to ensure that safe care is provided. The law requires that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. Further information about the CQC can be found here.
  • Public Health England: The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England. Further information about Public Health England can be found here.

We will not share your information with organisations other than health and social care providers without your consent unless the law allows or requires us to.

 

Disclosure of Information to Other Health and Social Professionals

We work with a number of other NHS and Partner agencies to provide healthcare services to you. Below is a list of organisations that we may share your information with:

 

Our Partner Organisations

  • Other NHS hospitals 
  • Relevant GP Practices 
  • Dentists, opticians and pharmacists 
  • Private Sector Providers (private hospitals, care/nursing homes, hospices, contractors providing services to the NHS). 
  • Voluntary Sector Providers who are directly involved in your care; 
  • Ambulance Trusts; 
  • Specialist Trusts; 
  • The Health & Social Care Information Centre (HSCIC); 
  • Clinical Commissioning Groups; 
  • NHS 111; 
  • Out of hours medicals services/centres; 
  • NHS England; 
  • Local Authorities; 
  • Other ‘data processors’ which you will be informed of

We may also share your information, with your consent, and subject to strict sharing protocols about how it will be used, with:

  • Local authority departments, including social care and health, (formerly social services), education and housing and public health; 
  • Police and fire services.
 

Computer System

This Practice operates a Clinical Computer System on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication.

To provide around the clock safe care, unless you have otherwise asked us not to, we will make information available to trusted organisations. Wherever possible, their staff will ask your consent before your information is viewed.

We consider patient consent as being a key factor in dealing with your health information.

 

Risk Stratification

Risk Stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re) admission and identifying a need for preventative intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through analysis of your de-identified information using software managed by Lancashire and South Cumbria Clinical Services Support Unit commissioned by Morecambe Bay Clinical Commissioning Group (MB CCG) and is only provided back to your GP as a data controller in an identifiable form. Risk stratification allows your GP to focus on preventing ill health and not just treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

 

Research and Development

Bay Medical Group contributes to the Clinical Practice Research Datalink (CPRD)

Information in patient records is important for medical research to develop new treatments and test the safety of medicines. This practice supports medical research by sending some of this information from patient records to CPRD.

CPRD is a government organisation that provides anonymised patient data for research to improve patient and public health. You cannot be identified from the information sent to CPRD.

If you do not want anonymised information from your patient record to be used in research you can opt out by speaking to one of our Doctors, Nurses or Patient Advisors and ask them to let our Administration & IM&T Manager know.

For more information about how your data is used please click here

 

Medicines Management

The Practice may conduct Medicines Management Reviews of medication prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. This service is mainly carried out in the Practice however there are times when it may also be supported by MB CCG.

 

Shared Care Records

To support your care, and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other systems. The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your record.

 

Gathering Patient Feedback/Patient Surveys

As part of the NHS Constitution, the NHS actively encourages feedback from public, patients and staff and welcomes it use to improve services. Bay Medical Group uses the NHS Friends and Family’s Tests (FFT) to collect feedback from patients about their experiences when accessing services so we may review the care provided and inform development of high quality standards. The FFT is managed solely by the Practice. Bay Medical Group also runs surveys from time to time to gather feedback from patients on proposed changes to services and on the introduction of new services, again these are all managed in-house by Bay Medical Group.

 

Lawful Basis for Processing your Data

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in Bay Medical Group and in support of direct care elsewhere is supported under the GDPR Special Category of Data concerning health and under the following Articles 6 (lawful basis) and 9 (conditions):

  • Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."
  • Article 6(1)(d) "processing is necessary to protect the vital interests of the data subject or of another natural person"
  • Article 6(1)(e) …necessary for the performance of a task carried out in the public interest or in the exercise of official authority…
  • Article 9(2)(b) ‘...is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of ...social protection law in so far as it is authorised by Union or Member State law..’
  • Article 9(2)(c) "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent"
  • Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"
  • Article 9(20(b)…‘necessary for social protection law

For safeguarding specifically the sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Articles 6 (lawful basis) and 9 (conditions) also apply:

For consented processing;

  • 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

For unconsented processing;

  • 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject

We will consider your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality"*

 

How we keep your information confidential and secure

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the:

  • Data Protection Act 1988; 
  • Article 8 of the Human Rights Act 1998; 
  • The Common Law Duty of Confidentiality; 
  • Health and Social Care Act 2012; 
  • The NHS Codes of Confidentiality, Information Security and Records Management; 
  • Information: To Share or not to Share Review

Everyone working in, or for, the NHS must use personal information in a secure and confidential way.

We will only ever use or pass on your information if there is a genuine need to do so. We will not disclose information about you to third parties without your permission unless there are exceptional circumstances, such as when the law requires.

To protect your confidentiality, we will not normally disclose any medical information about you over the telephone, or by fax, unless we are sure we are talking to you. This means we will not disclose information to your family, friends, and colleagues about any medical matters at all, unless we know that we have your consent to do so.

 

Anyone who receives information from us is also under a legal duty to keep it confidential and secure

All persons in the Practice sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.

Please be aware that your information will be accessed by non-clinical Practice staff in order to perform tasks enabling the functioning of the Practice. These are, but not limited to:

  • Typing referrals letters to hospital consultants or allied health professionals; 
  • Opening letters from hospitals and consultants; 
  • Scanning and coding of clinical letters, radiology reports and any other documents not available in electronic format; 
  • Managing medications requests & changes and producing repeat prescriptions; 
  • Photocopying or printing documents for referral to consultants; 
  • Handling, printing, photocopying and postage of medico legal and life insurance reports and of associated documents.
 

Rights of Access to your Health Information

Under GDPR you have the right to find out what information about you is held on computer and in manual records. This is known as ‘subject access rights’ (SARs) and applies to;

  • Confirmation that your data is being processed; 
  • Access to the personal information held about you; 
  • Access to other supplementary information (such as this privacy notice).  

If you want to see the information held about you that the Practice holds:

  • We ask that when making a SAR please mark it for the attention of the Administration and IM&T Manager, Janet Taylor.
  • Depending on the SAR, the complexity and number of requests made we may need to charge a reasonable fee to provide the information held about you; 
  • We are required to respond to you within one month, if your SAR may take longer we will explain the reasons to you. 
  • You will need to give adequate information (for example full name, address, date of birth, NHS number etc.); 
  • You will be required to provide ID before any information is released to you.
 

NHS National Data Opt-out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected in a patient record for that service. Collecting this confidential patient information helps to ensure you get the best possible care and treatment.

The confidential patient information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care where allowed by law.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you choose to opt out your confidential patient information will still be used to support your individual care.

We do not share your confidential patient information for purposes beyond your individual care without your permission. When sharing data for planning and reporting purposes, we use anonymised data so that you cannot be identified in which case your confidential patient information isn’t required.

Information being used or shared for purposes beyond individual care does not include your confidential patient information being shared with insurance companies or used for marketing purposes and information would only be used in this way with your specific agreement.

Health and care organisations that process confidential patient information have to put systems and processes in place so they can be compliant with the national data opt-out. They must respect and apply your opt-out preference if they want to use or share your confidential patient information for purposes beyond your individual care. 

Bay Medical Group are currently compliant with the national data-out policy as we do not share your confidential patient information for purposes beyond your individual care without your permission.

To find out more or to register your choice to opt out, please visit NHS: Your Data Matters.

You can change your choice at any time.

 

Type 1 Opt Out Information

The data held in your GP medical records is shared with other healthcare professionals for the purposes of your individual care. It is also shared with other organisations to support health and care planning and research.

If you do not want your personally identifiable patient data to be shared outside of your GP practice for purposes except your own care, you can register an opt-out with your GP practice. This is known as a Type 1 Opt-out.

Here is the link to our Type 1 Opt Out form

 

How long do we keep your personal information?

We follow the Records Management Code of Practice for Health and Social Care 2016 records retention schedule published by the Information Governance Alliance for the Department of Health which states that electronic patient records should be retained for 10 years from the date of death. At that point, all personal data we hold on you will be securely deleted.

 

accuRx

We use accuRx to communicate with our patients, for example via video call. 

Full details about how accuRx will process your personal information can be found on their privacy notice.

 

Sharing your information without consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • Where there is serious risk of harm or abuse to you or other people; 
  • Where a serious crime, such as assault, is being investigated or where it could be prevented; 
  • Notification of new births; 
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS); 
  • Where a formal court order has been issued; 
  • Where there is legal requirement, for example if you have committed a Road Traffic Offence.

Bay Medical Group is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

Information you supply using any electronic form(s) on this website will only be used for the purpose(s) stated on the from;

 

Changes of Details

It is important that you tell the person treating you if any of your details such as your name or address or telephone number (including mobile) have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.

 

Notification

The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

This information is publicly available on the Information Commissioners Office website

The Practice is registered with the Information Commissioners Office (ICO).

 

Your rights

You have a right to:

  • ask for a copy of the information we hold about you;
  • correct inaccuracies in the information we hold about you
  • withdraw any consent you have given to the use of your information;
  • complain to the relevant supervisory authority in any jurisdiction about our use of your information

In some circumstances:

  1. Ask us to erase information we hold about you;
  2. Request a copy of your personal data in an electronic format and require us to provide this information to a third party;
  3. Ask us to restrict the use of information we hold about you; and
  4. Object to the use of information we hold about you.

You can exercise these rights by contacting us as detailed below.

 

How to contact us

If you have any questions about our privacy notice, the personal information we hold about you, or our use of your personal information then please contact our Data Protection Officer via post at:

Data Protection Officer
Heysham Primary Care Centre
Middleton Way
Heysham
LA3 2LY

 

Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential is Bay Medical Group.

 

Who is the Data Protection Officer?

The Data Protection Officer (DPO) for Bay Medical Group is Dr Andy Foster.

 

How to make a complaint

You also have the right to raise any concerns about how your personal data is being processed by us with the Information Commissioners Office (ICO) or calling 0303 123 1113.

 

Changes to this Privacy Notice

We keep our privacy notice under regular review and we will place any updates on this webpage. This privacy notice was last updated on 06/10/2021.

 

COVID-19 Privacy Notice Appendix

This appendix has been added to include any additional data processing completed by us during the Coronavirus (COIVD-19) outbreak.

 

Summary Care Record with Additional Information

In light of the current emergency, the Department of Health and Social Care has removed the requirement for your explicit consent prior to sharing additional information as part of the summary care record.

Read more about the changes to your Summary Care Record.

 

GP Connect in support of the National COVID-19 Response

To help the NHS during the COVID-19 outbreak, NHS Digital are improving the access that doctors, nurses and healthcare professionals have to medical records and information, so that they can more safely treat and advise patients who are not in their usual GP practice, who call 111 or are seen in hospitals and other healthcare settings.

Read more about GP Connect

 

GPES Data for Pandemic Planning and Research (COVID-19)

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.

 

Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

 

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • Diagnoses and findings
  • Medications and other prescribed items
  • Investigations, tests and results
  • Treatments and outcomes
  • Vaccinations and immunisations
 

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information. 

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

 

National Data Opt-Out

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.

 

Your rights over your personal data

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:

 

Changes to this privacy notice

We keep our privacy notice under regular review.  This privacy notice will be reviewed again before the end of April 2022.