General Data Protection Regulations (GDPR)

Privacy Statement

Bay Medical Group aims to ensure the highest standard of medical care for our patients. To do this, we keep records about you, your health and the care we provided or plan to provide to you.

 

Why do we collect your personal information?

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation.  These records help to provide you with the best possible healthcare and help us to protect your safety.

We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form. The records will include both personal and special categories of data about your health and wellbeing.

 

What types of personal information do we collect about you?

We may collect the following types of information:

  • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to name, date of birth, full postcode, address, next of kin and NHS number.

And

  • ‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics, and sexual orientation.

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services). These records may be electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

 

Why do we collect this information?

 

The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. 

To do this we will need to process your information in accordance with current data protection legislation to:

  • Protect your vital interests;
  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
  • Perform tasks in the public’s interest;
  • Deliver preventative medicine, medical diagnosis, medical research; and
  • Manage the health and social care system and services.

We also may use or share your information for the following purposes:

  • To help us assess your needs and identify and provide you with the health and social care that you require
  • To determine the best location to provide the care you require
  • To comply with our legal and regulatory obligations  
  • Looking after the health of the public
  • Making sure that our services can meet patient needs in the future
  • Preparing statistics on NHS performance and activity (where steps will be taken to ensure you cannot be identified)
  • Investigating concerns, complaints, or legal claims
  • Helping staff to review the care they provide to make sure it is of the highest standards
  • Training and educating clinical staff
  • Research approved by the Local Research Ethics Committee. You will always be asked to provide consent to take part in research
  • The Practice may conduct reviews of medications prescribed to its patients. This is a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.

The health care professionals who provide you with care must maintain records about your health and any treatment or care you have received previously. This maybe at another GP Surgery or at a hospital. These records help to provide you with the best possible healthcare. NHS health records may be electronic, on paper or a mixture of both. We use several ways of working and with computerised systems this helps to ensure that your information is kept confidential and secure.

 

Keeping your information confidential and the Gender Recognition Act 2004

Bay Medical Group understand that sexual orientation and trans status are protected characteristics and therefore protected data which must be kept confidential.

The 2004 Gender Recognition Act (GRA) makes it a criminal offence to disclose an individual’s transgender history to a third party without their written consent if that individual holds a Gender Recognition Certificate (GRC). Patients do not need to show a GRC or birth certificate for the GRA 2004 to be in effect, so we will act in best practice and act as though every trans patient has one.

We will always obtain a trans patient’s written consent before sharing details about their social or medical transition, sometimes also called gender reassignment, with other services or individuals. This includes information such as whether a patient is currently taking hormones or whether they have had any genital surgery, as well as information about previous names or the gender they were given at birth.

Consent will always be obtained before information relating to the patient being trans is shared in referrals and this information will only be shared where it is clinically relevant, e.g., it would be appropriate when referring a trans man for a pelvic ultrasound but not if referring him to Ear, nose, and throat departments.

 

Text (SMS) messages

If you have provided your mobile telephone number, we may use this to send automatic appointment reminders, requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit.

If you do not wish to receive these text messages, please let the reception team know.

 

Data processors

We may use the services of a data processor to assist us with some of our data processing, but this is done under a contract with direct instruction from us that controls how they will handle patient information and ensures they treat any information in line with the General Data Protection Regulation, confidentiality, privacy law, and any other laws that apply.

 

How will we share your personal information?

We work with a number of other NHS and Partner agencies to provide healthcare services to you.  Below is a list of organisations that we may share your information with:

  • Other NHS hospitals
  • Relevant GP Practices
  • Dentists, opticians, and pharmacists
  • Private Sector Providers (private hospitals, care/nursing homes, hospices, contractors providing services to the NHS)
  • Voluntary Sector Providers who are directly involved in your care
  • Ambulance Trusts
  • Specialist Trusts
  • Clinical Commissioning Groups
  • NHS Commissioning Support Units
  • NHS 111
  • Out of hours medicals services/centres
  • Community services such as district nurses or rehabilitation services
  • Child health services that undertake routine treatment or health screening
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Local authority departments, including social care and health (formerly social services), education and housing and public health
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of

Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.

Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care.

 

Who else may ask to access your information?

  • The law courts can insist that we disclose medical records to them;
  • Solicitors often ask for medical reports.  These will always be accompanied by your signed consent for us to disclose information.  We will not normally release details about other people that are contained in your records (e.g. wife, children, parent etc.) unless we also have their consent;
  • Life Insurance Companies frequently ask for medical reports on prospective clients.  These are always accompanied by your signed consent form.  We must disclose all relevant medical conditions unless you ask us not to do so.  In that case, we would have to inform the insurance company that you have instructed us not to make a full disclosure to them. You have the right, should you request it, to see reports to insurance companies or employers before they are sent.

Any medical or health related personal information will be treated with confidence in line with the common law duty of confidentiality and the Confidentiality NHS Code of Practice. 
We may be required to share information with organisations in order to comply with our legal and regulatory obligations. This may include:

  • Care Quality Commission (CQC): The CQC regulates health and care services to ensure that safe care is provided. The law requires that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. Further information about the CQC can be found here.
  • Public Health England: The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England. Further information about Public Health England can be found here.

We will not share your information with organisations other than health and social care providers without your consent unless the law allows or requires us to.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information that has been collected lawfully.  Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.  We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it.

We will not disclose your information to any third party without your permission unless there are exceptional circumstances, or where the law requires information to be passed on, for example:

  • We believe you are putting yourself at risk of serious harm
  • We believe you are putting a third party (adult or child) at risk of serious harm
  • We have been instructed to do so via court order made against the practice
  • Your information is essential for the investigation of a serious crime
  • You are subject to the Mental Health Act (1983)
  • Public Health England needs to be notified of certain infectious diseases
  • Regulators use their legal powers to request your information as part of an investigation

Our practice policy is to respect the privacy of our patients, their families, and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors who work with our practice are asked to sign a confidentiality agreement.  

 

NHS National Data Opt-out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected in a patient record for that service. Collecting this confidential patient information helps to ensure you get the best possible care and treatment.

The confidential patient information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, where allowed by law.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you choose to opt out, your confidential patient information will still be used to support your individual care. We do not share your confidential patient information for purposes beyond your individual care without your permission. When sharing data for planning and reporting purposes, we use anonymised data so that you cannot be identified in which case your confidential patient information isn’t required.

Information being used or shared for purposes beyond individual care does not include your confidential patient information being shared with insurance companies or used for marketing purposes and information would only be used in this way with your specific agreement. Health and care organisations that process confidential patient information must put systems and processes in place so they can be compliant with the national data opt-out. They must respect and apply your opt-out preference if they want to use or share your confidential patient information for purposes beyond your individual care. 

Bay Medical Group are currently compliant with the national data-out policy as we do not share your confidential patient information for purposes beyond your individual care without your permission.

To find out more or to register your choice to opt out, please visit NHS: Your Data Matters

You can change your choice at any time.

 

How long do we keep your personal information? 

We follow the Records Management Code of Practice for Health and Social Care 2016 records retention schedule published by the Information Governance Alliance for the Department of Health which states that electronic patient records should be retained for 10 years from the date of death. At that point, all personal data we hold regarding you will be securely deleted.

 

accuRx

We use accuRx to communicate with our patients, for example via video call. 

Full details about how accuRx will process your personal information can be found on their privacy notice.

 

Advanced Telephony

We use a third party advanced telephony provider to host phone calls digitally. Statistics for call volumes will be collected and analysed to better deploy resources. When you call the GP Practice, the information provided will be used to ascertain which service is most suitable for you, such as a triage call with a GP, or a visit to the local pharmacy. Relevant information from the call will be shared with heath and care professionals. The information used and shared will vary depending on what is discussed on the call.  

The advanced telephony system will also have call recording functionality for Training purposes and for investigating patient complaints.  

Your rights 

You have a right to:

  • ask for a copy of the information we hold about you
  • correct inaccuracies in the information we hold about you
  • withdraw any consent you have given to the use of your information
  • complain to the relevant supervisory authority in any jurisdiction about our use of your information

In some circumstances:

  1. ask us to erase information we hold about you
  2. request a copy of your personal data in an electronic format and require us to provide this information to a third party
  3. ask us to restrict the use of information we hold about you; and
  4. object to the use of information we hold about you. 

You can exercise these rights by contacting us as detailed below. 

 

How to contact us

If you have any questions about our privacy notice, the personal information we hold about you, or our use of your personal information then please contact our Data Protection Officer via post at:

Data Protection Officer
Heysham Primary Care Centre,
Middleton Way,
Heysham,
LA3 2LY

 

Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential is Bay Medical Group. The Data Protection Officer (DPO) for Bay Medical Group is Dr Raed Amr.

 

How to make a complaint

You also have the right to raise any concerns about how your personal data is being processed by us with the Information Commissioners Office (ICO) by clicking here to visit their website or calling 0303 123 1113

 

Changes to our privacy notice

We keep our privacy notice under regular review, and we will place any updates on this webpage. This privacy notice was last updated on 16/02/2024.

 

COVID-19 Privacy Notice Appendix

This appendix has been added to include any additional data processing completed by us during the Coronavirus (COIVD-19) outbreak.

 

Summary Care Record with Additional Information

During the height of the pandemic, changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it, to support direct patients care, leading to improvements in both care and outcomes.

These changes to the SCR will remain in place unless you decide otherwise.

Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.

You can exercise these choices by doing the following:

  1. Choose to have a Summary Care Record with all information shared.

This means that any authorised, registered, and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.

2. Choose to have a Summary Care Record with Core information only.

This means that any authorised, registered, and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.

3. Choose to opt-out of having a Summary Care Record altogether.

This means that you do not want any information shared with other authorised, registered, and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered, and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.

To make these changes, please let us know.

You can read more about the changes to your Summary Care Record here

 

GP Connect in support of the National COVID-19 Response

To help the NHS during the COVID-19 outbreak, NHS Digital are improving the access that doctors, nurses, and healthcare professionals have to medical records and information, so that they can more safely treat and advise patients who are not in their usual GP practice, who call 111 or are seen in hospitals and other healthcare settings.

You can read more about GP Connect here

 

GPES Data for Pandemic Planning and Research (COVID-19)

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care, and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking, and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England. 

 

Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

 

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests, and results
  • treatments and outcomes
  • vaccinations and immunisations
 

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning, and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information. 

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

 

National Data Opt-Out

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.

 

Your rights over your personal data

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:

 

Changes to this privacy notice

We keep our privacy notice under regular review.  This privacy notice will be reviewed again before the end of December 2023.

 

Transmitting eMED3 fit note data to the DWP

The DWP performs a weekly anonymous extract of fit note usage data for collection, storage, transmission and publication by NHS Digital. As data controllers, we will make you aware of the data collection and ask you about your consent preferences. This could be:

  • In person when you come in for a fit note.
  • On our practice website.
  • On our practice notice board.

If you do not consent to secondary use of GP patient identifiable data, we will be code it on your care record. If you don’t actively express dissent, implied consent is assumed.

To comply with the Department of Health’s patient objection policy, data about patients who have dissented from secondary use of their data will not be included in the extract.

Electronic submission of non identifiable patient data to the DWP will only be sent if you have not opted out.

What data is included in the extract?

The data extracted is completely anonymous to protect patient privacy and consists of:

  • How many eMED3 fit notes are issued.
  • How many patients are recorded as ‘unfit’ or ‘maybe fit’ for work.
  • Fit note duration.
  • Gender.
  • Health condition type aggregated to a high level diagnosis code, for example, paranoid schizophrenia would be classed as a Mental Disorder.
  • Location, including CCG areas.
  • Whether workplace adaptations were recommended.