Introduction

This policy sets out our Practice’s approach to Clinical Governance.

Implementing Clinical Governance applies throughout the Practice and is designed to ensure the safety and well-being of our patients and improve the service that they receive from us.

Policy

Summary Statement.

The Practice will always do its utmost to provide the highest quality treatment and care it can to its patients, ensuring always that it works with the most up-to-date clinical information and current best practice guidelines.

1.   Patient involvement.

We will encourage and actively seek patient participation, ensuring there is a system in place which enables patients to provide feedback and make suggestions and be actively involved in deciding how the health services they use should develop.

This system will be supported and promoted through open dialogue, in person and / or in writing, and also through the use of the Practice’s Patient Participation Group, whose aim is to give patients an opportunity to meet, exchange ideas and information to improve the running of the Practice and ensure we are listening and responding to the needs and concerns of our patients.

2.   Patient experience.

We will discuss feedback received from patients and publicise both suggestions and the practice response. Whenever an identifiable patient suggests, the Practice will ensure s/he will receive a personal response.

We will view the practice from the patient perspective (from formal patient survey results) and actively seek to try and implement feasible and beneficial ideas.

3.   Health & Safety and Risk Control.

The Practice implements a robust framework for ensuring it adheres to Health and Safety legislation, both for staff working within the Practice premises and environment, as well as preventing harm to patients when they attend the surgery. The Practice considers the guidelines in the revised version of the GMC document “Raising and acting on concerns about patient safety”, effective 12 March 2012, a copy of which can be downloaded here:

Dr Bapu Sathyajith is the Practice Health & Safety Lead who has overall responsibility for ensuring the Practice Premises are a safe environment for staff and patients using the service.

We operate an open system of Significant Event Reporting which ensures we review, obtain and provide feedback and learn from such incidents. Each Significant Event is discussed in detail and agreed action documented in a Significant Event Review / Clinical Policy Review Meeting.

4.   Clinical Audit.

The Practice undertakes regular clinical audits, carefully and accurately recording the results and taking appropriate action so that we can effectively plan for the implementation of changes / improvements for the benefit of our Patients.

Our administrative procedures are also audited on a regular basis to ensure they are operating effectively.

5.   Evidence-based medical treatment.

The Practice will develop, refine and maintain an awareness of the latest developments, research results and advances in medical treatment and assess the impact of this information on our established and proven methods of working.

To encourage discussion and learning, we will ensure that expertise and opinion is shared both within the Practice and between clinicians.

6.   Information and its use.

The Practice is committed to making maximum use of both electronic and paper-based information in clinical and non-clinical decision making and will share best practice with others both internally and externally.

We will aim to continuously improve data quality and encourage patients to participate in their own clinical treatment and be involved in making the decisions which affect them.

7.   Staff and staff management.

To encourage team working throughout the Practice, we will operate “no-blame” learning culture which will provide all Staff with an open and equal working relationship.

We aim to work towards the “Investor in People” standard, by encouraging staff training and development whilst also supporting devolution of control and empowerment.

8.   Education, Training and Continuing Professional Development (CPD).

All Practice Staff, Clinical and Non-clinical take part in an annual appraisal system which links into their personal development programme.

GPs and nurses are obliged professionally to maintain their CPD to ensure their clinical skills are as up to date as possible and they can continue to practise. All their CPD activity will be documented as an integral part of their learning portfolio (GPs a minimum of 50 learning credits per year and Nurses a minimum of 35 hours of learning activity relevant to their practice every three years).

We ensure all Doctors benefit from CPD by undertaking revalidation, attending a variety of clinical treatment updates, GP registrar training sessions, and resuscitation training days and organising regular in-house clinical seminars from specialist consultants and in-house trainers.

Our Nurses attend training in clinical areas such as the new trends in treatment and care of patients undergoing the menopause, a diploma in chronic obstructive pulmonary disease, up dates in travel and childhood immunisation, and care of the diabetic patient.

All Non-clinical staff are encouraged to attend events related to their own specialism or professional development need, as identified by the appraisal system.

The Practice closes for Four hours each month to allow all staff to take part in protected learning sessions, including updates on basic life support, health and safety, appraisal skills, team building and information governance.

These sessions also provide the opportunity to review departmental policies and procedures, to examine any critical incidents that have occurred and to review the feedback from the annual patient survey in order to implement any changes that may be necessary as a result of its findings and recommendations.

9.  Strategic approach.

We will operate a 5-year strategic plan based on projected patient needs, being mindful of both the current and projected National and Local healthcare situation.

We will actively participate in the Clinical Commissioning Group and focus on activity which creates resources to help achieve both immediate and longer-term patient clinical needs.

Implementation

Dr Bapu Sathyajith is the Clinical Governance Lead(s) for the Practice, having responsibility for:

• Overseeing the management of the key provisions of this Policy.
• Provision of clinical governance leadership and advice.
• Promotion of quality care within the practice.
• Acting as an expert resource and advisor in the examination and review of significant events.
• Initiating and reviewing clinical audits.
• Keeping up to date with research and governance recommendations and communicating these accordingly.

Introduction

The purpose of the policy is to ensure that all patients (or their representatives) who have the cause to complain about their care or treatment can have freely available access to the process and can expect a truthful, full and complete response and an apology where appropriate. Complainants have the right not to be discriminated against as the result of making a complaint and to have the outcome fully explained to them. The process adopted in the practice is fully compliant with the relevant NHS Regulations (2009) and guidance available from defence organisations, doctors` representative bodies and the Care Quality Commission. Everyone in the practice is expected to be aware of the process and to remember that everything they do and say may present a poor impression of the practice and may prompt a complaint or even legal action.

The general principle of the practice in respect of all complaints will be to regard it first and foremost as a learning process, however in appropriate cases and after full and proper investigation the issue may form the basis of a separate disciplinary action.  In the case of any complaint with implications for professional negligence or legal action, the appropriate defence organisation must be informed immediately.

Procedure

Availability of information

The practice will ensure that there are notices advising on the complaints process conspicuously displayed in all reception/waiting areas and that leaflets containing sufficient details for anyone to make a complaint are available without the need to ask. The practice website and any other public material (Practice Leaflet etc.) will similarly provide this information and also signpost the complainant to the help available through the NHS Complaints Advisory Service.

Who can a formal complaint be made to?

ONLY TO – either the practice   -OR –  NHS England

In the event of anyone not wishing to complain to the practice they should be directed to make their complaint to NHSE at:

By telephone: 03003 11 22 33

By email: [email protected]

By post: NHS England, PO Box 16738, Redditch, B97 9PT

In those cases where the complaint is made to NHS England, the practice will comply with all appropriate requests for information and co-operate fully in assisting them to investigate and respond to the complaint.

Who can make a complaint?

A complaint can be made by or, with consent, on behalf of a patient (i.e. as a representative); a former patient, who is receiving or has received treatment at the Practice; or someone who may be affected by any decision, act or omission of the practice.

A Representative may also be

• by either parent or, in the absence of both parents, the guardian or other adult who has care of the child; by a person duly authorised by a local authority to whose care the child has been committed under the provisions of the Children Act 1989;  or by a person duly authorised by a voluntary organisation by which the child is being accommodated
• someone acting on behalf of a patient/ former patient who lacks capacity under the Mental Capacity Act 2005 (i.e. who has Power of Attorney etc.) or physical capacity to make a complaint and they are acting in the interests of their welfare
• someone acting for the relatives of a deceased patient/former patient

In all cases where a representative makes a complaint in the absence of patient consent, the practice will consider whether they are acting in the best interests of the patient and, in the case of a child, whether there are reasonable grounds for the child not making the complaint on their own behalf.  In the event a complaint from a representative is not accepted, the grounds upon which this decision was based must be advised to them in writing.

Who is responsible at the practice for dealing with complaints?

The practice “Responsible Person” is Dr Bapu Sathyajith.  They are charged with ensuring complaints are handled in accordance with the regulations, that lessons learned are fully implemented, and that no Complainant is discriminated against for making a complaint.  This person should be a practice Partner (BMA Guidance and Primary Care contracts)

The practice “Complaints Manager” is Jasvinder Tooray, and they have been delegated responsibility for managing complaints and ensuring adequate investigations are carried out.  (N.B. they can be the same person, but the Responsible Person must be a Partner, who may then delegate the complaints management role to someone else – omit or amend as per practice choice)

Time limits for making complaints

The period for making a complaint is normally:
(a) 12 months from the date on which the event which is the subject of the complaint occurred; or

(b) 12 months from the date on which the event which is the subject of the complaint comes to the complainant’s notice.

The practice has discretion to extend these limits if there is good reason to do so and it is still possible to carry out a proper investigation.  The collection or recollection of evidence, clinical guidelines or other resources relating to the time when the complaint event arose may also be difficult to establish or obtain. These factors may be considered as suitable reasons for declining a time limit extension, however that decision should be able to stand up to scrutiny.

A verbal complaint need not be responded to in writing for the purposes of the Regulations if it is dealt with to the satisfaction of the complainant by the end of the next working day, neither does it need to be included in the annual Complaints Return. The practice will however record them for the purposes of monitoring trends or for Clinical Governance and that record will be kept and monitored by Jasvinder Tooray (PM)/ Nasima Khatun (Deputy)]. Verbal complaints not formally recorded will be discussed when trends or issues need to be addressed and at least annually, with minutes of those discussions kept.

Action upon receipt of a complaint

A) Verbal Complaints:  It is always better to try and deal with the complaint at the earliest opportunity and often it can be concluded at that point. A simple explanation and apology by PM/ Deputy at the time may be all that is required.

If resolution is not possible, the Complaints Manager will set down the details of the verbal complaint in writing and provide a copy to the complainant within three working days. This ensures that each side is well aware of the issues for resolution. The process followed will be the same as for written complaints.

B) Written Complaints:  On receipt, an acknowledgement will be sent within three working days which offers the opportunity for a discussion (face-to-face or by telephone) on the matter.  This is the opportunity to gain an indication of the outcome the complainant expects and also for the details of the complaint to be clarified. In the event that this is not practical or appropriate, the initial response should give some indication of the anticipated timescale for investigations to be concluded and an indication of when the outcome can be expected.

It may be that other bodies (e.g. secondary care/ Community Services) will need to be contacted to provide evidence. If that is the case, then a patient consent form will need to be obtained at the start of the process and a pro-forma consent form included with the initial acknowledgement for return.

If it is not possible to conclude any investigations within the advised timescale, then the complainant must be updated with progress and revised time scales on a regular basis. In most cases these should be completed within six months unless all parties agree to an extension.

The Investigation

The practice will ensure that the complaint is investigated in a manner that is appropriate to resolve it speedily and effectively and proportionate to the degree of seriousness that is involved.

The investigations will be recorded in a complaints file created specifically for each incident and where appropriate should include evidence collected as individual explanations or accounts taken in writing.

Final Response

This will be provided to the complainant in writing (or email by mutual consent) and the letter will be signed by the Responsible Person or Complaints manager under delegated authority.  The letter will be on headed notepaper and include:

• An apology if appropriate (The Compensation Act 2006, Section 2 expressly allows an apology to be made without any admission of negligence or breach of a statutory duty)

• A clear statement of the issues, details of the investigations and the findings, and clear evidence-based reasons for decisions if appropriate
• Where errors have occurred, explain these fully and state what has been or will be done to put these right or prevent repetition. Clinical matters must be explained in accessible language
• A clear statement that the response is the final one and the practice is satisfied it has done all it can to resolve the matter at local level
• A statement of the right, if they are not satisfied with the response, to refer the complaint to the Parliamentary and Health Service Ombudsman,  Millbank Tower, Millbank,  London, SW1P 4QP or visit the ‘Making a complaint page‘  at  http://www.ombudsman.org.uk/make-a-complaint (to complain online or download a paper form).  Alternatively the complainant may call the PHSO Customer Helpline on 0345 015 4033 from 8:30am to 5:30pm, Monday to Friday or send a text to their ‘call back’ service: 07624 813 005

The final letter should not include:

• Any discussion or offer of compensation without the express involvement and agreement of the relevant defence organisation(s)
• Detailed or complex discussions of medical issues with the patient’s representative unless the patient has given informed consent for this to be done where appropriate.

Annual Review of Complaints

The practice will produce an annual complaints report to be sent to the local Commissioning Body (NHSE) and will form part of the Freedom of Information Act Publication Scheme.

The report will include:

• Statistics on the number of complaints received
• The number considered to have been upheld
• Known referrals to the Ombudsman
• A summary of the issues giving rise to the complaints
• Learning points that came out of the complaints and the changes to procedure, policies or care which have resulted

Care must be taken to ensure that the report does not inadvertently disclose any confidential data or lead to the identity of any person becoming known.

Confidentiality
All complaints must be treated in the strictest confidence and the practice must ensure that the patient etc. is made aware of any confidential information to be disclosed to a third party (e.g. NHSE).

The practice must keep a record of all complaints and copies of all correspondence relating to complaints, but such records must be kept separate from patients’ medical records and no reference which might disclose the fact a complaint has been made should be included on the computerised clinical record system.

Unreasonable or Vexatious Complaints

Where a complainant becomes unreasonable or excessively rude or aggressive in their promotion of the complaint, some or all of the following formal provisions will apply and must be communicated to the patient by the Responsible Person in writing:

• The complaint will be managed by one named individual at senior level who will be the only contact for the patient
• Contact will be limited to one method only (e.g. in writing)
• Place a time limit on each contact
• The number of contacts in a time period will be restricted
• A witness will be present for all contacts
• Repeated complaints about the same issue will be refused unless additional material is being brought forward
• Only acknowledge correspondence regarding a closed matter, not respond to it
• Set behaviour standards
• Return irrelevant documentation
• Detailed records will be kept of each encounter

Complaints involving Locums

It is important that all complaints made to the practice regarding or involving a locum (Doctor, Nurse or any other temporary staff) are dealt with by the practice and not passed off to a Locum Agency or the individual locum to investigate and respond. The responsibility for handling and investigating all complaints rests with the Practice.

Locum staff should however be involved at an early stage and be advised of the complaint in order that they can provide any explanations, preferably in writing.  It would not be usually appropriate for any opinions to be expressed by the Practice on Locum staff. Providing their factual account along with any factual account from the practice is the best way to proceed.

The practice will ensure that on engaging any Locum, the Locum Agreement will include an assurance that they will participate in any complaint investigation where they are involved or can provide any material evidence.  The practice will ensure that there is no discrepancy in the way it investigates or handles complaints between any Locum staff and either practice Partners, salaried staff, students or trainees or any other employees.

Informal complaints

The collection of data about informal complaints – often referred to as “grumbles” – is a good tool for identifying trends for low-level dissatisfaction with services or the way they are offered to patients.

Staff are encouraged to raise these issues at practice meetings and in addition a book will be kept in Reception for everyone to note when a negative comment or feedback is made to them by a patient.

Introduction

The Data Protection Act 2018 (DPA) is a UK Act of Parliament that brings the European General Data Protection Regulations (GDPR) into British Law and updates the Data Protection Act 1998. The DPA requires a clear direction on policy for security of information held within the practice and provides individuals with a right of access to a copy of information held about them.

The practice needs to collect personal information about people with whom it deals in order to carry out its business and provide its services.  Such people include patients, employees (present, past and prospective), suppliers and other business contacts.  The information we hold will include personal, sensitive and corporate information.  In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law.  No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the Data Protection Act 2018.

The lawful and proper treatment of personal information by the practice is extremely important to the success of our business and in order to maintain the confidence of our service users and employees.  We ensure that the practice treats personal information lawfully and correctly.

This policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.

See also: Access to Medical Records policy, which covers Subject Access Requests under the Data Protection Act.

1.0      Data Protection Principles

We support fully and comply with the six principles of the Act which are summarised below:

1. Personal data shall be processed fairly and lawfully.

• Personal data shall be obtained/processed for specific lawful purposes and will only be used for the purpose for which it was collected.

• Personal data held must be adequate, relevant and not excessive.

• Personal data must be accurate and kept up to date, and every reasonable step will be taken to ensure any personal data that is inaccurate is erased or rectified without delay.

• Personal data shall not be kept for longer than necessary.

• Personal data shall be processed in a manner that ensures appropriate security of the personal data.

• Employee Responsibilities

All employees will, through appropriate training and responsible management:

• comply at all times with the above Data Protection Act principles

• observe all forms of guidance, codes of practice and procedures about the collection and use of personal information

• understand fully the purposes for which the practice uses personal information

• collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the practice to meet its service needs or legal requirements

• ensure the information is correctly input into the practice’s systems

• ensure the information is destroyed (in accordance with the provisions of the Act) when it is no longer required

• on receipt of a request from an individual for information held about them by or on behalf of immediately notify the practice manager

• not send any personal information outside of the United Kingdom without the authority of the Caldicott Guardian / IG Lead

• understand that breaches of this Policy may result in disciplinary action, including dismissal

• Practice Responsibilities

The practice will:

• Ensure that there is always one person with overall responsibility for data protection.  Currently this person is Dr Bapu Sathyajith, should you have any questions about data protection. Jasvinder Tooray will take on these responsibilities if the first named individual is absent with illness or on annual leave.

• Maintain its registration with the Information Commissioner’s Office

• Ensure that all subject access requests are dealt with as per our Access to Medical Records policy

• Provide training for all staff members who handle personal information

• Provide clear lines of report and supervision for compliance with data protection and also have a system for breach reporting

• Carry out regular checks to monitor and assess new processing of personal data and to ensure the practice’s notification to the Information Commissioner is updated to take account of any changes in processing of personal data

• Develop and maintain DPA procedures to include roles and responsibilities, notification, subject access, training and compliance testing

•  Display a poster in the waiting room explaining to patients the practice policy (see

below) plus a copy of the Information Commissioners certificate

• Make available a leaflet and or a poster in reception on Access to Medical Records for the information of patients. Also display the certificate of registration with the Information Commissioners office.

• Take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant. This will include training on confidentiality issues, DPA principles, working security procedures, and the application of best practice in the workplace.

• Undertake prudence in the use of, and testing of, arrangements for the backup and recovery of data in the event of an adverse event.

• Maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance.

•  Include DPA issues as part of the practice general procedures for the management of risk.

•  Ensure confidentiality clauses are included in all contracts of employment.

•  Ensure that all aspects of confidentiality and information security are promoted to all staff.

•  Remain committed to the security of patient and staff records.

• Ensure that any personal staff data requested by the CCG or NHS, i.e. age, sexual orientation and religion etc., is not released without the written consent of the staff member

Not all services at the Practice are available under the NHS.

Where patients request NON-NHS items or services, a Private Fee may be payable.

This poster lists those fees, which are payable in advance.

Privacy Notice

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

1. WHY WE ARE PROVIDING THIS PRIVACY NOTICE

We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store and hold about you. If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please do contact our Data Protection Officer (details below).

The Law says:

1. We must let you know why we collect personal and healthcare information about you;

• We must let you know how we use any personal and/or healthcare information we hold on you;

• We need to inform you in respect of what we do with it;

• We need to tell you about who we share it with or pass it on to and why; and

• We need to let you know how long we can keep it for.

• THE DATA PROTECTION OFFICER

The Data Protection Officer at the Surgery is Dr Sathyajith. You can contact them at/on 020 8586 6555 if:

• You have any questions about how your information is being held;

• If you require access to your information or if you wish to make a change to your information;

• If you wish to make a complaint about anything to do with the personal and healthcare information we hold about you;

• Or any other query relating to this Policy and your rights as a patient.

• ABOUT US

We, at the Dr Sathyajith’s Practice situated at East Ham Memorial Hospital, are a Data Controller of your information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.

There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

• INFORMATION WE COLLECT FROM YOU

The information we collect from you will include:

1. Your contact details (such as your name and email address, including place of work and work contact details);

• Details and contact numbers of your next of kin;

• Your age range, gender, ethnicity;

• Details in relation to your medical history;

• The reason for your visit to the Surgery;

• Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the Surgery involved in your direct healthcare.

• INFORMATION ABOUT YOU FROM OTHERS

We also collect personal information about you when it is sent to us from the following:

1. a hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare.

• YOUR SUMMARY CARE RECORD

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.

This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record then please contact our Data Protection Officer.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, please visit www.nhs.uk/my-data-choice.

Note if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.

• WHO WE MAY PROVIDE YOUR PERSONAL INFORMATION TO, AND WHY

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in proving better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:

1. Hospital professionals (such as doctors, consultants, nurses, etc);

• Other GPs/Doctors;

• Pharmacists;

• Nurses and other healthcare professionals;

• Dentists;

• Any other person that is involved in providing services related to your general healthcare, including mental health professionals.

• OTHER PEOPLE WHO WE PROVIDE YOUR INFORMATION TO

1. Commissioners;

• Clinical Commissioning Groups;

• Local authorities;

• Community health services;

• For the purposes of complying with the law e.g. Police, Solicitors, Insurance Companies;

• Anyone you have given your consent to, to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of, your record you give consent to be disclosed.   

• Extended Access – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside of our opening hours. This means, those key “hub” practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

The key Hub practices are as follows:

Glen Road Medical Centre

Plashet Medical Centre

Westbury Road Surgery

• Data Extraction by the Clinical Commissioning Group – the clinical commissioning group at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.

There are good reasons why the Clinical commissioning Group may require this pseudo-anonymised information, these are as follows:

Flu Vaccinations

Childhood Immunisations

• ANONYMISED INFORMATION

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

1. YOUR RIGHTS AS A PATIENT

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

1. Access and Subject Access Requests

You have the right to see what information we hold about you and to request a copy of this information.

If you would like a copy of the information we hold about you please email our Data Protection Officer. We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.

We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require.

• Online Access

You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

• Correction

 We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.

• Removal

You have the right to ask for your information to be removed however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.

• Objection

We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way. Please note the Anonymised Information section in this Privacy Notice.

• Transfer

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.

1. THIRD PARTIES MENTIONED ON YOUR MEDICAL RECORD

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.

1. HOW WE USE THE INFORMATION ABOUT YOU

We use your personal and healthcare information in the following ways:

1. when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or on going healthcare;

• when we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement.

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

1. LEGAL JUSTIFICATION FOR COLLECTING AND USING YOUR INFORMATION

The Law says we need a legal basis to handle your personal and healthcare information.

CONTRACT: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.

CONSENT: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs.

Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.

NECESSARY CARE: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.

LAW: Sometimes the Law obliges us to provide your information to an organisation (see above).

1. SPECIAL CATEGORIES

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

PUBLIC INTEREST: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment;

CONSENT: When you have given us consent;

VITAL INTEREST: If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment);

DEFENDING A CLAIM: If we need your information to defend a legal claim against us by you, or by another party;

PROVIDING YOU WITH MEDICAL CARE: Where we need your information to provide you with medical and healthcare services

1. HOW LONG WE KEEP YOUR PERSONAL INFORMATION

We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.

1. UNDER 16s

There is a separate privacy notice for patients under the age of 16, a copy of which may be obtained on request.

1. IF ENGLISH IS NOT YOUR FIRST LANGUAGE

If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer.

1. COMPLAINTS

If you have a concern about the way we handle your personal data or you have a complaint about what we are doing, or how we have used or handled your personal and/or healthcare information, then please contact our Data Protection Officer.

However, you have a right to raise any concern or complaint with the UK information regulator, at the Information Commissioner’s Office: https://ico.org.uk/.

1. OUR WEBSITE

The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

• COOKIES

The Surgery’s website uses cookies. For more information on which cookies we use and how we use them, please see our Cookies Policy.

• SECURITY

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

• TEXT MESSAGING AND CONTACTING YOU

Because we are obliged to protect any confidential information we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up to date details. This is to ensure we are sure we are actually contacting you and not another person.

• WHERE TO FIND OUR PRIVACY NOTICE

You may find a copy of this Privacy Notice in the Surgery’s reception, on our website, or a copy may be provided on request.

• CHANGES TO OUR PRIVACY NOTICE

We regularly review and update our Privacy Notice. This Privacy Notice was last updated on in April 2019 and will be reviewed again in April 2020.

To read the privacy notice for our ICS please CLICK HERE

Please click here to download a copy of our Information Governance leaflet for patients.

Your Data

In order to comply with data protection legislation, this notice has been designed to inform you of what you need to know about the personal information we process. This is your assurance that we are complying with our legal obligation to you and a good opportunity for you to understand or exercise your information rights.

We are legally required to tell you:

•  What personal information we use

•  Why we need your personal information

•  The lawful basis for processing your personal information i.e. legitimate reasons for collecting, keeping, using and sharing it

•  How we use, store, protect and dispose of your personal information

•  How long we keep it for and who we may share it with

•  About your information rights

•  How to report a complaint or concern

Your Personal Information

When we say personal information, we are referring to any information that can identify a specific person, either on its own or together with other information. The obvious examples are name, address and date of birth; however this could include other forms for data, such as email address, car registration, specific physical feature, NHS number, pictures, images and so forth.

Most of the personal information we process is confidential or sensitive because of the nature of our business activities (health and social care). This could be used in a discriminatory way and is likely to be of a private nature, so greater care is needed to ensure this is processed securely. Confidential or sensitive information includes the racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, Trade Union membership, physical or mental health or condition, sexual life, commission, alleged commission of or proceeding for any offence.

Anonymised data is not personal information. This is any information that cannot reasonably identify you, so it cannot be personal, confidential or sensitive. Anonymisation requires the removal of personal information that might identify you.

The personal information we collect may be used for any of the following specific purposes:

•  Health care for patients – diagnosis, treatment and referral

•  Accounting, financial management and auditing

•  Education and training

•  Consultancy and Advisory services

•  Human resources and staff administration

•  Crime prevention and prosecution

•  Health administration and services management

•  Business activity information and databank administration

•  Contractual arrangements for data processing by third parties

•  Occupational Health referrals

•  Research, national surveys

•  Security services e.g CCTV monitoring, confidentiality audits

Without your personal information, we cannot:

•  Direct, manage and deliver the health care you may require

•  Ensure we have accurate and up to date information to assess and provide what you require

•  Provide the appropriate level of assistance or adequate guidance

•  Refer you to a specialist or another service

•  Protect the general public or promote public health

•  Manage, develop or improve our services

•  Investigate complaints or proceed with legal actions for claims

•  Employ you to join our workforce

•  Procure products and services

•  Commission business activities

•  Comply with a court order

•  Comply with regulatory requirements

•  Meet some of our legal obligations

•  Compile statistics to review our performance

•  Educate and train our workforce

•  Undertake clinical trials and research studies you have consented to

•  Complete occupational health checks you have consented to

•  Keep you and other service users safe on our premises

Lawful Basis for Processing your Personal Information

We do not rely on consent to use your personal information as a ‘lawful basis for processing’ regarding using your information for healthcare instead follow guidance issued by the British Medical Association (BMA).

We rely on the following specific provisions under Articles 6 (Lawful Processing) and 9 (Processing of Special Categories of Personal Data) of the GDPR:

For your personal information

Article 6 (1c) ‘processing is necessary for compliance with a legal obligation…’

Article 6 (1e) ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

For your special category information

Article 9 (2b) ‘…for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Article 9 (2h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

Article 9 (2i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Please note: You do have the right to say ‘NO’ to our use of your personal information but this may have an impact on our ability to provide appropriate care or services.

Please speak a member of the Practice or our Data Protection Officer.

We never use your personal information for advertising, marketing and public relations or insurance purposes without your consent.

Retention and Disposal of Personal Information

Your personal information may be written down (manual), digitised or held on computers (electronic) centrally within or outside of the Practice. These may be paper records, scans, photographs, slides, CCTV images, microform (i.e. fiche/film), audio, video, emails, computerised records on IT systems, or scanned documents etc. which we process securely in accordance with data protection legislation and store in conjunction with the Records Management code of Practice.

Records Management Code of Practice 2016

Keeping your Personal Information Safe

We are committed to keeping your information secure and have operational policies, procedures and technical measures in place to protect your information whether it is in a hardcopy, digital or electronic format.

We are registered to the Information Commissioner’s Office: registration number: Z6733449

Mandatory training and regular audits are in place to ensure that only authorised personnel with the absolutely necessary need to know your personal information can use it.

When there are data protection breaches (for example – unauthorised access, inappropriate use, failure to secure and keep personal information secure or accurate), these are reported and investigated, with appropriate action (disciplinary, legal, lessons learned, re-training etc.) taken.

Sharing Personal Information

We may need to share your personal information with another organisation e.g. NHS organisations, health and social care organisations, public bodies (Social Services, Probation Service, Police, Regulatory Authorities) or third party providers commissioned to process personal information on our behalf.

This is because of our duty to share which is equally as important as our duty of confidentiality. We may also share your personal information for planning services across the NHS. This is vital to delivering better healthcare and improving our services.

You have the right to say no and to opt out of or restrict this sharing.  Your right to opt out for reasons other than direct care (e.g. planning and research purposes) is managed through the National Data Opt-Out Programme (search online or contact NHS Digital on 0300 303 5678 to find out more).

Your Information Rights

You have the right to:

•  Be informed about the processing of your personal information by the Practice (done through this notice)

•  Access the information we hold about you (paper, digital or electronic copies)

•  Ask the Practice to correct or complete your personal information

•  Ask the Practice to restrict the processing of your personal information under certain circumstances

•  Ask the Practice to move, copy and transfer your personal information which you have provided to the Practice, in a commonly-used/machine readable format and securely, for your own purpose

•  Ask us not to process your personal information

•  Ask us not to use your personal information for public interests, direct marketing, automated decision-making, profiling, research or statistical purposes

•  Receive a response to your access or change request within a calendar month

Requests for information

Please complete a Request for Access to Records form which is available from our admin team. We will require proof of identity before we can disclose any personal information.

Report Complaint or Concern

We try to meet the highest standards when processing personal information. You should let us know when we get something wrong.

The Practice employs an independent Data Protection Officer (DPO). The role our DPO is to examine our information handling practices and ensure we operate within the law.

These services are provided by Umar Sabat from IG-Health. He can be contacted on [email protected]. He can only assist with complaints about your personal information. All other complaints should be directed to the Practice.