Patient privacy notice
Patient privacy notice
- Who we are
- Why we collect information about you
- How your information will be used
- How we keep it safe and confidential
Who are we?
St Luke’s Health Centre services are provided by Virgin Care Services Limited on behalf of NHS England. As your registered GP Practice, we are the data controller for any personal information we hold about you.
Virgin Care Services Ltd is a limited company registered in England and Wales, number 07557877. Registered office: Virgin Care Services Ltd, Lynton House, 7-12 Tavistock Square, London WC1H 9LT, part of the Virgin Care Group of companies.
The information we collect and use
Once you register with us, we will collect basic ‘personal data’ about you such as your name, address and contact details. We may also ask you for more sensitive data, called ‘special category data’ such as your ethnicity and information about your health and outcomes of needs assessments. This information is held in written form and/or in digital form.
Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation (eg information from Hospitals, other GP surgeries, out of hours and community nursing team etc). These records help to provide you with the best possible healthcare and help us to protect your safety.
In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We may collect the information from you or other trusted parties involved in your care.
This may include:
- Details about you, such as your address, NHS number, next of kin and/or carer information
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health and safeguarding
- Details about your treatment and care
- Results of investigations, such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
How we use your information
Your records are used to:
- Provide information to make health decisions made by care professional with and for you
- Make sure your care is safe and effective
- Support working with other providing your care
We may also use, or share, your information for the following purposes:
- Looking after the health of the general public
- Making sure that our services can meet patient needs in the future
- Preparing statistics on NHS performance and activity
- Investigating concerns, complaints or legal claims
- Helping colleagues review the care they provide to make sure it is of the highest standards
- Training and educating staff
- For research purposes (we will always ask your consent for this)
Your Summary Care Record (SCR)
Your Summary Care Record is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies. This means they can give you better care if you need health care away from your usual doctor’s surgery:
- in an emergency
- when you’re on holiday
- when your surgery is closed
- at out-patient clinics
- when you visit a pharmacy
Ask your doctor to include additional information on your SCR
You can add more information to your SCR by asking your doctor. They can add extra details from your medical notes, including:
- health problems like dementia or diabetes
- details of your carer
- your treatment preferences
- communication needs, for example if you have hearing difficulties or need an interpreter
This will help medical staff care for you properly, and respect your choices, when you need care away from your GP surgery. This is because having more information on your SCR means they will have a better understanding of your needs and preferences.
When you are treated away from your usual doctor’s surgery, the health care staff there can’t see your GP medical records. Looking at your SCR can speed up your care and make sure you are given the right medicines and treatment.
Protecting your SCR information
Staff will ask your permission to look at your SCR (except in an emergency where you are unconscious, for example) and only staff with the right levels of security clearance can access the system, so your information is secure. You can ask an organisation to show you a record of who has looked at your SCR – this is called a Subject Access Request.
SCRs improve care, but if you don’t want to have one you can opt out. Tell your GP or fill in an SCR opt-out form and give it to your GP practice.
Who we share your information with
We may also share your information for the provision of your care or for another legal obligation with the following organisations and partners:
- NHS Trusts/Foundations
- Community Services such as district nurses and rehabilitation services,
- Child health services that undertake routine treatment or health screening
- Urgent care organisations, minor injury units or out of hours services
- Community and palliative care hospitals
- Care Home
- Mental Health Trusts
- Dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- NHS England (NHSE) and NHS Digital (NHSD)
- Local Authorities
- Education Services
- Police and Judicial Services
- Virgin Care Support teams
The following provide you with an overview of the types of sharing:
Local Information Sharing to support your direct care
Your GP electronic patient record is held securely and confidentially on an electronic system managed by your registered GP practice. However, if you require attention from a health professional such as an Emergency Department, Minor Injury Unit or Out Of Hours service, the professionals treating you are better able to give you safe and effective care if relevant information from your GP record is available to them.
Where available, this information can be shared electronically with other local health and care providers via a secure system designed for this purpose. Depending on the service you are using and your health and care needs, this may involve the professional accessing a secure system that enables them to view relevant parts of your GP electronic patient record.
In all cases, your information is only accessed and used by authorised health and social care professionals in locally based organisations who are involved in providing or supporting your direct care.
Your permission will be asked before the information is accessed, other than in exceptional circumstances (e.g. emergencies) if the healthcare professional is unable to ask you and this is deemed to be in your best interests (which will then be logged).
Under the powers of the Health and Social Care Act 2015, NHS Digital can request personal confidential data from GP Practices without seeking patient consent for a number of specific purposes, which are set out in law. These purposes are explained below.
You can choose to withdraw your consent to your personal data being shared for these purposes. When we are about to participate in a new data-sharing project we will display prominent notices in the Practice and on our website at least four weeks before the scheme is due to start. Instructions will be provided to explain what you have to do to ‘opt-out’ of the new scheme. Please be aware that it may not be possible to opt out of one scheme and not others, so you may have to opt out of all the schemes if you do not wish your data to be shared.
You can object to your personal information being shared with other healthcare providers but should be aware that this may, in some instances, affect your care as important information about your health might not be available to healthcare staff in other organisations. If this limits the treatment that you can receive then the practice staff will explain this to you at the time you object.
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS
Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long terms conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.
If we receive requests from organisations to use health information for research purposes – we will always ask your permission before releasing any information for this purpose.
Improving Diabetes Care
Information that does not identify individual patients is used to enable focussed discussions to take place at practice-led local diabetes review meetings between health care professionals. This enables the professionals to improve the management and support of these patients.
Individual Funding Request
An ‘Individual Funding Request’ is a request made on your behalf, with your consent, by a clinician, for funding of specialised healthcare which falls outside the range of services and treatments that CCG has agreed to commission for the local population. An Individual Funding Request is taken under consideration when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental and where there are no other similar patients who would benefit from this treatment. A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.
Information about you is collected from a number of sources including NHS Trusts, GP Federations and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information. This can help us identify and offer you additional services to improve your health.
Risk-stratification data may also be used to improve local services and commission new services, where there is an identified need. In this area, risk stratification may be commissioned by the Clinical Commissioning Group. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for risk stratification purposes. Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification /
If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.
To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in circumstances where it’s legally required for the safety of the individuals concerned.
Supporting Medicines Management
CCGs operate pharmacist and prescribing advice services to support local GP practices with prescribing queries, which may require identifiable information to be shared. These pharmacists work with your usual GP to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is appropriate for your needs, safe and cost-effective. Where specialist prescribing support is required, the CCG medicines optimisation team may order medications on behalf of your GP Practice to support your care.
Supporting Locally Commissioned Services
CCGs support GP practices by auditing anonymised data to monitor locally commissioned services, measure prevalence and support data quality. The data does not include identifiable information and is used to support patient care and ensure providers are correctly paid for the services they provide.
Invoice validation enables us to identify which Clinical Commissioning Group (CCG) is responsibility for paying for your treatment. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes and uses your NHS number to validate payment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.
How we keep your information safe
Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law.
The NHS Digital Code of Practice on Confidential Information applies to all NHS staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.
The health records we use will be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.
We also make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- General Data Protection Regulation
- Human Rights Act
- Common Law Duty of Confidentiality
- NHS Codes of Confidentiality and Information Security
- Health and Social Care Act 2015
- And all applicable legislation
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it.
We will not disclose your information to any third party without an appropriate legal basis and there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.
How the NHS and care services use your information
St Luke’s Health Centre is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.
Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
Your choice: how to opt out of certain sharing
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
You can decide if health and care information that could identify you is used for research and planning.
National data opt-out
You can choose whether your confidential patient information is used for research and planning. To find out more visit nhs.uk/your-nhs-data-matters.
You do not need to do anything if you are happy about how your confidential patient information is used. You can change your choice at any time.
The following types of Opt Out’s are being phased out this year and replaced by the National Data Opt Out. You can read more about it here.
Type 1 opt-out: medical records held at your GP practice
You can also tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a type 1 opt-out. This opt-out request can only be recorded by your GP surgery.
Type 2 opt-out: information held by NHS Digital (now the national data opt out)
Previously you could tell your GP surgery if you did not want us, NHS Digital, to share confidential patient information that we collect from the across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.
From 25 May 2018 the type 2 opt-out has been replaced by the national data opt-out. Type 2 opt-outs that have been recorded previously have been automatically converted to national data opt-outs.
As of October 2018 the National opt-out can only be set by NHS Digital and there are three options:
Online – via the following link:
You must have an email address or mobile phone number registered with an NHS Service to use this method.
Telephone – via 0300 303 5678. The NHS Digital Contact Centre will verify your identity and discuss your data sharing choices. The Contact Centre may be able to guide you through the online service or set a choice on your behalf.
Print and post – if you are unable to use the online or telephone service, you can use a paper print-and-post form to set a choice instead via the following link:
Access to your information, your rights and corrections
Keeping us updated of any changes
Please let us know if you change your address or contact details etc so that we can keep your information up to date. If you have a concern about some of the information held on your record, you can contact us about it or request a copy of your record.
How to request a copy of your record
You can request a copy of your records via our Data Subject Access Requests (DSAR) portal. Our portal supports the management of requests with regards to records and/or alterations/concerns. Your request will be directed to our Privacy Team which will ensure that the correct service receives your request promptly.
To progress the request you will need proof of identity as follows:
- Driving licence or Passport or Work ID badge or Bus Pass or a witness to your signature by someone who is over 18 and is not a relative, (preferably by your doctor/solicitor on their headed business paper) as proof of identity
- Bank statement or Pay slip or Utility bill or a Letter on headed paper from a local authority or similar as proof of residence.
If you are a Representative acting on a data subject’s behalf you will need proof of your identity as well as proof that the data subject is freely giving consent to the request, or you have the appropriate legal authority.
If you would like more information about your records, please ask at reception, speak to the person proving your care or contact our Data Protection Officer: Sarah Murray, Head of Information Governance, Virgin Care. Email: firstname.lastname@example.org
Data Protection laws provides you with the following rights:
|The right of access||You are entitled to request a copy of the personal data we hold about you.|
|The right to rectification||You are entitled to request changes to information if it is inaccurate or incomplete
|The right to erasure||Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data.|
|The right to restrict processing||Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data, but will not process it any further.|
|The right to data portability||Subject to certain conditions, you may request a copy of your personal data to be transferred to another organisation.|
|The right to object to processing||You have the right to object to our processing of your data where
· Processing is based on legitimate interest;
· Processing is for the purpose of direct marketing;
· Processing is for the purposes of scientific or historic research;
· Processing involves automated decision-making and profiling.
Please note that the above rights may not apply in all circumstances but we will respond within a month of any requests. If you have any questions or concerns about the information we hold on you, please contact our Data Protection Officer by one of the following options:
Via our secure Data Subject Access Requests (DSAR) portal
Email the central IG Team: email@example.com
Tel: 01928 242942
Post: FAO Head of Information Governance & Data Protection Officer
6600 Daresbury Business Park
If you are not happy about the way your information is handled, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioners Office (ICO).
Changes to our privacy notice
We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our data protection officer if you would like more information.