Our Privacy Notice and GDPR
This Practice aims to provide you with the highest quality of Healthcare. To do this we must keep records about you, your health and the care we have provided or plan to provide.
These records may include:
- Basic details about you, such as address, date of birth, next of kin;
- Notes and reports about your health;
- Contact we have had with you such as clinical visits;
- Details and records about your treatment and care;
- Results of x-rays, laboratory tests etc.;
- Relevant information from people who care for you and know you well, such as health professionals and relatives.
The people who care for you use your records to:
- Provide a good basis for all health decisions made by you and care professionals;
- Make sure your care is safe and effective;
- Work effectively with others providing you with care.
We may also need to use records about you to:
- Check the quality of care;
- Protect the health of the general public;
- Help investigate any concerns or complaints you or your family have about your health care.
We will not share information that identifies you for any reason, unless:
- You ask us to do so;
- We ask and you give your consent;
- It is a clinical emergency;
- We have to do this by law.
Everyone working for the NHS has a legal duty to keep information about you confidential. We have a duty to:
- Maintain full and accurate records of the care we provide to you;
- Keep records about you confidential, secure and accurate;
- Provide information in a format that is accessible to you (e.g. in large type if you are partially sighted).
You have the right
- You have the right to confidentiality under the Data Protection Act 1998 (DPA), The General Data Protection Regulations 2018, the Human Rights Act 1998 and the common law duty of confidentiality.
- You also have the right to ask for a copy of your records to enable you to verify the lawfulness of the processing of data held about you - please write to the Practice F.A.O. Data Controller at the normal surgery address detailing the information you require.
The Data Controller for this Practice is: THE UNIVERSITY HEALTH CENTRE
DRS MOUNSEY, RASAKUMARAN & THOMAS
The Data Protection Officer for this Practice is: Nicola Toner
What is GDPR?
GDPR stands for General Data Protection Regulations and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must comply with subject access requests
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for patient data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Higher fines for data breaches – up to 20 million euros
What is ‘patient data’?
Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc.
What is consent?
Consent is permission from a patient – an individual’s consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.
Individuals also have the right to withdraw their consent at any time.
Third party processors
In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- Delivery services (for example if we were to arrange for delivery of any medicines to you).
- Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
OUR DATABASE PROVIDER STATEMENT