General Data Protection Regulation


A brief guide to your data: what we keep and how it is used

The new law

The GDPR and the Data Protection Act 2018 replace the Data Protection Act 1998 with an updated and strengthened data protection framework. The new law came into force on 25th May 2018. Our Practice was already registered under both the Data Protection and Freedom of Information Acts, and we have always taken the protection of data and patient confidentiality very seriously. The key principles of the original Act remain unchanged.

The principles of the GDPR are as follows:

  • Data should be processed lawfully, fairly and in a transparent manner
  • Data should be collected for specified, explicit and legitimate purposes
  • Data held should be adequate, relevant and limited to what is necessary for those purposes
  • Data should be kept accurate and, where necessary, up to date
  • Data should be retained in identifiable form for no longer than is necessary
  • Data should be processed in a manner that ensures appropriate security, including protection against unauthorised access, loss or damage.

Under the GDPR, we are the Data Controller for our patients’ information: we decide how and why it is processed, and we are responsible for ensuring the above principles are adhered to.

Data Processors are third parties who process the data we hold on our behalf and on our instructions, for instance our physiotherapy service, our prescribing quality team and the Clinical Commissioning Group (CCG). We are responsible for ensuring these parties process data according to the principles listed above.

Largely, the GDPR is about being clear with individuals about how their data is processed, which is what this leaflet sets out to do.


Consent

Data may only be processed where there is a lawful basis for doing so. Consent is the basis typically relied on for commercial purposes, e.g. sales, but it is not normally the basis used by NHS organisations. We process data because it is necessary for the performance of our public task (Article 6(1)(e)), to comply with our legal obligations (Article 6(1)(c)) and, for health data, for the provision of health care (Article 9(2)(h)). This of course goes hand in hand with the principles of patient confidentiality.


What data we store and who it is shared with

GPs have always delegated tasks and responsibilities to others who work with them in their surgeries. On average an NHS GP is accountable for between 1,500 and 2,500 patients, and it is not possible for the GP to provide hands-on personal care for each and every one of them. For this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations. If your health needs require care from others outside this practice, we will exchange with them whatever information about you is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS, it is usual for them to send us information relating to that encounter, and we will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services, but this is not always the case. Your consent to this sharing of data, within the practice and with those outside it, is implied and is permitted by law.

When a new patient registers with us, an electronic record is set up on our clinical system (EMIS). Some patient records can be transferred electronically, so we will sometimes receive information from your previous GP which is filed directly into this record; our staff can then add to it. Any missing historic information is added from your paper Lloyd George notes, which we also receive. We store these in locked filing cabinets in staff-only areas of the building. When a patient de-registers or passes away, their notes are located and sent off in sealed bags; only current patients’ records are stored on site.

Electronic records are accessible only to staff members with a username and password, and staff will only access a patient’s record where it is necessary to do so as part of their job. Staff includes all clinical and administrative staff, as well as other clinicians who see our patients but are not employed by New Dover Road Surgery. They access records on the basis of implied consent: e.g. if you are referred to a physiotherapist, you are giving implied consent for the physiotherapist to access your medical records so that your condition can be treated in an informed way.

We will also share your data in a similar way with other NHS organisations. These include, but are not limited to: East Kent Hospitals; other hospital trusts you might be referred to; Kent Community Health Trust (local minor injuries units, District Nurses, Health Visitors etc.); Public Health England; Canterbury Integrated Health Ltd (i.e. the clinical and administrative staff you might see if you were to attend a Saturday morning appointment at Bridge or the University); Out of Hours services; and pharmacies. We will not share data with these parties unless it is directly for the purpose of your care.

Sometimes we have a legal obligation to share information with organisations such as the DVLA, the Coroner’s Office and the Police. Sharing with any other third party, such as a solicitor or insurance company acting on your behalf, will normally require your signed consent. Where patient data is required for demographic purposes, it is anonymised before being shared.


Summary Care Record (SCR)

A SCR is an electronic record of important patient information, created from GP medical records. It can be seen and used by authorised staff in other areas of the health system involved in the patient's direct care. Access to SCR information means that care in other settings is safer, reducing the risk of prescribing errors. It also helps avoid delays to urgent care.

At a minimum, the SCR holds important information about:

  • current medication
  • allergies and details of any previous bad reactions to medicines
  • the name, address, date of birth and NHS number of the patient

The patient can also choose to include additional information in the SCR, such as details of long-term conditions, significant medical history, or specific communications needs.

We seek explicit consent to add your details to the SCR by means of the new patient health questionnaire given out at registration; sometimes we may also telephone you. If at any point you wish to opt out, please let us know in writing.


How we protect your data

When data needs to be sent to other parties, this is generally done by fax or email. Before sending a fax we double-check the number and ensure we are sending to a trusted recipient. Unless we have your consent, emails are only sent to nhs.net or other secure, encrypted addresses. Some data can be sent via specific electronic systems, such as ‘iGPR’, which we use for transmitting solicitors’ and insurance reports.

For patients who have provided us with a mobile phone number, we routinely send text messages with appointment reminders and requests to submit feedback. When the text messaging service was first set up, all users were messaged to seek their permission and were given the option to opt out. Opting out is still possible at any time by replying to your last message, or to +447903593916, with the message OPT OUT. We will never use your mobile number for marketing. We may use the lawful basis of legitimate interest to send eligible patients invitations for flu vaccinations and other services. On the same basis we also run searches on our patient records to identify those who require tests, appointments or reviews, and send them invitation letters.

Prescriptions are sent electronically to pharmacies (GPs sign these off with a PIN), sent by secure fax, or collected and signed for by pharmacy staff.

All staff and visitors sign a confidentiality agreement and all staff receive annual training on data protection. They are issued passwords which are regularly changed. Staff areas of the building are locked unless they provide a route to a fire exit.

CCTV cameras are used on the property for the protection of our building and its contents, staff and patients. This footage is recorded and stored for one month before being automatically erased. Footage is only accessed if there has been an event that requires investigating. We are obliged to provide footage to the police if required to do so.

Paper-based information that is no longer required is disposed of in shredding bins, which are collected by a company called Shred-it and taken off-site to be destroyed.


How can I request access to my data?

Patients aged 16 and over are entitled to make a Subject Access Request, i.e. a request to view their medical notes. In the first instance, we encourage patients to use our Patient Access online system, which (following a request in writing) we can set to make your electronic medical notes visible to you. Many patients already use this system for ordering repeat prescriptions and booking appointments. Please enquire at reception for a registration form, and return it with a note requesting that you also be given access to your notes.

If you wish to be given a paper copy of your records, to view the paper notes in your Lloyd George file, or to request a copy of your child’s notes (under 16), please put this in writing to Janine Walsh, Administrator. We will not charge unless the request is manifestly unfounded, repetitive or excessive; however, we ask patients to bear in mind the amount of administrative time this can take and the cost to the Practice through printing etc. If possible, please be specific about the information you require, e.g. information linked to a certain problem or diagnosis, or information within a certain time frame. Where possible we will return your notes in electronic form, such as an encrypted disc, and always within one month.

For further information, guidance, complaints and comments please contact the Practice Manager, Rachel Mackey. A full version of our privacy policy can be provided on request and is also accessible on our website. Subject Access Requests should be made in writing to Janine Walsh and in some cases will be referred to your named GP for authorisation.


Sources of information

  • British Medical Association, “GPs as data controllers under the General Data Protection Regulation”, March 2018
  • NHS England, “Summary Care Records”
  • Dr Paul Cundy (GPC IT Policy Lead), “DIY Practice Privacy Notice”, blog post, April 2018
  • Further reading on the Information Commissioner’s Office (ICO) website