Privacy Notice

 

BACK TO MAIN INDEX

 

How Woodbury Surgery uses your information to provide you with healthcare

This practice keeps medical records confidential and complies with the General Data Protection Regulation.

We hold your medical record so that we can provide you with safe care and treatment.

We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.

  • We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.
  • This practice is a member of the East Devon Health federation of GP practices and works collaboratively with other member practices for the purpose of delivering the best possible healthcare to patients in east Devon. To enable us to optimise the available resources with your needs you may be referred to other member health partners for treatment and will be given access to your health record to facilitate this treatment. You have the right to opt out if you do not wish your data to be shared under this arrangement. For more information on how we share your information with other GP practices and any other organisation who are directly involved in your care please speak to our Data Controller Dr Elizabeth Crawford.
  • Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information visit the NHS Website or alternatively speak to your practice.
  • You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.
 

Other important information about how your information is used to provide you with healthcare

Registering for NHS care

All patients who receive NHS care are registered on a national database

  • This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive.
  • The database is held by NHS Digital a national organization which has legal responsibilities to collect NHS data.
  • More information can be found on the NHS Digtial Website the phone number for general enquires at 0300 303 5678

Identifying patients who might be at risk of certain diseases

  • Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
  • This means we can offer patients additional care or support as early as possible.
  • This process will involve linking information from your GP record with information from other health or social care services you have used.
  • Information which identifies you will only be seen by this practice.

Safeguarding

  • Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
  • These circumstances are rare.
  • We do not need your consent or agreement to do this.
  • Please see our local policies for more information: available at reception

Type 1 Opt-out

You have the right to object to your confidential patient data being shared for purposes beyond your direct care by asking the practice to apply a Type 1 opt-out to your medical records. A type 1 opt-out prevents personal data about you being extracted from your GP record and uploaded to any other organisations without your explicit consent. If you wish for a Type 1 opt-out to be applied to your record you can complete a type 1 Opt-out form or contact the surgery.

e-Consult - Consulting your doctor online

  • We use e-Consult an online tool where you can get advice and treatment or get self-help.
  • e-Consult are a third party organisation and by using this tool you are submitting your information to them. This information is then submitted to our practice for review by our GPs.
  • The e-Consult privacy notice can be found on their website

Not a patient but perhaps a relative, friend, next of kin or otherwise have an involvement with a patient?

It is possible that we also hold information on you as part of someone else’s record. The nature of the information held about you will depend on the circumstances that the information was collected for. For instance if you have been named as patient Next of Kin we will hold your name and a means of contacting you such as a phone number or address. Under Data Protection law you will be entitled to receive a copy of this information unless there is good reason not to provide it.

Xima - Recording of Telephone Calls

The surgery has the ability to record telephone calls to protect patients and staff and other health workers. Patients are protected by our having a record of our conversations with you, staff and other health workers are protected from potential abuse. All calls to and from the surgery are recorded. We also occasionally use recordings for staff training and quality control.

AccuRx – Patient Communication for Healthcare Professional

AccuRx are an NHS Digital approved supplier generally and are also NHS Digital approved specifically as a video consultation supplier. They have Data Security and Protection Toolkit assurance (ODS code: 8JT17) and Cyber Essentials Plus certification.

AccuRx are used to facilitate text messaging and video consultations –– your name and mobile telephone number are shared for purposes of arranging video consultations, sending appointment reminder messages, links to specific healthcare advice and recall requests.

Population Health Analytics

As well as using your information to support the delivery of care to you, your data may be used to help improve the way health and social care is delivered to patients and service users throughout Devon using Population Health Management methods. We will only use a pseudonomised extract (ie not identifiable information) which will be sent securely to NHS Devon Clinical Commissioning Group (CCG) and in partnership with Optum, who have been appointed to provide technical assistance to NHS Devon Clinical Commission Group, use the information to support the Devon Integrated Care System to improve short term and medium-term health outcomes for local populations. Please note that at no time will patient identifiable data be used in the delivery of this programme. Patients who have a “type 1” opt- out, will be excluded from this programme and will not have their data extracted for this purpose. Further information about Population Health Management can be found on their website. We will rely on Public interest task as the legal basis for processing your data for this purpose.

General Practice Data for Planning and Research Data Collection (GPDfPR)

As well as using your information to support the delivery of care to you, your data may be used by NHS Digital to help improve the way health and social care is delivered to patients and service users throughout England. From the 1st September 2021, NHS Digital will securely extract your information to provide access to patient data to the NHS and other organisations who need to use it, to improve health and social care for everyone. NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, and pharmaceutical companies. At the time of publication (May 2021), patients who have a “type 1” opt- out, will  be excluded from this programme and will not have their data extracted for this purpose.

We will rely on Legal Obligation (Article (6)(1)(c)), Health and Social Care (Article 9(2)(h)) and Public Health (Article (9)(2)(i)) as the legal basis for processing your data for this purpose.

General Practice Data for Planning and Research (GPDPR)

Third Party Service Providers

The practice will also use carefully selected third party service providers that process data on behalf of the practice. When we use a third party service provider, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating responsibly to ensure the protection of your data. Examples of functions that may be carried out by third parties includes:

  • Organisations that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate video consultation, appointment bookings or electronic prescription services; document management services etc. 
  • Organisations who are delivering services on behalf of the practice (for example conducting Medicines Management Reviews to ensure that you receive the most appropriate, up to date and cost-effective treatments or supporting practices in offering choices of providers and appointments to patients who are being referred via the NHS E-Referral system). 
  • Delivery services (for example if we were to arrange for delivery of any medicines to you). 
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

For further information of who we share your personal data with and our third-party processors, please contact the surgery on 01395 232509

Devon and Cornwall Care Record

Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive.

This shared system is called the Devon and Cornwall Care Record.

It’s important that anyone treating you has access to your shared record so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.

It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email.

Only authorised staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include. For more information about the Devon and Cornwall Care Record visit their website

 

COVID-19

The Practice may collect, hold and share information about you in relation to the COVID-19 pandemic in order to plan and manage services, check that care is being provided and prevent COVID-19 from spreading.

Information about your COVID-19 status may be shared within the NHS and with other partners involved in your care and treatment, along with:

  • NHS England,
  • NHS Digital,
  • Public Health England,
  • CCG,
  • The Department of Health,
  • Other Government Departments where it’s legally required, or where it is necessary for the protection of public health or management of the outbreak.

We do not need your consent or agreement to do this.

More information

 

We are required by law to provide you with the following information about how we handle your information.

Data Controller contact details

  • Dr Elizabeth Crawford - Woodbury Surgery, Fulford Way, Woodbury EX5 1NZ

Data Protection Officer contact details

  • DELT: email d-ccg.deltdpo@nhs.net

Purpose of the processing

  • To give direct health or social care to individual patients.
  • For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care. 
  • To check and review the quality of care. (This is called audit and clinical governance).
  • Sharing of Special Patient Notes (SPN’s) with out of hours services to assist in the delivery of patient care. This includes information such as End of life status, challenging behavior, domestic circumstances and other relevant information that may influence the manner in which health care services are delivered.
  • Data is shared with other organisations to ensure that care is delivered effectively and safely to patients.
  • Data is shared with other organisations to ensure that vulnerable patients including children are safeguarded. Data will be shared with other organisations to safeguard providers of health care from harm or risk to their wellbeing.

Lawful basis for processing

These purposes are supported under the following sections of the GDPR:

  • Article 6(1)(c) “…necessary in order to protect the vital interest of the data subject or another natural person.”
  • Article 6(1)(f)”…necessary for the purpose of legitimate interest…” Article 9(2)(b) “…necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…” (specifically the safeguarding of children and vulnerable adults)
  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data

The data will be shared with:

  • healthcare professionals and staff in this surgery;
  • local hospitals;
  • out of hours services (specifically Devon Doctors Ltd);
  • diagnostic and treatment centres;
  • or other organisations involved in the provision of direct care to individual patients. (ie Hospiscare, community nursing team, UCR)

Rights to object

  • You have the right to object to information being shared between those who are providing you with direct care
  • This may affect the care you receive – please speak to the practice.
  • You are not able to object to your name, address and other demographic information being sent to NHS Digital.
  • This is necessary if you wish to be registered to receive NHS care.
  • You are not able to object when information is legitimately shared for safeguarding reasons. ·
  • In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.
  • The information will be shared with the local safeguarding service Multi Agency Safeguarding Hub

Right to access and correct

You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff. · We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period

GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found on the NHS Digital Website or you can speak to the practice

Right to complain

Please let us know if you are unhappy with how we have used your personal information. You can contact us via our website or in person at the surgery.

You have the right to complain to the Information Commissioner’s Office. If you wish to complain you can do via their website or call the helpline 0303 123 1113

Data we get from other organisations

We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.

Processing of data for the purpose of Public Protection

The practice may provide information to and receive information from other agencies for the purpose of protecting the public from individuals who may pose a risk (eg MAPPA). The practice may process this information either as a public task function or because it has a legal duty to do so

Multi-Agency Public Protection Arrangements