Privacy Notice
How Woodbury Surgery uses your information to provide you with healthcare
This practice keeps medical records confidential and complies with the General Data Protection Regulation.
We hold your medical record so that we can provide you with safe care and treatment.
We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
- We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.
- This practice is a member of the East Devon Health federation of GP practices and works collaboratively with other member practices for the purpose of delivering the best possible healthcare to patients in east Devon. To enable us to optimise the available resources with your needs you may be referred to other member health partners for treatment and will be given access to your health record to facilitate this treatment. You have the right to opt out if you do not wish your data to be shared under this arrangement. For more information on how we share your information with other GP practices and any other organisation who are directly involved in your care please speak to our Data Controller Dr Elizabeth Crawford.
- Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information visit the NHS Website or alternatively speak to your practice.
- You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.
Other important information about how your information is used to provide you with healthcare
Registering for NHS care
All patients who receive NHS care are registered on a national database
- This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive.
- The database is held by NHS Digital a national organization which has legal responsibilities to collect NHS data.
- More information can be found on the NHS Digtial Website the phone number for general enquires at 0300 303 5678
Identifying patients who might be at risk of certain diseases
- Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
- This means we can offer patients additional care or support as early as possible.
- This process will involve linking information from your GP record with information from other health or social care services you have used.
- Information which identifies you will only be seen by this practice.
Safeguarding
- Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
- These circumstances are rare.
- We do not need your consent or agreement to do this.
- Please see our local policies for more information: available at reception
Type 1 Opt-out
You have the right to object to your confidential patient data being shared for purposes beyond your direct care by asking the practice to apply a Type 1 opt-out to your medical records. A type 1 opt-out prevents personal data about you being extracted from your GP record and uploaded to any other organisations without your explicit consent. If you wish for a Type 1 opt-out to be applied to your record you can complete a type 1 Opt-out form or contact the surgery.
Not a patient but perhaps a relative, friend, next of kin or otherwise have an involvement with a patient?
It is possible that we also hold information on you as part of someone else’s record. The nature of the information held about you will depend on the circumstances that the information was collected for. For instance if you have been named as patient Next of Kin we will hold your name and a means of contacting you such as a phone number or address. Under Data Protection law you will be entitled to receive a copy of this information unless there is good reason not to provide it.
Xon - Recording of Telephone Calls
The surgery has the ability to record telephone calls to protect patients and staff and other health workers. Patients are protected by our having a record of our conversations with you, staff and other health workers are protected from potential abuse. All calls to and from the surgery are recorded. We also occasionally use recordings for staff training and quality control.
AccuRx – Patient Communication for Healthcare Professional
AccuRx are an NHS Digital approved supplier generally and are also NHS Digital approved specifically as a video consultation supplier. They have Data Security and Protection Toolkit assurance (ODS code: 8JT17) and Cyber Essentials Plus certification.
AccuRx are used to facilitate online consultations, text messaging and video consultations –– your name and mobile telephone number are shared for purposes of arranging video consultations, sending appointment reminder messages, links to specific healthcare advice and recall requests.
Population Health Analytics
As well as using your information to support the delivery of care to you, your data may be used to help improve the way health and social care is delivered to patients and service users throughout Devon using Population Health Management methods. We will only use a pseudonomised extract (ie not identifiable information) which will be sent securely to NHS Devon Clinical Commissioning Group (CCG) and in partnership with Optum, who have been appointed to provide technical assistance to NHS Devon Clinical Commission Group, use the information to support the Devon Integrated Care System to improve short term and medium-term health outcomes for local populations. Please note that at no time will patient identifiable data be used in the delivery of this programme. Patients who have a “type 1” opt- out, will be excluded from this programme and will not have their data extracted for this purpose. Further information about Population Health Management can be found on their website. We will rely on Public interest task as the legal basis for processing your data for this purpose.
General Practice Data for Planning and Research Data Collection (GPDfPR)
As well as using your information to support the delivery of care to you, your data may be used by NHS Digital to help improve the way health and social care is delivered to patients and service users throughout England. From the 1st September 2021, NHS Digital will securely extract your information to provide access to patient data to the NHS and other organisations who need to use it, to improve health and social care for everyone. NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, and pharmaceutical companies. At the time of publication (May 2021), patients who have a “type 1” opt- out, will be excluded from this programme and will not have their data extracted for this purpose.
We will rely on Legal Obligation (Article (6)(1)(c)), Health and Social Care (Article 9(2)(h)) and Public Health (Article (9)(2)(i)) as the legal basis for processing your data for this purpose.
General Practice Data for Planning and Research (GPDPR)
Third Party Service Providers
The practice will also use carefully selected third party service providers that process data on behalf of the practice. When we use a third party service provider, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating responsibly to ensure the protection of your data. Examples of functions that may be carried out by third parties includes:
- Organisations that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate video consultation, appointment bookings or electronic prescription services; document management services etc.
- Organisations who are delivering services on behalf of the practice (for example conducting Medicines Management Reviews to ensure that you receive the most appropriate, up to date and cost-effective treatments or supporting practices in offering choices of providers and appointments to patients who are being referred via the NHS E-Referral system).
- Delivery services (for example if we were to arrange for delivery of any medicines to you).
- Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
For further information of who we share your personal data with and our third-party processors, please contact the surgery on 01395 232509
Devon and Cornwall Care Record
Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive.
This shared system is called the Devon and Cornwall Care Record.
It’s important that anyone treating you has access to your shared record so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.
It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email.
Only authorised staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include. For more information about the Devon and Cornwall Care Record visit their website
COVID-19
The Practice may collect, hold and share information about you in relation to the COVID-19 pandemic in order to plan and manage services, check that care is being provided and prevent COVID-19 from spreading.
Information about your COVID-19 status may be shared within the NHS and with other partners involved in your care and treatment, along with:
- NHS England,
- NHS Digital,
- Public Health England,
- CCG,
- The Department of Health,
- Other Government Departments where it’s legally required, or where it is necessary for the protection of public health or management of the outbreak.
We do not need your consent or agreement to do this.
More information
- Data and services to support the management of Coronavirus
- Notifiable diseases and causative organisms: how to report
We are required by law to provide you with the following information about how we handle your information.
Data Controller contact details
- Dr Elizabeth Crawford - Woodbury Surgery, Fulford Way, Woodbury EX5 1NZ
Data Protection Officer contact details
- DELT: email d-ccg.deltdpo@nhs.net
Purpose of the processing
- To give direct health or social care to individual patients.
- For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
- To check and review the quality of care. (This is called audit and clinical governance).
- Sharing of Special Patient Notes (SPN’s) with out of hours services to assist in the delivery of patient care. This includes information such as End of life status, challenging behavior, domestic circumstances and other relevant information that may influence the manner in which health care services are delivered.
- Data is shared with other organisations to ensure that care is delivered effectively and safely to patients.
- Data is shared with other organisations to ensure that vulnerable patients including children are safeguarded. Data will be shared with other organisations to safeguard providers of health care from harm or risk to their wellbeing.
Lawful basis for processing
These purposes are supported under the following sections of the GDPR:
- Article 6(1)(c) “…necessary in order to protect the vital interest of the data subject or another natural person.”
- Article 6(1)(f)”…necessary for the purpose of legitimate interest…” Article 9(2)(b) “…necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…” (specifically the safeguarding of children and vulnerable adults)
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data
The data will be shared with:
- healthcare professionals and staff in this surgery;
- local hospitals;
- out of hours services (specifically Devon - Practice Plus Group);
- diagnostic and treatment centres;
- or other organisations involved in the provision of direct care to individual patients. (ie Hospiscare, community nursing team, UCR)
Rights to object
- You have the right to object to information being shared between those who are providing you with direct care
- This may affect the care you receive – please speak to the practice.
- You are not able to object to your name, address and other demographic information being sent to NHS Digital.
- This is necessary if you wish to be registered to receive NHS care.
- You are not able to object when information is legitimately shared for safeguarding reasons. ·
- In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.
- The information will be shared with the local safeguarding service Multi Agency Safeguarding Hub
Right to access and correct
You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff. · We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
Retention period
GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found on the NHS Digital Website or you can speak to the practice
Right to complain
Please let us know if you are unhappy with how we have used your personal information. You can contact us via our website or in person at the surgery.
You have the right to complain to the Information Commissioner’s Office. If you wish to complain you can do via their website or call the helpline 0303 123 1113
Data we get from other organisations
We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.
Processing of data for the purpose of Public Protection
The practice may provide information to and receive information from other agencies for the purpose of protecting the public from individuals who may pose a risk (eg MAPPA). The practice may process this information either as a public task function or because it has a legal duty to do so
We use cookies to help provide you with the best possible online experience.
By using this site, you agree that we may store and access cookies on your device. Cookie policy.
Cookie settings.
Functional Cookies
Functional Cookies are enabled by default at all times so that we can save your preferences for cookie settings and ensure site works and delivers best experience.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.