Your data, privacy and the Law.
How we use your medical records
- This practice handles medical records according to the laws on data protection and confidentiality.
- We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need to know basis and event by event.
- Some of your data is automatically copied to the Northern Ireland Electronic Care Record.
- We may share some of your data with the local Out of Hours Services (e.g. SEBDoc)
- Data about you is used to manage national screening campaigns such as Flu, Cervical cytology and Diabetes prevention.
- Data about you, usually de-identified, is used to manage the NHS and make payments.
- We share information when the law requires us to do, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people.
- Your data is used to check the quality of care provided by the NHS.
- We may also share medical records for medical research
For more information please read on or contact the surgery directly to clarify any points.
Privacy Notice Direct Care
Plain English explanation
This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by the Business Services Organisation (BSO) a national organisation which has legal responsibilities to collect NHS data.
GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances. For this reason GPs share your care with others, predominantly within the surgery, but occasionally with outside organisations.
If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.
You have the right to object to our sharing your data in these circumstances, but we have an overriding responsibility to do what is in your best interests. Please see below.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Details
|
1) Data 1) Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018a
|
|
3) Purpose of the processing
|
Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
|
|
4) Lawful basis for processing
|
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
|
5) Recipient or categories of recipients of the processed data
|
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
|
|
6) Rights to object
|
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller (the practice). You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the practice.
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice Emergencies
Plain English Explanation
There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.
The law acknowledges this and provides supporting legal justifications.
Individuals have the right to make pre-determined decisions about the type and extend of care they will receive should they fall ill in the future, these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the first paragraph.
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.
|
|
4) Lawful basis for processing
|
This is a Direct Care purpose. There is a specific legal justification;
Article 6(1)(d) “processing is necessary to protect the vital interests of the data subject or of another natural person”
And
Article 9(2)(c) “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”
Or alternatively
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with Healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres.
|
|
6) Rights to object
|
You have the right to object to some or all of the information being shared with the recipients. Contact the Data Controller or the practice.
You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.
|
|
8) Retention period
|
The data will be retained in line with the law and national guidance
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – National Screening programs
Plain English explanation
The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
More information can be found at: www.gov.uk/topic/population-screening-programmes
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
The NHS provides several national health screening programs to detect diseases or conditions earlier such as; cervical and breast cancer, aortic aneurysm and diabetes. The information is shared so as to ensure only those who should be called for screening are called and or those at highest risk are prioritised.
|
|
4) Lawful basis for processing
|
The sharing is to support Direct Care which is covered under
Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with [insert name of local service providers]
|
|
6) Rights to object
|
You have the right to object to this processing of your data and to some or all of the information being shared with the recipients. Contact the Data Controller or the practice. For national screening programmes: you can opt so that you no longer receive an invitation to a screening programme.
See: www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes
Or speak to the practice.
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
GP medical records will be kept in line with the law and national guidance.
Information on how long records can be kept can be found at: digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
Or speak to the practice.
|
|
9) Right to Complain
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Commissioning, Planning, Risk Stratification, Patient Identification
Plain English explanation
The records we keep enable us to plan for your care.
This practice keeps data on you that we can search and process, using computer algorithms, to identify patients who might be in need of increased care.
This means using only the data we hold, or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.
If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease.
You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”.
Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
The practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. Diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
|
|
4) Lawful basis for processing
|
The legal basis for this processing is
Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will recognise your rights under UK Law collectively known as the “Common Law Duty of Confidentiality”*
|
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared for processing with the BSO and for subsequent healthcare with local NHS healthcare providers.
|
|
6) Rights to object
|
You have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances. Contact the Data Controller or the practice.
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
The data will be retained in line with the law and national guidance. digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the practice.
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice Research
Plain English explanation
This practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.
Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement<href="#one">1. We may also use your medical records to carry out research within the practice.
We share information with the following medical research organisations with your explicit consent or when the law allows [PC1] :
You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the sharing
|
Medical research.
|
|
4) Lawful basis for processing or sharing
|
Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are;
Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
or
Article 6(1)(e) may apply “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
And in addition there are three possible Article 9 justifications.
Article 9(2)(a) – ‘the data subject has given explicit consent…’
or
Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.
or
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’
|
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with [PC2]
|
|
6) Rights to object
|
You do not have to consent to your data being used for research. You can change your mind and withdraw your consent at any time. Contact the Data Controller (the practice).
|
|
7) Right to access and correct
|
You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.
|
|
8) Retention period
|
The data will be retained for the period as specified in the specific research protocol(s).
|
|
9) Right to Complain
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
1, Section 251 and the NHS Act, Health Research Authority. www.dropbox.com/s/sekq3trav2s58xw/Official%20Section%20251%20guidance%20Health%20Research%20Authority.pdf?dl=0
Privacy Notice Public Health
Plain English
Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.
This will necessarily mean the subjects personal and health information being shared with the Public Health organisations.
Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659) the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657),the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658), Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
There are occasions when medical data needs to be shared with the HSC Public Health Agency, either under a legal obligation, or for reasons of public interest.
|
|
4) Lawful basis for processing
|
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(i) “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”
|
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with the HSC Public Health Agency https://www.publichealth.hscni.net/
|
|
6) Rights to object
|
You have the right to object to some or all of the information being shared with the recipients. Contact the Data Controller or the practice.
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
The data will be retained for active use during the period of the public interest and according to legal requirements and NIO’s criteria on storing identifiable data
https://www.gov.uk/government/organisations/northern-ireland-office/about/personal-information-charter
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
Privacy Notice – Safeguarding
Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.
There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:
Section 47 of The Children Act 1989 :
(www.legislation.gov.uk/ukpga/1989/41/section/47),
Section 29 of Data Protection Act (prevention of crime) www.legislation.gov.uk/ukpga/1998/29/section/29
and
section 45 of the Care Act 2014 www.legislation.gov.uk/ukpga/2014/23/section/45/enacted.
In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; section 17 Childrens Act 1989 www.legislation.gov.uk/ukpga/1989/41/section/17
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
The purpose of the processing is to protect the child or vulnerable adult.
|
|
4) Lawful basis for processing
|
The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:
For consented processing;
6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
For unconsented processing;
6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject
and:
9(2)(b) ‘...is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of ...social protection law in so far as it is authorised by Union or Member State law..’
We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with the local social services based in the Knockbreda Centre, 110 Saintfield Rd, Castlereagh, Belfast BT8 6GR 02895044450 and other social services based elsewhere in the region depending on where the patient resides.
|
|
6) Rights to object
|
This sharing is a legal and professional requirement and therefore there is no right to object.
There is also GMC guidance:
www.gmc-uk.org/guidance/ethical_guidance/children_guidance_56_63_child_protection.asp
|
|
7) Right to access and correct
|
The DSs or legal representatives has the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Other Statutory Disclosures of Information
Plain English
There are a number of other circumstances in which the Practice can be compelled by law to reveal your information to another body without your consent. These circumstances usually are when failure to do so could lead to harm befalling you someone else – classed as an overriding public interest. The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. We are required to disclose information if ordered to do so by a judge or presiding officer of a court.
The General Medical Council can request access to your notes for the purpose as investigating a doctor’s fitness to practice. The Health Service Ombudsman has similar powers to request information when investigating a complaint.
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
The purpose of the processing is to protect the public.
|
|
4) Lawful basis for processing
|
The sharing is a legal requirement to provide certain statutory bodies with information when requested.
For consented processing;
6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
For unconsented processing;
6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject
and:
9(2)(b) ‘...is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of ...social protection law in so far as it is authorised by Union or Member State law..’
We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
Prevention of Terrorism Act (1989) and Terrorism Act (2000)
An obligation to inform the Police if you have information (including personal information) that may assist them in preventing an act of terrorism, or help in apprehending or prosecuting a terrorist.
The Road Traffic Act (1988)
A statutory duty to inform the Police, when asked, of any information that might identify any driver who is alleged to have committed an offence under the Act. We are not required to disclose clinical or other confidential information, only that information required to enable and identification of the driver.
The Female Genital Mutilation Act (2003)
A statutory duty to report to the police under Section 5B of this Act where it appears that a girl under the age of 18 has been subject to genital mutilation.
The Medical Act (1983)
The GMC has the power to request access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practise.
The Health Services Commissioners Act (1993)
The HSO has the power to request access to a patient’s medical records for the purposes of an investigation.
DVLNI
Applicants and licence holders have a legal duty to notify the DVLNI of any injury or illness that would have a likely impact on safe driving ability.
GPs are obliged to notify the DVLNI when fitness to drive requires notification but an individual cannot or will not notify the DVLA themselves, and if there is concern for road safety, which would be for both the individual and the wider public.
|
|
5) Recipient or categories of recipients of the shared data
|
The Police, DVLNI, the Courts, the GMC, the HSO
With any disclosures there must be:
- a legal duty to disclose, or
- a sufficiently important reason to disclose AND a legal basis for doing so
Only the minimum, or relevant, information to satisfy the request will be provided.
The list of statutory bodies is not exhaustive and there may be other circumstances where the sharing of your information may be legally obligated.
|
|
6) Rights to object
|
This sharing is a legal and professional requirement and therefore there is no right to object.
|
|
7) Right to access and correct
|
The DSs or legal representatives have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
Police policy can be found at
https://www.psni.police.uk/advice_information/information-about-yourself/
Data retained in line with DVLA policies on storing identifiable data
www.gov.uk/government/organisations/driver-and-vehicle-licensing-agency/about/personal-information-charter
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Payments
Plain English explanation
Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. The amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises. Finally, there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.
In order to make patient-based payments basic and relevant necessary data about you, needs to be sent to the various payment services. The release of this data is required by law.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
To enable GPs to receive payments. To provide accountability.
|
|
4) Lawful basis for processing
|
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
|
|
5) Recipient or categories of recipients of the processed data
|
The data will be shared with the BSO,Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
|
|
6) Rights to object
|
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
The data will be retained in line with the law and national guidance. digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the practice.
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
Privacy Notice - Electronic Care Record
Plain English
The Northern Ireland Electronic Care Record (NIECR is a Northern Ireland specific development. It consists of a basic medical record held on a central government database on every patient registered with a GP surgery in Northern Ireland. The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract to allow this upload. The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, the name, address, date of birth and NHS H&C number of the patient.
Other detailed information is added by all the Secondary care trusts in the form of hospital discharge letters, outpatient letters, laboratory results and x-ray results. The record also contains records of hospital admissions and appointments in the past and that have been booked in the future. Your GP can see this information but not alter it.
The NIECR can only be viewed on systems directly linked to the NHS computer system, or remotely by staff using high level security protected devices.
You can find out more about the NIECR here www.nidirect.gov.uk/articles/northern-ireland-electronic-care-record-niecr
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
(although the HSC is the overall data controller for the NIECR)
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
Upload of basic health data
|
|
4) Lawful basis for processing
|
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
|
5) Recipient or categories of recipients of the processed data
|
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
|
|
6) Rights to object
|
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
The data will be retained in line with the law and national guidance. digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the practice.
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Medical Defence Organisations
Plain English
In the event of a doctor having to obtain legal advice in relation to proceedings related to the care of a patient, the law allows patient information to be shared with medico-legal advisors.
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
Health records can be reviewed by independent medico-legal experts.
|
|
4) Lawful basis for processing
|
The Schedule 2 Paragraph 5 of the forthcoming Data Protection Bill 2018 states:
Information required to be disclosed by law etc. or in connection with legal proceedings
5(3)
The listed GDPR provisions do not apply to personal data where disclosure of the data is necessary
(a) for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), or
(b) for the purpose of obtaining legal advice or otherwise establishing, exercising or defending legal rights
to the extent that the application of those provisions would prevent the controller from making the disclosure.
When seeking medicolegal advice from defence organisations (i.e. not formal or likely legal proceedings as such) then information from an individual’s record may be disclosed to the supporting organisation. That information will be:
- Relevant (i.e. not the entire GP record)
- Anonymised or de-identified
|
|
5) Recipient or categories of recipients of the processed data
|
The data will be shared with the Medical defence organisation (MDU, MDDUS, MPS) and any experts they employ.
|
|
6) Rights to object
|
None
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
Usually 10 years.
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
Privacy Notice – GP as an Employer
Plain English explanation
As employers we need to keep certain information so that we can remain your employer and manage payments. This is a combination of personal and financial information. We are required by law to hold certain types of data on those we employ under the Health and Social Care Act.
We are also required by HMRC and various taxation laws, such as “The Income Tax (Pay As You Earn) Regulations 2003” to keep financial records.
Details
|
1) Data Controller contact details
|
Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
(although the HSC is the overall data controller for the NIECR)
|
|
2) Data Protection Officer contact details
|
Mr Alan Hawthorne, Knock Medical Centre, 423b Upper Newtownards Road Belfast BT43LH
02890654018
|
|
3) Purpose of the processing
|
To process payments accurately. To comply with the Health and Social Care Act and taxation law.
|
|
4) Lawful basis for processing
|
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
|
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared BSO and anonymised data with the Equality Commission. Financial data will also be shared with HMRC.
|
|
6) Rights to object
|
You have the right to object to some or all of the information being shared with BSO. Contact the Data Controller or the practice. There is no right to have UK taxation related data deleted except after certain statutory periods.
|
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law.
|
|
8) Retention period
|
The data will be retained for active use during the processing and thereafter according to NHS Policies, taxation and employment law.
|
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link ico.org.uk/global/contact-us
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place,
Belfast
BT7 2JB
Telephone: 028 9027 8757 / 0303 123 1114
Email: ni@ico.org.uk
|
Privacy Notice - Complaints
Details
|
Identity and contact details of the data controller and the data protection officer
|
Data Controller: Knock Medical Centre
Data Protection Officer: Mr Alan Hawthorne
|
|
How does this comply with the Common Law Duty of Confidentiality?
- Consent
- Implied (e.g. direct care)
- Explicit (e.g. 2° uses)
- COPI Regulations 2002
(e.g. Reg 5 - “s251”)
- “overriding public interest”
(to safeguard you or another person)
- legal obligation (e.g. court order)
|
Consent (implied)
This means that it would be reasonable to infer that you agree to the use of the information as long as:
- We are accessing the information to provide or support your direct care, or are satisfied that the person we are sharing the information with is accessing or receiving it for this purpose
- Information is readily available to you, explaining how your information will be used and that you have the right to object
- We have no reason to believe that you have objected
We are satisfied that anyone we disclose personal information to understands that we are giving it to them in confidence, which they must respect
|
|
Purpose of the processing and the lawful basis for the processing
|
Storage of communication following a complaint about care received at the practice.
This is a Direct Care purpose
Special category of data (health)
Lawful bases:
Article 6(1)(e) – Official Authority
Article 9(2)(h) – Provision of health
|
|
Is this:
- Access to your GP record
- Extraction of information
from your GP record
- Access to data held about you
by another data controller
|
Extraction of information from the GP record
|
|
The recipient(s), or categories of recipients, of your personal data
|
Communication (which is usually by email) between practice staff and the patient.
|
|
Retention period of the data (or criteria used to determine the retention period)
|
3 years following resolution of the complaint.
|
|
The existence of each of your rights
|
You are able to exercise certain rights in relation to your personal data that we process.
These are set out in more detail at:
ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights
Article 6(1)(e) gives the data subject the right to object.
|
|
The right to lodge a complaint with a supervisory authority
|
Yes:
The Information Commissioner
|
|
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
|
No
|
|
Further information
|
When a complaint from a patient is received by the practice, discussion takes place between practice staff, and the patient, to try to resolve the complaint.
Any such communication (emails, letters, fa xes) is stored in a hard copy (i.e. emails are printed) and separately from the GP patient record.
Any communication made by email is processed in line with our email data retention policy (deleted after 1 calendar month).
All correspondence relating to the complaint is then stored securely in a file for 3 years, when it is destroyed.
|