Privacy Notice

GDPR is part of UK data protection law and applies to UK businesses and organisations. It is tailored by the Data Protection Act 2018, which explains each of the data protection principles, rights and obligations. More information on the Data Protection Act can be found at www.gov.uk/data-protection.

We are a Primary Care General Practice providing a wide range of services including:

  • Patient consultations – GPs and Practice nurses
  • Chronic disease management
  • Minor surgery
  • Phlebotomy

We have approximately 11,200 patients registered. We have 4 Partners and employ 35 staff across 3 sites: New House, Hillside and Riverbank Surgeries.

Your information, what you need to know

This privacy notice explains why we collect information about you, how that information may be used and how we keep it safe and confidential.

  • What information are we collecting?
  • Who collects the data?
  • How is it collected?
  • Why do we collect it?
  • How will we use the data?
  • Who will we share it with?
  • What is the effect on the individuals?

Why we collect information

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare. We collect and hold data for the sole purpose of providing healthcare services to our patients.

In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services.

We keep your information in written form and/or in electronic form. The records may include basic details about you and they may also contain more sensitive information about your health.

Details we collect about you

The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g., NHS Trusts, GP Surgeries, Walk-in Clinics, etc.). We keep data on you which will be used to support delivery of appropriate care and treatment, and this may include:

  • Details such as your name, address, date of birth, next of kin
  • Any contact the surgery has had with you such as appointments, clinics visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations, such as blood tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you.

Sensitive data relates to genetic data, sexual orientation, race, your religious beliefs, whether you have a disability, allergies and health records.

Information is collected via you, healthcare professionals and hospital correspondence.

How we keep your information confidential and safe

Everyone working for the NHS is subject to the Common Law Duty of Confidence and the Data Protection Act 2018. Information provided in confidence will only be used for the purposes to which you consent, unless there are other circumstances covered by the law.

The NHS Digital Code of Practice on Confidential Information applies to all our staff and they are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared.

All our staff undertake annual mandatory training in data protection, confidentiality and information governance. All our staff are expected to make sure information is kept confidential and safe, and they are aware of their personal responsibility.

Our doctors, nurses and other healthcare professionals are registered, regulated and governed by professional bodies.

NHS health records may be electronic, on paper or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure. Information we hold is kept in secure locations, is protected by appropriate security, and access is restricted to authorised personnel. Records are backed up securely in line with NHS procedures.

We may be asked to share basic information about you, such as your name and parts of your address, which does not include sensitive information from your health records. We ensure that external data processors are legally and contractually bound to operate, and to prove that, appropriate security arrangements wherever data that could or does identify a person is processed.

Examples include healthcare services, public health or national audits. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • Human Rights Act 1998
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Computer Misuse Act 1990
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2015
  • Public Records Act 1958
  • Records Management Code of Practice Health & Social Care 2016
  • Information Security Management NHS Code of Practice
  • The Care Record Guarantee for England
  • International Organisation for Standardisation (ISO) – Information Security Management Standards (ISMS)

Non-NHS organisations may include, but are not restricted to: social services, education services, local authorities, the police, voluntary sector providers and private sector providers.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your consent unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

How we use your information

Under the powers of the Health and Social Care Act 2015, NHS Digital can request personal confidential data from GP Practices without seeking patient consent. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

You can object to your personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

Occasionally your information may be requested to be used for research purposes. We will always gain your consent before releasing any information for this purpose.

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to:

  • Improve individual care, diagnosis and safety
  • Help protect the health of the general public
  • Understand more about disease risks and causes
  • Develop new treatments and preventions
  • Plan services and to help us manage the NHS
  • Train healthcare professionals
  • Help with research and audits
  • Provide data on performance

We will never share your information outside of health partner organisations without your explicit consent unless there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it, or to carry out a statutory function. We will assume you are happy for your information to be shared unless you choose to opt-out (see below).

This means you will need to express an explicit wish not to have your information shared with the other NHS organisations; otherwise they will be automatically shared. We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional.

There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued. Our guiding principle is that we are holding your records in strictest confidence.

Your right to object or withdraw consent for us to share your information (opt-out)

We mainly use, store and share your information because we are permitted in order to deliver your healthcare but you do have a right to object to us doing this.

Where we are using, storing and sharing your information based on explicit consent, you have a right to withdraw your consent to personal data being used at any time.

Opting out

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.

Type 1 Opt-out (opting out of NHS Digital collecting your data)

NHS Digital will not collect data about patients who have registered a Type 1 Opt-out with the practice. More information about Type 1 Opt-outs is in NHS Digital’s GP Data for Planning and Research Transparency Notice.

This collection will start on 1 September 2021, so if you do not want your data to be shared with NHS Digital please register your Type 1 Opt-out with the practice. You can do this by completing and submitting the opt-out form “Register your Type 1 Opt-Out Preference”.

If you register a Type 1 Opt-out after this collection has started, no more of your data will be shared with NHS Digital. They will, however, still hold the patient data that was shared before you registered the Type 1 Opt-out.

If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.

National Data Opt-out (opting out of NHS Digital sharing your data)

We will collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.

NHS Digital won’t share any confidential patient information about you – this includes GP data, or other data we hold, such as hospital data – with other organisations, unless there is an exemption to this.

To find out more, including how to register a National Data Opt-Out, please read the Your NHS Data Matters page.

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

NHS Digital – Pandemic Planning and Research (COVID-19)

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.

Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with the Practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients.

It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality, and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose, will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data, please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

Supporting Locally Commissioned Services

CCGs and Public Health Surrey County Council support GP practices by auditing pseudonymised data to monitor locally commissioned services, measure prevalence and support data quality. The data does not include identifiable information and is used to support patient care and ensure providers are correctly paid for the services they provide.

Your right to correction

If information about you is incorrect you are entitled to request that we correct it.  There may be occasions where we are required by law to maintain the original information.

Who will the information be shared with?

We may need to share information about you with others, subject to strict agreements on how it will be used.  These are the type of organisations we may share your information with:

  • NHS Trusts/Specialist Trusts
  • Private Healthcare Organisations
  • Independent Contractors such as dentists, opticians, pharmacists
  • Primary Care Networks
  • Voluntary Sector Providers
  • Clinical Commissioning Groups
  • Social Care Services
  • Local Authorities
  • Ambulance Trusts
  • Education Services
  • Fire and Rescue Services
  • Police
  • Other ‘Data Processors’

Summary Care Record (SCR)

NHS England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information (SCR-AI) can also include reason for medication, vaccinations, significant diagnoses /problems, significant procedures, anticipatory care information and end of life care information.

Additional information can only be added to your SCR with your agreement.

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency.

Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please contact the Practice.

Summary Care Record update during COVID Pandemic

Based on the legal Notice issued on 20th March 2020 under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002, which requires confidential patient information to be shared in the circumstances set out in the Notice, changes will be made to the Summary Care Record. These changes will remain in force during the COVID-19 emergency period as set out in the Notice (unless extended or reduced), at which point systems will return to their current state unless alternative arrangements have been put in place before then.

Our clinical system provider will enable Summary Care Record Additional Information (SCR-AI) changes to be made to share confidential information in response to COVID-19 with other healthcare professionals. Safeguards required to keep information safe have not been compromised. NHS access to the SCR and to medical records is traceable and auditable. Only those staff who require access to do their jobs can view this information, and it remains the case that all staff should always seek permission from the patient before viewing an SCR. Further information is available in the Supplementary Privacy Notice for Summary Care Records.

Clinical Audits

Information may be used for clinical audit to monitor the quality of the service provided. Some of this information may be held centrally and used for statistical purposes. Where we do this we take strict measures to ensure that individual patients cannot be identified e.g. the National Diabetes Audit.

Footfall (website)

Footfall is the dashboard linked to the Practice website that allows the Practice to operate digitally. Patients input information which is used for GP triage. Access is via authorised username and password connected to the HSCN (N3).

LumiraDx (INRstar)

LumiraDx is point-of-care software that allows the Practice to manage anticoagulation monitoring on a safe and effective basis. It supports the induction, dosing and review of all anticoagulant patients. Access to this system is via authorised username and password connected to the HSCN (N3). The LumiraDx privacy notice can be found at https://lumiradxcaresolutions.com/privacy-policy

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Population Health Management

The GP Practice and the Surrey Heartlands Partnership work with partners to link local data together to make better decisions on the care of our patients. This means that data held by GPs, hospitals and community care can be linked to see what the needs of the local population are. This will help partners improve care for groups of people in the community. This is called a Population Health approach. Whilst the data will be linked, those partners will not be able to identify individuals, as any identifiable data will be removed. If there is a need to identify individuals, this can only be done by the GP or other organisation that holds that data.

Safeguarding

To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Software

We may use other software within the practice as part of our data processing but data is not shared with anyone else and is not stored outside of the practice.

Surrey Care Record

The Surrey Care Record is an Electronic Health Record (EHR) linking system that brings together patient/client’s information across health and care systems in a secure manner, giving a summary of your information which is held within a number of local records.

For more information see: www.surreyheartlands.uk/surrey-care-record-privacy-notice

You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.

Clinical Research

Occasionally your information may be requested to be used for research purposes. The practice will always gain your consent before releasing any information for this purpose. Research organisations ethically approve companies to gather data on their behalf:

OPC UK – the data extracted from the practice is de-identified, pseudonymised data (with name, date of birth, address, contact information and NHS number removed) and is stored on their database. The OPC Research Database is approved by the NHS Health Research Authority and only provides anonymised data for ethically approved, scientific and exploratory research to help improve patient outcomes. Research data is anonymised in accordance with the Information Commissioner’s Anonymisation Code of Practice.

Supporting Medicines Management

CCGs support local GP practices with prescribing queries which generally do not require identifiable information. CCG pharmacists work with the Practice to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is safe and cost-effective.

Risk Stratification

Risk Stratification is a process for identifying and managing patients who are most likely to need hospital or other healthcare services.

Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness, e.g. diabetes, heart disease, risk of falling. Information about you is collected from a number of sources, including NHS Trusts, who link our records to other records that they access, such as hospital attendance records. This shared information enables other healthcare workers to provide the most appropriate advice, investigations and treatments.

Access to your information

Under the General Data Protection Regulation (GDPR), in force since 2018, you have the right to see, or have a copy of, data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data.

Every patient can have access to their medication records online, but if you want to access your data more widely you must make the request in writing. Under special circumstances, some information may be withheld. If you wish to have a copy of the information we hold about you, please contact the Practice.

Data Protection Officer

If you wish to discuss or exercise any of your rights, please contact the Practice directly in the first instance:

John Glosto, Operations Manager

Email: john.glosto@nhs.net

Tel: 01306 881313

Dorking Medical Practice,
142a South Street,
Dorking,
Surrey RH4 2QR

Alternatively, the Practice’s Data Protection Officer can be contacted directly.

Every Practice is required to have a Data Protection Officer, responsible for overseeing data privacy compliance and managing data protection. Our Data Protection Officer is:

Adam Spinks, Surrey Heartlands Primary Care Data Protection Officer Service

Tel: 0203 887 6923

Email: ajspinksltd.surreyheartlandsdpo@nhs.net

Change of details

It is important that you tell the Practice if any of your details, such as your name or address, have changed or are incorrect, so that they can be amended. Please inform us of any changes so our records for you are accurate and up to date.

Mobile numbers and email addresses

If you provide us with your mobile phone number and/or email address, we may use them to send you reminders about your appointments, other health screening information, or to make an appointment for a review. Please let us know if you do not wish to receive reminders on your mobile and/or email address.

Further information

Dorking Medical Practice is registered with the Information Commissioner’s Office (ICO). Our registration can be viewed online at https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/

Date written: 01/07/2021

Next review due: July 2022