Data Protection Privacy Notice for Patients
We at Victoria Medical Centre understand the importance of keeping your personal information safe and secure. This Privacy Notice explain how we use any personal information we may collect about you. If you have any questions or concerns about it, please do contact us.
Who should I contact? If you have any concerns about anything to do with your personal data, please contact us by writing to the Data Protection Office (DPO) at Victoria Medical Centre.
What information do we collect? We collect information such as: personal details (name, address, contact details, date of birth, etc.); details regarding your medical history and in respect of your visits to us; correspondence, test results and notes from other health professionals; plus any other relevant information to enable us to deliver effective medical care.
What is the legal basis for collecting and using your information? The law states we must have a legal basis for obtaining and using your personal information. We rely on the following legal bases:
- Contract: our contract with NHS England is to provide medical care to all of our patients, which includes you.
- Consent: we may also obtain your consent to use your personal information on occasions. Remember that you have the right to withdraw your consent at any time.
- Protecting your vital interests: there may be times when you are not able to provide consent, and so we may need to use your personal information to provide medical care where necessary.
- Legal obligations: in certain limited situations, we are under a legal duty to disclose your personal information to other organisations.
The law also states that personal information about your health is so sensitive that it falls into a special category. In addition to the legal bases given above, we also rely on the following:
- Public interest: we may need to use your personal information for the public interest, such as when there is an outbreak of a serious disease and steps need to be taken to stop it spreading
- Defending a claim: we may need to use your personal information to defend a legal claim made by you or a third party
What do we do with the collected personal information? Chiefly, it is used to provide your medical care. However, your information may be disclosed to partner organisations to help us:
- Monitor and nurture the health of the general public
- Reviewing the care we provide to ensure it is of the highest standard
- Ensure the services we provide can meet patient needs in the future
- Prepare statistics on NHS performance
- Conduct health research and development
- NHS accounts services and audits
- Teaching and onward training of healthcare professionals
- Pay your GP, dentist and hospital for the care they provide
- Investigate complaints, legal claims or other incidents
Some of this information will be held centrally, but where it is used for statistical purposes, stringent measures are taken to ensure that individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units, drug companies and research institutions.
This surgery is supporting vital and health care planning by sharing your data with NHS Digital. For more information about this, please see the GP Practice Privacy Notice for General Practice Data for Planning and Research.
Anonymous and pseudonymised patient data will be shared for use in a population management tool, for purposes of understanding the needs of the patient population and assist in the commissioning and provision of health care. Pseudonymisation of data may be undertaken by a third party. Legal Basis Article 9 2 (h) Health related uses
Where it is not possible to use anonymised information, personally identifiable information may be used for essential NHS purposes. This will only be done with your consent, unless the law requires information to be passed on in any event. You will be specifically asked for consent if there is a proposal to use your records for education or research projects.
We will not disclose your information to third parties without your permission unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires information to be passed on. Anyone who receives information from us is also under a legal duty to keep it confidential.
We are required by law to report certain information to the appropriate authorities. Examples of when we must pass information on include notification of births and deaths; where we encounter infectious diseases, which may endanger the safety of others; and where a court order has been made.
Who are the partner organisations? You may be receiving care from other people as well as the NHS. We may need to share some information about you to others involved in your care when it is in your best interests to do so. The principal organisations are:
- NHS England
- NHS Trusts, including Primary Care Trusts and Hospitals
- Ambulance Service
- Social Services
- Education Services
- Strategic Health Authorities.
Your information may also be shared with local authorities, prison liaison, voluntary sector providers and private sector providers. This sharing would be subject to strict agreements called information sharing protocols.
Do I have a choice? Yes, of course. If you do not want your data to be used in this way, then you can opt out. If you do opt out, then we will still use your personal information to provide your individual medical care.
To find out more about the use of your personal information or to register your decision to opt out of data sharing, you need to go to https://www.nhs.uk/your-nhs-data-matters/
You can change your decision at any time.
For how long do we keep your information? We will only keep your information for as long as necessary for the purposes set out in this Privacy Notice. In any event, and in accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.
Do I have rights to access my personal information? You have a right to see the information we hold that relates to you, and to request a copy. Please request a Subject Access request in writing and we will reply with what we will do and how this will be processed. In most cases you are entitled to receive this information free of charge, but there may be charges applied in certain limited circumstances.
You have the right to have the personal information we hold about you corrected, removed (subject to certain limitations), or transferred to another person or organisation. Again, please contact us in writing if you would like to do any of these things.
There may be references to third parties in your records. The law states that we must remove any such references that would allow that third party to be identified before we release copies of your information. Third parties could include spouses/partners (both current and former); children; other family members; and unrelated individuals.
What do I do if I need to complain? If you have any concerns or questions about the use of your personal information, in the first instance we would ask you to notify us in writing so it can be investigated. If you are still not satisfied with what has happened, you have a right to complain to the Information Commissioners Office. Full details of how to contact them can be found at www.ico.org.uk.
The Sussex Shared Care Record is being developed to provide the ability to enable appropriate and effective sharing of information for direct care purposes, through the integration of current health and care record systems, to facilitate improved outcomes for patient and service users.
Access to shared information is for the purposes of direct care by those who have a legitimate relationship with the patient or service user.
Personal information is shared with other secondary care trusts and providers in order to provide you with direct care services. This could be hospitals or community providers for a range of services, including treatment, operations, physiotherapy, community nursing, ambulance service.
Legal Basis – The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 1 (a) Consent (c) Vital Interest and (e) Direct Care and Article 9 2 (a) Explicit Consent; 9 2 (c) Vital Interest and 9 2 (h) to provide health or social care. In some cases patients may be required to consent to having their record opened by the third party provider before patientsinformation is accessed. Where there is an overriding need to access the GP record in order to provide patients with life-saving care, their consent will not be required.