Privacy Policy

 


 

Amherst Medical Practice has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.    

 

What information do we collect about you?

We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.

 

How we will use your information

GP Data for Planning and Research Programme: GP data has a crucial role to play in research and planning which can improve public health, but it is important for patients and the public that this data is made available for appropriate purposes in a secure and trusted manner. This programme is a planned replacement for the GP Extraction Service (GPES) currently used to collect data for planning and research from general practices in England.

It is a legal obligation for the practice to comply with the Data Provision Notice ‘DPN’ for this programme as a result of a new direction from the Secretary of State for Health and Social Care as part of the Health and Care Act 2012. Once fully established, this new collection will replace multiple other data collections from general practices including the GPES in due course.

It is important to state that this new GPDPR programme is not a new processing of GP data in any way; rather, it carries out an ongoing processing activity, i.e. the extraction of patients’ data by NHS Digital for planning and research purposes, by more efficient means. NHS Digital has set out that, whilst general practice will still retain data controllership over patient records within their practice, once data has been extracted from patient records and shared with NHS Digital, NHS Digital will be the responsible and accountable data controller under the UK GDPR for data access and dissemination for planning and research. Full details on the processing of patients’ data for this programme can be found in NHS Digital’s privacy notice here: https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research/transparency-notice

Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.  

In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure. 

NHS Digital has issued a Transparency Notice for this data collection. It is intended that General Practices should be able to link to the information included in the NHS Digital Transparency Notice to enable them to perform their legal duty in providing adequate fair processing information to their patients.

CVDprevent is a national primary care audit to support professionally led quality improvement in the prevention of cardiovascular events in people with and without pre-existing CVD through the detection and management of significant risk factors, including atrial fibrillation, high blood pressure, high cholesterol, diabetes, non-diabetic hyperglycaemia and chronic kidney disease (NHS RightCare CVD Prevention Pathway).

Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR. 

 

Maintaining confidentiality and accessing your records

We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.

 

Risk stratification

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including Amherst Medical Practice; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.

 

Invoice validation

If you have received treatment, your information may be shared to determine which Kent & Medway Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

 

Opt-outs

If you do not want your identifiable patient data (personally identifiable data) to be shared outside of your GP practice for purposes other than your own care, you can register a Type 1 Opt-out using this form.

Any patients who do not currently have a Type 1 opt-out in place and wish to opt out before GPDPR takes effect must register with practices before the 1st of September 2021 to avoid the extract by NHS Digital. After this date, the Type 1 opt-out would still be respected; however, it would apply to new data extracted after the deadline of 1st of September 2021 and would not apply to data that has already been extracted.

It is important to note that the Type 1 opt-out won’t apply where there is a legal requirement for GP practices to share data with NHS Digital. You have a right to object to your information being shared.

 

Retention periods

In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.

 

What to do if you have any questions

Should you have any questions about our privacy policy or the information we hold about you, you can:

Contact the practice’s data controller via email at gp.g82013@nhs.net. GP practices are data controllers for the data they hold about their patients

Write to the data controller at Amherst Medical Practice, 21 St Botolph's Road, Sevenoaks, Kent, TN13 3AQ

Ask to speak to the practice manager Ravi Iyer, or their deputy Cathy Todman

The Data Protection Officer (DPO) for Amherst Medical Practice is:

Helen Foreman, NHS Medway Clinical Commissioning Group, Unit A, Compass Centre North, Pembroke Road, Chatham Maritime, Kent, ME4 4YG

Tel: 03000 425100 Email: mccg.northkentgpdataprotection@nhs.net

 

Complaints

In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit the Information Commissioner’s Office website and select ‘Raising a concern’.

 

Changes to our privacy policy

We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes. This policy is to be reviewed in April 2020. The full policy can be found by clicking here.

 

Supplementary privacy note on Covid-19 for patients using GP Surgeries based in Kent and Medway

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice, which is described above.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm's Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on the government's website and some FAQs on this law are available via the NHS website.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws, your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. Within Kent and Medway CCG we are using AccuRx. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.  Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.   

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

In circumstances where you tell us you’re experiencing Covid-19 symptoms, we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

The COPI Regulations are valid until 31st March 2021, so in effect this COVID privacy notice is valid until then or until any other time when the COPI Regulations are no longer in effect. We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

 

Practice Call Recording Policy 

Our practice may record incoming telephone calls to:

  • Check for accuracy of the request, content of the conversation and details given, should a query arise later.
  • Train staff
  • Assist in complaints investigations
  • Provide evidence of abusive behaviour should it occur

Our practice may record outgoing telephone calls to:

  • Check for accuracy of the request, content of the conversation and details given, should a query arise later.
  • Train staff
  • Assist in complaints investigations
  • Provide evidence of abusive behaviour should it occur

If you object to this you will need to end the call when you are told that calls may be recorded.

Alternative methods of communication are available: call in person at the surgery.

Your telephone recorded information will not be transferred outside the European Economic Area.

 

1. Data Controller contact details:

The Amherst Medical Practice, 21 St Botolph's Road, Sevenoaks, Kent TN13 3AQ

 

2. Caldicott Guardian contact details:

Dr Kaushal Kansagra

 

3. Purpose of the processing:

To ensure we offer a safe, efficient and effective telephone service to our patients and contacts and to protect our staff, clinicians and partners.

 

4. Lawful basis for processing:

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

  • Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

And

  • Article 9(2)(h) “necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
 

5. Recipient or categories of recipients of the processed data:

The data may be shared with health and care professionals and support staff in this surgery, NHS England and the Police Service.

 

6. Rights to object:

You have the right to object to some or all of the information being processed under Article 21. Please contact the Data Controller. You should be aware that this is a right to raise an objection; that is not the same as having an absolute right to have your wishes granted in every circumstance.

 

7. Right to access and correct:

You have the right to access the data that is being recorded and shared, and to have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

 

8. Retention period:

The data will be retained in line with the law and national guidance.

 

9. Right to Complain:

You have the right to complain to the Information Commissioner’s Office. You can visit their website or call their helpline. Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

 

* “Common Law Duty of Confidentiality”: common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge‐made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.
 

 

Kent and Medway Care Record (KMCR)

The Kent and Medway Care Record (KMCR) is a single, shared care record for each patient who is cared for by the NHS or social services in Kent and Medway. Relevant information from the record will be able to be seen by all the health and care professionals who need to see it, and patients will be able to access their own records as well. You can find out more on their website.