Privacy Notice

Our policy

Principal Medical Limited (PML) processes information relating to individuals whilst carrying out daily business. Personal information or data that is processed includes information about current, past and prospective employees, patients, customers, clients, suppliers, professional advisers and other third-party organisations. The collection and use of this information is regulated by the Data Protection Act 2018. Please read the Data Protection Act for more information.

This privacy notice explains why PML collects information about you, what we do with that information, how we keep it safe and confidential and what your rights are in relation to this. Personal Information in this privacy notice means any information about you or other people, to provide you with the most appropriate service.

Why we collect information about you

We collect, store and process data for the purpose of providing healthcare services, running our organisation which includes monitoring the quality of care and service that we provide, maintaining accounts and records, promoting our services and to support and manage our employees.

In carrying out this role, we may collect information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or in digital form and may include:

• Details about you such as your name, address (including correspondence if different), telephone numbers, date of birth, contacts (next of kin), GP details.
• Further sensitive information may be collected such as your marital status, occupation, religion, email address, place of birth, ethnic origin and other information as required.
• Notes and reports about your health, treatment and care.
• Results of investigations, such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you.
• Contact with you by our community service teams e.g. home visits and appointments.
• Financial details
• Employment and educational details

We also record incoming and outgoing telephone conversations in accordance with Article 6 of the general data protection regulations. CCTV recordings are also made to ensure patient and staff safety.

When you use our website, you may give us information about yourself as an individual by filling in forms, completing questionnaires or by corresponding with us by telephone or email. We also collect aggregate information on which pages web users’ access or visit, and information volunteered by the website user (such as survey information and/or site registrations). The information we collect is used to improve the quality of our service.

There are elements of this website which are password protected and in order for us to provide access to these areas, you give us personal information which identifies you individually such as your name and email address. By signing up to these sections of the website, you are consenting to sharing your information with us.

What do we do with personal information?

Personal information captured and processed in our clinical services is used to manage and assist the staff involved in your care, in ensuring that you are assessed and advised on the most appropriate care for you and is communicated and shared with all relevant health professionals.

It may also be used to:

• Remind you about your appointments and send you relevant correspondence
• Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement
• Support the funding of your care, e.g. with commissioning organisations
• Help to train and educate healthcare professionals
• Report and investigate complaints, claims and incidents and report events to the appropriate authorities when we are required to do so by law.
• Contact you with regards to patient satisfaction surveys relating to services you have used to further improve our services.

Personal information captured for maintaining accounts and records, promoting our services and supporting and managing our patients and employees is used purely for the purposes of explained. We may process information about our:

• Staff
• Customers
• Suppliers
• Business Contacts
• Professional advisers

Please see Privacy Notice Appendix A for more details.

Who personal information may be shared with

We may have to share your information, subject to strict agreements on how it will be used.

PML provides health care services and personal information can be shared as part of providing your care with relevant consents. However, importantly, we can also share information about you where there is another legal basis to do so. Some of the organisations we may share information with are:

• Healthcare professionals and providers
• Social and welfare organisations
• Government and Local Authorities and Agencies
• Family, associates and representatives of the person whose personal data we are processing.
• Commissioners
• Suppliers and service providers
• Financial organisations
• Current, past and prospective employers

Security of personal information

PML is strongly committed to protecting the privacy of individuals. When you provide us with personal information through our website or by other means of data capture, in the process of providing healthcare services and running our organisation, it will be treated in the strictest of confidence and in accordance with the Data Protection Act 2018.

We will only use information collected lawfully in accordance with:

• Data Protection Act 2018
• United Kingdom General Data Protection Regulation (UK GDPR)
• Human Rights Act
• Common Law Duty of Confidentiality
• NHS Codes of Confidentiality and Information Security
• Health and Social Care Act 2015
• And all applicable legislation

PML ensures that personal information is held securely and takes appropriate technical and organisational measures; including restricting access to data and securing computers, with access control, through usernames and passwords for electronically held personal information. For personal information held on paper, this information is held in locked facilities with restricted access and where permanently based for archive purposes, the records are held in secure external storage.

No personal information you give us will be passed on to third parties for commercial purposes. Our policy is that all information will be shared among PML members (and any third party) on a need basis, and according to legal regulations and appropriate consent. If we have to confirm or share information with other organisations, this will be in-line with a legal requirement to do so and only kept for as long as is required by law.

We will use your data to provide you with the services for which you have registered with us (e.g. to process job applications) and for the purposes described in this statement. If you have applied for a job with PML through our online application process, your personal information will only be held on our servers until the advertised role is filled. After that, we will only keep it electronically for a maximum period of six months unless you request otherwise.

We manage patient records in line with the Records Management NHS Code of Practice for Health and Social Care which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice and in line with our records management policy.

Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. By continuing to browse the site, you are agreeing to our use of cookies. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

We use the following cookies:

• Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.
• Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website more relevant to your interests. We may also share this information with third parties for this purpose.

Please note that third parties (including, for example, providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site. To find out how to allow, block, delete and manage the cookies on all standard web browsers, please go to the About Cookies website. If you use a mobile phone to browse our websites or other sites that use cookies, please refer to your handset manual for guidance.

What are your rights?

Since GDPR you have important rights to protect your personal data. You can access any of these rights by contacting us. The following is a summary of those rights:

• Right to be informed – individuals have the right to be informed about the collection and use of their personal data.
• Right of Access – you have rights to request access to the personal data we hold about y
• Right of rectification – you have the right to request the correction of inaccurate or incomplete information recorded in the record, subject to certain safeguards.
• Right to erasure – you have the right to refuse/withdraw consent to the storing of personal information and for it to be erased from our records if it is beyond the purpose for which it is collected and held.
• Right to restrict processing – where certain conditions apply, you have a right to restrict the processing.
• Right of portability – you have the right to request personal information to be transferred to others on certain occasions.
• Right to object – individuals have the right to object to the processing of their personal data in certain circumstances e.g. being used for direct marketing. Objections can be made verbally or in writing.

We will not be able to erase or cease processing personal information that is required to maintain our business purpose, we have a legal reason to keep it, or required to facilitate your contract with us.

If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. Should you decide in the future that you want to opt out of receiving communications or cease to be the point of contact for your organisation, please contact us on 01295 981166, at which point all of the personal data we hold for you would be deleted with the exception of information we may still be legally required to hold.

Your right to withdraw consent for us to share your personal information (opt-out)

If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please let us know so we can code your record appropriately. We will respect your decision if you do not wish your information to be used for any purpose other than your care but in some circumstances we may still be legally required to disclose your data.

There are two main types of opt-out.

• Type 1 Opt-Out: If you do not want information that identifies you to be shared outside the practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
• National Data Opt-Out (formerly known as Type 2 Opt-Out): NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register for the National Data Opt-Out. For further information visit Opt Out Of Sharing Your Health Records

Access to your information

Under the Data Protection Act 2018 and General Data Protection Regulation 2018 everybody has the right to see, or have a copy, of data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data. If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld. We may charge a reasonable fee for the administration of the request.

If you wish to have a copy of the information we hold about you, please contact us.

Change of details

It is important that you tell us if any of your details such as your name, address or email have changed or if any of your details are incorrect in order for this to be amended. Please inform us of any changes promptly so our records for you are accurate and up to date.

Notification

The Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

PML is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 as a data controller. Our registration number is Z1066624 and our registration can be viewed online in the public register

Data protection officer

Please contact our Director of Quality: Tony Summersgill

• Email: t.summersgill@nhs.net
• PML, 3 Barberry Place, Bicester, Oxfordshire, OX26 3HA
• Telephone: 01295 981166

Any changes to this notice will be published on our website.

Complaints

If you have concerns or you are not satisfied with our response or believe we are processing personal information not in accordance with the law you can complain to the ICO:

• Address: The Information Commissioner’s office, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF
• Phone: 0303 123 1113
• Fax: 01625 524 510
• Visit the ICO website

Appendix A

PML will share patient information with these organisations where there is a legal  basis to do so.

Commissioning and contractual purposes planning quality and performance 

Purpose

Anonymous data is used by the Integrated Care Board (ICB) for planning, performance and commissioning purposes, as directed in  the practices contract, to provide services as a public authority. 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official  authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Patients may opt out of having their personal confidential data used for Planning or research. Please contact your surgery to apply a Type 1 Opt out or logon to the NHS website to apply a National Data Opt Out 

Summary care record Including additional information

Purpose

The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides 
authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable. 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Patients have the right to opt out of having their information shared with the SCR by completion of the form which can be downloaded via the NHS England website and returned to the practice. Please note that by opting out of having your information shared with the Summary Care Record could result in a delay to care that may be required in an emergency.  

Processor

NHS England

Research 

Purpose

We may share anonymous patient information with research companies for the purpose of exploring new ways of providing 
healthcare and treatment for patients with certain conditions. This data  will not be used for any other purpose.  

Where personal confidential data is shared your consent will be required. 

Where you have opted out of having your identifiable information shared for this Planning or Research your information will not be shared. 

Legal basis

• Articles 6(1)(a) and 9(1)(h) – explicit consent; or  
• Article 6(1)(c) (where we are legally obligated to share your personal data) for your standard personal data and Article 9(2)(j) (scientific research) for your health data. 

Where identifiable data is required for research, patient consent will be needed, unless there is a legitimate reason under law to do so or there is support under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales. 

Sharing of aggregated non identifiable data is permitted. 

Individual funding requests

Purpose

We may need to process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our standard NHS contract. 

The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time but this may affect the decision to provide individual funding.  

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Safeguarding adults 

Purpose

We will share personal confidential information with the safeguarding team where there is a need to assess and evaluate any safeguarding concerns and to protect the safety of individuals. 

Consent is not required to share information for this purpose. 

Legal basis

Direct Care under UK GDPR: 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine  

Safeguarding children 

Purpose

We will share children’s personal information where there is a need to assess and evaluate any safeguarding concerns and to protect the safety of children. 

Legal basis 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Consent may not be required to share this information.

Risk stratification – preventative care

Purpose

‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.  

Information about you is collected from a number of sources including NHS Trusts, GP Federations and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information. This can help us identify and offer you additional services to improve your health.  

If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions. 

Type of data

Identifiable/Pseudonymised/Anonymised/Aggregate Data 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’

Public health including screening programmes (identifiable) notifiable disease information (identifiable) smoking cessation (anonymous) sexual health (anonymous) vaccination programmes

Purpose

Personal identifiable and anonymous data is shared. The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service to name a few. The law allows us to share your contact information, and certain aspects of information relating to the screening with Public Health England so that you can be appropriately invited to the relevant screening programme. 

More information can be found on the UK government website or speak to the practice. 

Patients may not opt out of having their personal information shared for Public Health reasons. 

Patients may opt out of being screened at the time of receiving an invitation. 

Legal basis 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Direct care NHS trusts, community providers, pharmacies, enhanced care providers, nursing homes, other care providers 

Purpose

Personal information is shared with other secondary care trusts and providers in order to provide you with individual direct care services. This could be hospitals or community providers for a range of services, including treatment, operations, physio, and community nursing, ambulance service.  

Legal basis

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following: 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine  

Care quality commission

Purpose

The CQC is the regulator for the English Health and Social Care services to ensure that safe care is provided. They will inspect and produce reports back to the GP practice on a regular basis. The Law allows the CQC to access identifiable data. 
 

More detail on how they ensure compliance with data protection law (including UK GDPR) and their privacy statement is available on the CQC website

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine 

Population health management 

Purpose

Health and care services work together as ‘Integrated Care Systems’ (ICS) and are sharing data in order to: 

• Understand the health and care needs of the care system’s population, including health inequalities 
• Provide support to where it will have the most impact 
• Identify early actions to keep people well, not only focusing on people in direct contact with services, but looking to join up care across different partners. 

Type of data

Identifiable/Pseudonymised/Anonymised/Aggregate Data.

NB only organisations that provide your care will see your identifiable data. 

Anonymous data is also shared with the National Association of Primary Care to support work on health inequalities. 

Legal basis 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine  

Payments

Purpose

Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. These amounts paid per patient per quarter varies according to the age, sex 
and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national 
initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises. Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research. In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws. 

Legal basis 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine  

Patient record data base 

Purpose

Your medical record will be processed in order that a data base can be maintained, this is managed in a secure way and there are robust processes in place to ensure your medical record is kept accurate, and up to date.  Your record will follow you as you change surgeries throughout your life. Closed records will be archived by NHS England  

Legal basis  

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’

Medical reports, subject access requests

Purpose

Your medical record may be shared in order that: 

Solicitors/persons acting on your behalf can conduct certain actions as instructed by you.  

Insurance companies seeking a medical reports where you have applied for services offered by then can have a copy to your medical history for a specific purpose.  

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’

Medicines management team, medicines optimisation

Purpose

Your medical record is shared with the medicines management team pharmacists, in order that your medication can be kept up to date and any necessary changes to medication can be implemented. 

Legal basis  

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’

GP federation 

Purpose

Your medical record will be shared with the federation in order that they can provide direct care services to the patient population. This could be in the form of video consultations, Minor injuries clinics, GP extended access clinics, home visits. The Federation will be acting on behalf of the GP practice. 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Primary care network (PCN) 

Purpose

Your medical record will be shared with the PCN in order that they can provide direct care services to the patient population.  

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Smoking cessation

Purpose

Personal information is shared in order for the smoking cessation service to be provided. 

Only those patients who wish to be party to this service will have their data shared  

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Social prescribers

Purpose

Access to medical records is provided to social prescribers to undertake a full service to patients dependent on their health social care needs. 

Only those patients who wish to be party to this service will have their data shared 

Legal basis  

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’

Police

Purpose

Personal confidential information may be shared with the Police authority for certain purposes. The level of sharing and purpose for sharing may vary. Where there is a legal basis for this information to be shared consent will not always be required.  

The Police will require the correct documentation in order to make a request. This could be but not limited to, DS 2, Court order, s137, the prevention and detection of a crime. Or where the information is necessary to protect a person or community. 

Legal basis

UK GDPR  

• Article 6(1)(c) – to comply with a legal obligation; and 
• Article 9(2)(j) – ‘for reasons of substantial public interest’ 

Coroner 

Purpose

Personal health records or information relating to a deceased 
patient may be shared with the coroner. 

Legal basis

UK GDPR Article 6(1)(c) - to comply with a legal obligation and article 9(2)(h) health data

Medical examiner service 

Purpose

Medical records associated with deceased patients are outside scope of the UK GDPR. However, next of kin details are within the scope of the UK GDPR. We will share specified deceased patient records and next of kin details with the relevant Medical Examiners. 

Legal basis

• Article 6(1)(c) – necessary under a legal obligation to which the controller is subject”; and 
• Article 9(2)(h)– “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” 

Non-commissioned, private healthcare providers (e.g. BUPA, Virgin Care, etc.)

Purpose

Personal information shared with private health care providers in order to deliver direct care to patients at the patient’s request. Consent from the patient will be required to share data with Private Providers. 

Legal basis

Articles 6(1)(a) and 9(2)(a) Consented and under contract between the patient and the provider

Messaging service

Purpose

Personal identifiable information shared with the messaging service in order that messages including; appointment reminders; results; campaign messages related to specific patients health needs; and direct messages to patients, can be transferred to the patient in a safe way. 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Remote consultation including: video consultation, clinical photography

Purpose

Personal information including images may be processed, stored and with the patients consent shared, in order to provide the patient with urgent medical advice. 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Patients may be videoed or asked to provide photographs with consent. There are restrictions on what the practice can accept photographs of. 

No photographs of the full face, no intimate areas, no pictures of patients who cannot consent to the process. No pictures of children. 

MDT meetings 

Purpose

For some long term conditions, the practice participates in meetings with staff from other agencies involved in providing care, to help plan the best way to provide care to patients with these conditions. 

Personal data will be shared with other agencies in order that mutual care packages can be decided. 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

General practice extraction service (GPES) 

1. At risk patients data collection version 3 
2. CVDPREVENT audit 
3. Physical health checks for people with severe mental illness

Purpose

GP practices are required to provide data extraction of their patients personal confidential information for various purposes to NHS England. The objective of this data collection is on an ongoing basis to identify patients registered at General Practices who fit within a certain criteria, in order to monitor and either provide direct care, or prevent serious harm to those patients. Below is a list of the purposes for the data extraction, by using the link you can find out the detail behind each data extraction and how your information will be used to inform this essential work:   

1. At risk patients including severely clinically vulnerable 
2. NHS England has directed NHS England to collect and analyse data in connection with Cardiovascular Disease Prevention Audit 
3. GPES Physical Health Checks for people with Severe Mental Illness (PHSMI) data collection. 

Legal basis

All GP Practices in England are legally required to share data with NHS England for this purpose under section 259(1)(a) and (5) of the The Health and Social Care Act 2012  

Further detailed legal basis can be found in each link.  

Any objections to this data collection should be made directly to NHS  England. Email: enquiries@nhsdigital.nhs.uk 

Medication/prescribing 

Purpose

Prescriptions containing personal identifiable and health data will be shared with organisations who provide medicines management including chemists/pharmacies, in order to provide patients with essential medication regime management, medicines and or treatment as their health needs dictate. This process is achieved either by face to face contact with the patient or electronically. Pharmacists may be employed to review medication, Patients may be referred to pharmacists to assist with diagnosis and care for minor treatment, patients may have specified a nominated pharmacy they may wish their repeat or acute prescriptions to be ordered and sent directly to the pharmacy making a more efficient process. Arrangements can also be made with the pharmacy to deliver care and medication  

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Professional training 

Purpose

We are a training surgery. Our clinical team are required to be exposed to on the job, clinical experience, as well as continual professional development. On occasion you may be asked if you are happy to be seen by one of our GP registrars, pharmacists or other clinical team to assist with their training as a clinical professional. You may also be asked if you would be happy to have a consultation recorded for training purposes. These recordings will be shared and discussed with training GPs at the surgery, and also with moderators at the RCGP and HEE. 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Recordings remain the control of the GP practice and they will delete all recordings from the secure site once they are no longer required. 

Telephony 

Purpose

The practice use an internet based telephony system that records telephone calls, for their own purpose and to assist with patient consultations. The telephone system has been commissioned to assist with the high volume and management of calls into the surgery, which in turn will enable a better service to patients. 

Legal basis

While there is a robust contract in place with the processor, the surgery has undertaken this service to assist with the direct care of patients in a more efficient way. 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’

Learning disability mortality programme LeDer

Purpose

The Learning Disability Mortality Review (LeDeR) programme was commissioned by NHS England to investigate the death of patients with learning difficulties and Autism to assist with 
processes to improve the standard and quality of care for people living with a learning disability and Autism. Records of deceased patients who meet with this criteria will be shared with NHS England. 

Legal basis

It has approval from the Secretary of State under section 251 of the NHS Act 2006 to process patient identifiable information who fit within a certain criteria. 

Shared care record  

Purpose

In order for the practice to have access to a shared record, the Integrated Care Service has commissioned a number of systems including GP connect, which is managed by NHS England, to enable a shared care record, which will assist in patient information to be used for a number of care related services. These may include Population Health Management, Direct Care, and analytics to assist with planning services for the use of the local health population.  

Where data is used for secondary uses no personal identifiable data will be used.  

Where personal confidential data is used for Research explicit consent will be required. 

Legal basis 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’

Local shared care record

Purpose

Health and Social care services are developing shared systems to share data efficiently and quickly.  It is important for anyone treating you to be able to access your shared record so that they have all the information they need to care for you. This will be during your routine appointments and in urgent situations such as going to A&E, calling 111 or going to an Out of hours appointment.  It is also quicker for staff to access a shared record than to try to contact other staff by phone or email. 

Only authorised staff can access the systems and the information they see is carefully checked so that it relates to their job.  Systems do not share all your data, just data which services have agreed is necessary to include. 

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

Anticoagulation monitoring 

Purpose

Personal Confidential data is shared with LumiraDX in order to provide an anticoagulation clinic to patients who are on anticoagulation medication. This will only affect patients who are within this criteria.  

Legal basis

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’ 

We keep our Privacy Notice under regular review.