Little Waltham & Great Notley Surgery
Fair Processing Notice (Privacy Notice)
This privacy notice tells you what to expect us to do with your personal information when you contact us or use our services.
Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).
The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.
This notice reflects how we use information for:
- The management of patient records;
- Communication concerning your clinical, social and supported care;
- Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
- Participation in health and social care research; and
- The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future.
Our contact details
Name: Little Waltham & Great Notley Surgery
Address: Notley Green, Great Notley, Braintree CM77 7GS
General phone number: 01376 341 411
General inquiries email address: admin.f81105@nhs.net
Website: https://www.littlewalthamsurgery.co.uk
Data Controller
As your registered practice we are the controller for your information. A controller decides on why and how information is used and shared.
How do we get information and why do we have it?
The personal information we collect is provided directly from you for one of the following reasons:
- You have provided information to seek care – this is used directly for your care, and also to manage services we provide, to clinically audit your services, investigate complaints or to be used as evidence as part of an investigation into care
- You have sought funding for continuing health care or personal health budget support
- You have applied for a job with us or work for us
- You have signed up to our patient participation group
- You have made a complaint
We also receive personal information about you indirectly from others, in the following scenarios:
- from other health and care organisations involved in your care so that we can provide you with care
- from family members or carers who support your care
What information do we collect?
Personal information & More sensitive information
All personal data must be processed fairly and lawfully, whether received directly from you or from a third party in relation to your care.
We will collect the following types of information from you directly, or about you from a third party (provider organisation) engaged in the delivery of your care:
- ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to name, date of birth, full postcode, address, next of kin and [NHS number/HCN number/ CHI number];
- ‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.
Who do we share information with?
In order to deliver and coordinate your health and social care, we may share information with the following types of organisations:
- Local GP Practices, as part of a Primary Care Network (PCN), in order to deliver extended primary care services.
- Planners of healthcare services and care services such as Integrated Care Boards (ICB)
- NHS Secondary Care, i.e. Hospitals
- 111 and Out of Hours Service
- Local Social Services and Community Care services
- Voluntary Support Organisations commissioned to provide services by [Mid & South Integrated Care System]
Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care.
In addition, we receive data from NHS Digital (as directed by the Department of Health) such as the uptake of flu vaccinations and disease prevalence in order to assist us to improve “out of hospital care”.
In some circumstances we are legally obliged to share information. This includes:
- When required by NHS England to develop national IT and data services
- When registering births and deaths
- When reporting some infectious diseases
- When a court orders us to do so
- Where a public inquiry requires the information
We will also share information if the public good outweighs your right to confidentiality. This could include:
- Where a serious crime has been committed
- Where there are serious risks to the public or staff
- To protect children or vulnerable adults
We may also process information in order to de-identify it, so it can be used for purposes beyond individual care whilst maintaining your confidentiality. These purposes include complying with the law and public interest reasons.
Your information will not be transferred outside of the European Union.
What is our lawful basis for using information?
Personal information
Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is:
- We have your consent – this must be freely given, specific, informed and unambiguous.
- We have a contractual obligation – between a person and a service, such as a service user and privately funded care home.
- We have a legal obligation – the law requires us to do this, for example where NHS or the courts use their powers to require data. Follow link below for the laws that apply when using and sharing information:
- We need it to perform a public task – a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. Follow above link for laws that apply.
- We have a legitimate interest – for example, a private care provider making attempts to resolve an outstanding debt for one of its service users.
More sensitive data
Under UK GDPR, the lawful bases we rely on for using information that is more sensitive (special category) are:
- We need it for employment, social security and social protection reasons (if authorised by law)
- We need it for a legal claim or the courts require it.
- There is substantial public interest (with a basis in law).
- To provide and manage health or social care (with a basis in law).
- To manage public health (with a basis in law).
- For archiving, research and statistics (with a basis in law).
Follow link below for the laws that apply when using and sharing more sensitive information:
Common law duty of confidentiality:
please follow link: https://transform.england.nhs.uk/information-governance/guidance/consent-and-confidential-patient-information/
In our use of health and care information, we satisfy the common law duty of confidentiality because:
- You have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses).
- We have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG), which is satisfied that it isn’t possible or practical to seek consent. https://www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/#:~:text=The%20Confidentiality%20Advisory%20Group%20(CAG,Health%20for%20non-research%20uses.
- We have a legal requirement to collect, share and use data
- For specific individual cases, we have assessed that the public interest in sharing the data overrides the public interest served by protecting the duty of confidentiality – e.g., sharing information with the police to support the investigation or prevention of a serious crime. This will always be considered on a case-by-case basis, with careful assessment of whether it is appropriate to share particular information, balanced against the public interest in maintaining a confidential health service.
How do we store your personal information?
My Care Record
Your GP, hospital, community health, mental health and social care teams may all hold records about your care separately. Often, only health and care professionals within the same organisation can see this information. This means it can be difficult for them to work together to deliver the best care.
My Care Record is an approach to improving care by joining up health and care information. Wherever possible, health and care professionals will be able to access your records from other services when it is needed for your care. This will make it easier and faster for them to make the best decisions. For example, a doctor treating you in hospital or a nurse working in the community could view the information they need from your GP record.
Several different secure computer systems are used across the region. These allow health and care professionals to digitally access your records held by other services. In some areas systems are already in place, in other areas more work is underway to invest in the technology needed.
The approach also provides an agreement between all the health and care organisations involved. This means they commit to sharing information in a secure way to help improve your care.
The My Care Record approach is in line with General Data Protection Regulation (GDPR) which provides the legal basis to share information between health and care services when it is needed to deliver care. All your information will be held securely.
You can object to your record being shared between services. To do this, speak to the person delivering care to you at each organisation such as your GP, specialist or social worker.
It is important to understand that not allowing access to your information may affect the quality of the care you receive.
In many situations it is necessary to share information between services to deliver care. However, it may be possible to request that specific or sensitive information is not made available.
There may also be some situations where information still needs to be made available. For example, if there is a serious concern about an individual’s safety. Please see the My Care Record website www.mycarerecord.org.uk for more information.
More information about the areas where your information may be used can be found on the My Care Record website (My Care Record: Privacy Notice).
Data Processors
Data processors act on behalf of the Practice, as a data controller and under our authority. In doing so, they serve our interests rather than their own. A processor can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual, for example a consultant.
The following is a list of processors that the practice has engaged, and a description of the work they carry out on our behalf:
TPP
- SystmOne (GP clinical system) – The practice uses a computer system to record and store patients’ clinical information; this system is provided by TPP. All information recorded within the system is held on TPP servers, accessible to the practice over the secure Health and Social Care Network (HSCN). All data processed by TPP is used and stored within the UK.
Mid & South Essex Integrated Care Board (ICB)
- Referral Support Service – The service will support you from the time your GP refers you to a specialist service until you get your appointment and provide advice and support along the way, including booking hospital appointments or exercising patient choice (i.e., booking appointment at a different hospital or service) if help is needed.
- Information Governance (IG) [& Data Protection Officer (DPO)] Services – The IG service supports the practice with GDPR and Data Protection compliance, including advice and assistance with breaches of legislation, data subjects’ rights and other data protection issues raised by patients or the public, as well as helping with completion of the Data Security & Protection Toolkit and data protection impact assessments. [The DPO service provides a named experienced IG professional within the team to act on behalf of the practice as their Data Protection Officer, to assist with monitoring internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).]
Arden & GEM Commissioning Support Unit (CSU)
- Primary Care Enabling Services (IT) – The IT service includes access to the secure network (including HSCN) and cyber security, including electronic storage of information on hosted servers.
- Business Intelligence (BI) – The BI function within the CSU receives pseudonymised patient data, combines this with other pseudonymised data sets provided by the ICB (including hospital, community, mental health and ambulance data), then supports practices with analysis of that information, in order for the practice to better target services to their population. This includes population health management and risk stratification (more detail on these programmes of work is available below).
NHS Digital
- Data Services for Commissioners Regional Office (DSCRO) – Hosted within Arden & GEM CSU, but contracted to work for NHS Digital, the DSCRO receives clear patient identifiable information and applies a key to scramble this information. This is called pseudonymisation; it renders the data essentially anonymous, although the data remains linkable across other datasets pseudonymised using the same key. This data is then shared with the CSU BI Team for linkage and analysis.
- NHSmail – Provides the practice with a secure email service, common across much of the NHS. This includes access to Microsoft Teams and other software.
eConsult
- eConsult is a digital communication tool that facilitates communication channels between GP practice staff and patients, both online consultations and messaging.
Accurx
- Accurx is a digital communication tool that facilitates communication channels between GP practice staff and patients, both online consultations and messaging.
You have the right to object to data processors handling your personal information, though bear in mind that this is not an absolute right: the practice’s legitimate grounds can override objections raised. Please raise any issues with the practice manager, who will arrange for a discussion and consideration of any objections. Further information on this right is available here:
https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/
What are your data protection rights?
We are committed to protecting your privacy and will only use information that has been collected lawfully. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.
Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.
Under data protection law, you have rights including:
- Your right of access – you have the right to ask us for copies of your personal information, known as a subject access request. https://transform.england.nhs.uk/information-governance/guidance/subject-access-requests/
- Your right to rectification – you have the right to ask us to rectify personal information you think is inaccurate. https://transform.england.nhs.uk/information-governance/guidance/amending-patient-and-service-user-records/ You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – you have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – you have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability – you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at: admin.f81105@nhs.net, 01376 341411, Notley Surgery, Notley Green, Braintree, CM77 7GS if you wish to make a request.
Consent and Objections
The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However, consent is only one potential lawful basis for processing information. Therefore, your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.
What will happen if I withhold my consent or raise an objection?
You have the right to write to us to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact your GP Practice for further information and to raise your objection.
Population Health Management
Population Health Management (PHM) is helping us understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined-up and sustainable health and care services, and make better use of public resources.
We use historical and current patient-level data to understand what factors are driving poor outcomes in different population groups; we then design new proactive models of care which will improve health and wellbeing. This could be by stopping people becoming unwell in the first place or, where this isn’t possible, improving the way the system works together to support them.
This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice or health/care provider will be able to see your personal information in order to offer this service to you.
In order to carry out this data linkage, your pseudonymised data will be passed to Arden & GEM Commissioning Support Unit, part of NHS England, who will link this to other local and national data sources to be able to carry out appropriate analyses.
PHM is a partnership approach across the NHS and other public services; the outputs of the PHM programme will be shared across these organisations. All have a role to play in addressing the interdependent issues that affect people’s health and wellbeing.
Type of Information Used
Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the population health management tools used by the ICB includes:
- Age
- Gender
- GP Practice, Community and Hospital attendances and admissions
- Medications prescribed
- Medical conditions (in code form) and other things that affect your health.
Legal Basis
Statutory requirement for NHS Digital to collect identifiable information.
Section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002 allows the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes. In practice, this means the person responsible for the information can disclose confidential patient information without consent to an applicant without being in breach of the common law duty of confidence, if the requirements of the regulations are met. The person responsible for the information must still comply with all other relevant legal obligations such as the Data Protection Act 2018 and the Human Rights Act 1998.
A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.
There is no requirement for a legal basis for use of the aggregated information which is available to the ICB as this does not identify individuals.
Data Processing Activities
The practice processes this data internally.
Data is also processed by Arden & GEM Commissioning Support Unit and Mid and South Essex ICB.
Opt-out details
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the PHM service (even though it is in a format which does not directly identify you) you can choose to opt-out.
In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.
Instead, please inform the practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.
Sub-licensing
Integrated Care Systems (ICSs) are partnerships that bring together providers and commissioners of NHS services across a geographical area with local authorities and other local partners to collectively plan health and care services to meet the needs of their population. The central aim of the ICS is to integrate care across different organisations and settings, joining up hospital and community-based services, physical and mental health, and health and social care. All parts of England are now covered by one of 42 ICSs.
The Health and Care Act 2022 established 42 Integrated Care Boards (ICBs) across England as statutory bodies and abolished the 106 Clinical Commissioning Groups (CCGs). The ICB will take on the NHS commissioning functions of the former CCGs as well as some of NHS England’s commissioning functions. It will also be accountable for NHS spend and performance within the system. The Board of the ICB will, as a minimum, include a chair, the CEO and representatives from NHS providers, general practice and local authorities.
In order to assure a smooth transition to the new commissioning landscape, the ICB needs to be able to share data with providers and local authorities within their ICS so they are fully able to contribute to commissioning decisions.
The ICS Sub-License approach will allow the ICB to share data they receive from NHS Digital via their commissioning agreements with members of their ICS. This will be limited to pseudonymised commissioning data without the provider unique local patient id included.
Re-identification – This is permitted but the ICB will be responsible for determining which users will have this ability. They must be a health or social care professional with a legitimate (direct care) relationship to the patient.
It is important to note that direct care relies on the “implied consent” legal basis. Therefore, the patient must be aware of this relationship through clear communication.
Type of Information Used
Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information used by the ICS Partners includes:
- Age
- Gender
- GP Practice, Community and Hospital attendances and admissions
- Medications prescribed
- Medical conditions (in code form) and other things that affect your health.
Legal Basis
Statutory requirement for NHS Digital to collect identifiable information.
A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.
The legal basis for sharing the data with ICS members is:
Article 6 (1) (e) – processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller
and Article 9 (2) (h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems
Data Processing Activities
The ICB processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit.
The ICS Partners currently involved in the Sub-Licensing process are:
- Essex County Council
- Southend City Council
- Thurrock Council
- Mid and South Essex NHS Foundation Trust
- East of England Ambulance
- Essex Partnership University NHS Foundation Trust
- North East London NHS Foundation Trust
- Provide CiC
The ICS Partners will become Data Controllers in their own right for the data received under the sub-licensing; however, certain rules will apply to this:
- Onward sharing of the data by ICS members is not permitted.
- Data must be segregated from other datasets and additional linkage is not permitted.
Opt out details
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included (even though it is in a format which does not directly identify you) you can choose to opt-out.
In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.
Instead, please inform your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.
Health Risk Screening / Risk Stratification
Health Risk Screening or Risk Stratification is a process GPs use to help them identify and support patients with long-term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as type 2 diabetes. This is called risk stratification for case-finding.
The ICB also uses risk stratified data to understand the health needs of the local population to plan and commission the right services. This is called risk stratification for commissioning.
Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.
There is currently s251 support in place for the ICB to be able to receive data with the NHS Number as an identifier from both NHS Digital and the GP Practice to enable this work to take place. The data is sent directly into a risk stratification tool from NHS Digital / GP Practices to enable the data to be linked and processed as described above. Once the data is within the tool, ICB staff only have access to anonymised or aggregated data.
GPs can identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care.
Your GP will use computer-based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third-party accredited Risk Stratification provider. The risk stratification contracts are arranged by Mid and South Essex Integrated Care Board in accordance with the current Section 251 Agreement. Neither the CSU nor your local Integrated Care Board (ICB) will at any time have access to your personal or confidential data. They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual, technical and security measures in place.
Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.
Type of Information Used
Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the risk stratification tools used by the ICB includes:
- Age
- Gender
- GP Practice and Hospital attendances and admissions
- Medications prescribed
- Medical conditions (in code form) and other things that affect your health.
Legal Basis
Statutory requirement for NHS Digital to collect identifiable information.
A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.
Data Processing Activities
The practice processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit and Prescribing Services Ltd on behalf of the practice.
Opt-out details
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the risk stratification service (even though it is in a format which does not directly identify you) you can choose to opt-out.
In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.
Instead, please inform your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.
As mentioned above, you have the right to object to your information being used in this way. However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Please contact the Practice Manager to discuss how disclosure of your personal data can be limited.
Sharing of Electronic Patient Records within the NHS
Electronic patient records are kept in most places where you receive healthcare. Our local electronic systems (such as SystmOne, EMIS and Eclipse) enable your record to be shared with organisations involved in your direct care, such as:
- GP practices
- Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
- Child health services that undertake routine treatment or health screening
- Urgent care organisations, minor injury units or out of hours services
- Community hospitals
- Palliative care hospitals
- Care Homes
- Mental Health Trusts
- Hospitals
- Social Care organisations
- Pharmacies
In addition, NHS England have implemented the Summary Care Record which contains information including medication you are taking and any bad reactions to medication that you have had in the past.
In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, considering all aspects of a person’s physical and mental health. Many patients are understandably unable to provide a full account of their care. The shared record means patients do not have to repeat their medical history at every care setting.
Your record will be automatically set up to be shared with the organisations listed above; however, you have the right to ask your GP to disable this function or restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.
You can also reinstate your consent at any time by giving your permission to override your previous dissent.
Your Right of Access to Your Records
The Data Protection Act and General Data Protection Regulation allow you to find out what information is held about you, including information held within your medical records, either in electronic or physical format. This is known as the “right of access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, or a provider that is delivering or has delivered your treatment and care. You should, however, be aware that some details within your health records may be exempt from disclosure; this will be in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your GP record, please submit your request in writing to:
How do I complain?
If you have any concerns about our use of your personal information, you can make a complaint to us at: admin.f81105@nhs.net, 01376 341411, Notley Surgery, Notley Green, Braintree, CM77 7GS.
Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.
The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Date of last review: November 2024