Privacy Notice

Introduction

At Holland House Surgery, we have a legal duty to explain how we use any personal information we collect about you at the organisation. This is in both electronic and paper format.

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer Bronwen Casey, Lancashire Enterprise Business Park, Jubilee House, Leyland PR26 6TR 01772 214200

The main things the law says we must tell you about what we do with your personal data are:

• We must let you know why we collect personal and healthcare information about you
• We must let you know how we use any personal and/or healthcare information we hold about you
• We need to inform you in respect of what we do with it
• We need to tell you about who we share it with or pass it on to and why
• We need to let you know how long we can keep it for

The General Data Protection Regulation (GDPR) became law on 24 May 2016. This was a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25 May 2018, repealing the Data Protection Act (1998). Following Brexit, the GDPR became incorporated into the Data Protection Act 2018 at Part 2, Chapter 2 titled The UK GDPR.

For the purpose of applicable data protection legislation (including but not limited to the Data Protection Act 2018 (DPA2018) and Part 2 the UK GDPR).
 

Using your information

We will use your information so that we can check and review the quality of care we provide. This helps us improve our services to you.

We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital or your GP will send details about your prescription to your chosen pharmacy.

Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information see NHS E Summary Care Record or alternatively speak to this organisation.

You have the right to object to information being shared for your own care. Please speak to this organisation if you wish to object. You also have the right to have any mistakes or errors corrected.

Registering for NHS care

All patients who receive NHS care are registered on a national database (NHS Spine). The Spine is held and maintained by NHS England, a national organisation which has legal responsibilities to collect NHS data.

More information can be found at NHS England - Spine

Identifying patients who might be at risk of certain diseases

Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible.

This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this organisation.

The data is run through a computer-based programme, often referred to as a risk stratification tool, which assigns ‘risk scores’ to patients. By doing this, the tool calculates which people are at high risk of experiencing certain outcomes, such as unplanned emergency care. It can also help identify and support patients with long term conditions and reduce the risk of certain diseases developing such as Type 2 Diabetes.

Risk stratification tools are operated by Processors. NHS Lancashire and South Cumbria ICB has contractual arrangements in place with these risk stratification Processors:

• NHS Midlands and Lancashire Commissioning Support Unit (NHS ML). NHS ML’s risk stratification tool is Aristotle.
• Prescribing Services Limited (PSL). PSL’s risk stratification tool is Eclipse VISTA.

Risk stratification Processors are not part of the ICB or any GP Practice. They are separate organisations that are carrying out their duties under contract. The contract instructs them what they can and cannot do with the data and sets out their obligations.

GPs and the Lancashire and South Cumbria Integrated Care Board (LSC ICB) are individual Data Controllers. A Data Controller makes material decisions relating to the processing of personal data, for example processing data for risk stratification purposes. Your data is used in two ways by GPs and the LSC ICB for risk stratification purposes:

• By targeting individuals at high-risk of needing additional preventive care interventions. This is known as risk stratification for case-finding. Typically, GPs use the case-finding method to prevent health issues, to prevent unexpected hospital visits, and to help identify and support patients with long term conditions. The risk stratification tool ‘finds’ registered patients who are most at risk. The tool will produce an electronic report that is reviewed by clinical staff at your Practice. You might then be contacted should the report identify changes needed to your care, and you may be offered additional health care services. Clinical staff are able to re-identify individual patients from the risk stratified data so that they can discuss the outcome and consider additional health care services with the patient.
• By analysing a population to predict future care needs so that services can be planned and commissioned. This is known as risk stratification for commissioning. The NHS Lancashire and South Cumbria ICB uses this method to understand the current and future needs of the local population so that they can commission the right services. The risk stratification tool assesses the potential scale of future adverse events among patients based on risk score. The tool will produce an electronic report that can be used by ICB staff to assist with the planning and commissioning of services. ICB staff can never identify an individual from the risk stratified data they are able to view.

Under the UK General Data Protection Regulation (GDPR), the lawful basis we rely on to process personal data is: Article 6(1)(e); “necessary in the exercise of official authority vested in the controller”.

The lawful basis we rely on to process your special category data is: Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine”.

Risk stratification activity is undertaken under Section 251 of the NHS Act 2006 which enables the Common Law Duty of Confidentiality (CLDC) to be temporarily lifted. This means that the data can be processed without patient consents as long as there are specific technical and security measures in place. ICB staff can never identify an individual from the risk stratified data.

Risk stratification tools are operated by Processors. A Processor feeds a mix of personal information about patients (age, gender, diagnoses, admissions to hospital, etc.) into their tool where it gets automatically processed under appropriate contractual and security measures. The tool analyses the data to produce risk scores. The risk scores are a non-identifiable data set.

The law says commissioners, including the NHS Lancashire and South Cumbria ICB, are not allowed to access Personal Confidential Data (PCD) because they are not providing direct patient care. ICB staff therefore do not have access to Personal Confidential Data as part of the risk stratification purposes.

Identifiable risk stratification data is made available to Clinicians/GPs who have a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce risks.

Personal data used for risk stratification purposes is processed, retained, and securely deleted/disposed of at the end of its lifecycle in accordance with NHS England’s Records Management Code of Practice for Health and Social Care

Safeguarding

Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare, and we do not need your consent or agreement to do this.

Please see our local policies for more information: Safeguarding - Lancashire County Council

Medical research

This organisation shares information from medical records to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best. We will also use your medical records to carry out research within the organisation.

The use of information from GP medical records is very useful in developing new treatments and medicines; medical researchers use information from these records to help to answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with the following medical research organisations with your explicit consent or when the law allows: Trialmed Clinical Research (formerly Synexus) and Cancer Research UK.

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the organisation if you wish to object.

Checking the quality of care – national clinical audits

This organisation contributes to national clinical audits so that healthcare can be checked and reviewed. Information from medical records can help doctors and other healthcare workers to measure and check the quality of care that is provided to you.

The results of the checks or audits can show where organisations are doing well and where they need to improve. These results are also used to recommend improvements to patient care.

Data is sent to NHS England, a national body with legal responsibilities to collect data.

The data will include information about you, such as your NHS Number and date of birth, and information about your health which is recorded in coded form – for example the code for diabetes or high blood pressure.

We will only share your information for national clinical audits or checking purposes when the law allows.

For more information about national clinical audits see the Healthcare Quality Improvement Partnership

You have the right to object to your identifiable information being shared for national clinical audits. Please contact the organisation if you wish to object.

We are required by law to provide you with the following information about how we handle your information

Data Controller

Holland House Surgery, Lytham Primary Care Centre, Victoria Street, Lytham, FY8 5DZ
Tel: 01253 955350

Data Protection Officer

Bronwen Casey, Lancashire Enterprise Business Park, Jubilee House, Leyland PR26 6TR
Tel: 01772 214200

Purpose of the processing

• To give direct health or social care to individual patients.
• To check and review the quality of care. (This is called audit and clinical governance).
• Medical research and to check the quality of care which is given to patients (this is called national clinical audit).

Lawful basis for processing

These purposes are supported under the following sections of the GDPR:

• Article 6(1)(e): ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
• Article 9(2)(h): ‘necessary for the purposes of preventative or occupational medicine...’
• Article 9(2)(a): ‘the data subject has given explicit consent…’
• Article 9(2)(j): ‘processing is necessary for… scientific or historical research purposes or statistical purposes...’

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data

• Healthcare professionals and staff in this surgery
• Out of hours services
• Diagnostic and treatment centres
• Local hospitals (e.g., Blackpool Teaching Hospitals NHS Foundation Trust, Trinity Hospice, North West Ambulance Services)
• NHS Midlands and Lancashire Commissioning Support Unit
• Engage Health Systems, Heidi Health, Eclipse Data Systems
• Cancer Research UK and Trialmed (for medical research)
• NHS England (for national clinical audits)

Rights to object and the national data opt-out

You have the right to object to information being shared between those who are providing you with direct care. You are not able to object to demographic data being sent to NHS England or to information shared for safeguarding reasons. The national data opt-out allows you to opt out of data being used for research and audit.

Right to access and correct

You have the right to access your medical record and request corrections. See our Access to Medical Records Policy for details.

Retention period

Records will be kept in line with the law and national guidance. See the Records Management Code of Practice.

Right to complain

If you are unhappy with our data-processing methods, contact the Practice Manager. You may also lodge a complaint with the ICO or by calling 0303 123 1113.

Data we get from other organisations

We receive health information from other organisations (e.g., hospitals) to keep your GP medical record up-to-date.

Using your health data for planning and research

You can decide whether you wish to have your information extracted and there are two main options available to you.

Option 1

Type 1 opt-out applies at organisational level and means that your medical record is not extracted from the organisation for any purpose other than for direct patient care. You can opt-out at any time. Opting out will mean that no further extractions will be taken from your medical record.

For a Type 1 Opt-out, you need to contact the organisation by phone, email or post to let us know that you wish to opt-out. Further information available on the NHS website.

Option 2

The National Data Opt-out (NDO-O) allows data to be extracted by NHS England for its lawful purposes but it cannot share this information with anyone else for research and planning purposes. You can opt-out at any time.

NDO-O – you need to inform NHS England. Unfortunately, this cannot be done by this organisation for you. You can opt in or out at any time and complete this by any of the following methods:

• Online service – You will need to know your NHS number or your postcode as registered at this organisation via Make your choice about sharing data from your health records
• Telephone service – 0300 303 5678 (open between 9am to 5pm Monday to Friday)
• NHS App – For patients aged 13 and over, downloadable from the App Store or Google Play