From 25 May 2018, new data protection regulations come into force, called the EU General Data Protection Regulations (or GDPR for short). Below is a brief overview of how the new regulations affect the information we hold.
The Pulteney Practice is the data controller for your personal data relating to your NHS health record, including information you have provided and that we have obtained from other sources (for example hospitals and insurance companies). This means we are responsible for the information we collect about you in relation to your health record, and that we only collect information which is necessary, we store it safely and securely, and do not hold it for longer than is necessary .
Your personal data has historically been used to process details in connection with your health and will continue to be used for the ongoing administration of your health needs.
We do not sell your personal data. We may occasionally share some of it with other organisations such as Virgin Care Limited (physio, health visitors, and district nurses etc), Dorothy House, local hospitals and surgeries, who may operate both in and out of the European Economic Area (EEA). This may mean that your personal information may be accessed from these locations but will be protected by European data protection standard.
The GDPR gives you some rights relating to your personal data;
- Right to be informed – about the collection and use of your data.
- Right to erasure – the right to request that we delete your data.
- Right of access and data portability – the right to ask for a copy of the data we hold about you.
- Right to rectification – the right to have any data errors corrected.
- Right to restrict processing – the right to ask that data processing is restricted.
- Right to object – the right to object to certain types of processing
The GDPR says that firms can only use personal data where there is a fair reason to do so. Some of the acceptable reasons it states are when;
- The processing is necessary to do with your record, or
- We have a legal duty to process the data, or
- We have a legitimate interest in processing the data, or
- We have your specific consent.
If you have previously asked us not to send you marketing information, we will of course continue to honour your wishes, We will, however still send you information when we are obliged to, such as invitations for health screening, information regarding your referral etc.
What is the lawful basis for Pulteney Practice to process my data?
There are six available lawful bases for processing. The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery, and in support of direct care elsewhere, is supported under the following Article 6 and 9 conditions of the GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”
How will Pulteney Practice use my data?
- We will handle all medical records according to the laws on data protection and confidentiality.
- We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need to know basis and event by event.
- Some of your data is automatically copied to the Shared Care Summary Record
- We may share some of your data with local out of hours, urgent or emergency care services
- Data about you is used to manage national screening campaigns such as Flu, Cervical cytology and Diabetes prevention.
- Data about you, usually anonymised, is used to manage the NHS and make payments.
- We share information when the law requires us to do, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people.
- Your data is used to check the quality of care provided by the NHS.
- We may sometimes share medical records, usually anonymised, for medical research.
How long will my data be kept for?
Data will be retained in accordance with the Records Management Code of Practice for Health and Social Care 2016 which sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement. For example:
GP patient records
10 years after the death of the patient
Adult Health & Social care records
Until 25th birthday
Mental Health records
20 years (or 8 years after the patient’s death)
Maternity (ante-natal & post-natal)
30 years after diagnosis (or 8 years after the patient’s death)
8 years (or 10 years if an implant or device has been fitted)
The full list of retention periods for all data is available on request from the Practice Manager.
What if I am unhappy with how Pulteney Practice handles my data?
You can complain by following the Practice’s complaints procedure. Details of how to raise a complaint with the Practice are contained in our complaints leaflet, available from the surgery or on our website at: www.pulteney.co.uk
The Data Protection Officer (DPO) for The Pulteney Practice is Dr Laurence Heywood and he is based at Banes Enhanced Medical Services + (BEMS+) Tel: 01225 560805 or firstname.lastname@example.org
If you are still not happy once we have responded to your complaint, you can raise your concern with the Information Commissioners Office (ICO) at:
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Both your paper and computer records are confidential. We comply with the Data Protection Act 1998 which lays down legal requirements for computer users such as ourselves.
We only ever use or pass on information about you if people have a genuine need for it e.g. in making clinical referrals. Anyone who receives information from us is also under a legal duty to keep it confidential.
Sometimes the law requires us to pass on information e.g. to notify a birth or when we encounter infectious diseases that may endanger the safety of others. Data may be gathered for audit purposes and in development of medical care or other NHS services.
Everyone working for the NHS has a legal duty to keep information about you confidential. The Caldicott Guardian (the person responsible for the confidentiality of medical information) for the practice is Mr Chris Clapp.
The practice complies with the Freedom of Information Act 2000. You have a right of access to your health records.
Rights and Responsibilities
The practice is dedicated to achieving and maintaining a quality health service to meet the needs of our patients. We aim to see all patients who wish to see a healthcare professional within 48 hours. We provide all our services in a courteous manner.
You can help us by:
Providing us with any change of address, telephone number or name so that our records are kept up to date.
Arriving promptly for your appointment.
Treating our staff politely. We know you are often unwell when you visit us and we do our best to help you.
Cancelling any appointment you do not need so that someone else can take your place (if you do not attend and do not cancel we may consider removing you from our list).
Ordering your repeat prescriptions in plenty of time.
Switching off mobile phones whilst on the practice premises.
Removal of Patient From Practice List
We would remove patients from our list in the following circumstances:
Living outside of the practice area.
Irretrievable breakdown of the doctor-patient relationship.
Violence or threatening behaviour to any practice staff.
Rudeness to any practice staff.
Persistent non attendance without cancelling booked appointments.
We will not remove patients from our list because of:
We have a zero tolerance policy of violence against all practice staff. We will immediately remove any patient from our list for violence or abuse against any practice partner or employee.