We have used a computer for every consultation since 1987 and for many years have relied only on the computer and not paper for recording your medical information. We do retain your old paper records for historical reference.
Your computer record and confidentiality
We are registered under the Data Protection Act 2018 and are GDPR compliant. Your medical records are held on EMIS Web, probably the most widely used GP system, which is hosted on the secure HSCN network provided solely for the NHS and Social Care and protected to the highest standards. All incoming paper correspondence is scanned into your record and the original shredded. Increasingly, much is received electronically directly into your record, particularly all pathology test results, hospital discharge summaries, outpatient letters and out of hours contact information. We are also linked electronically to NHS England for administrative purposes. GP practices are also connected to the National Data Spine, where your registration details are held and where parts of your record are uploaded to form a Summary Care Record (unless you opted out) - see below.
We are 'data controllers' and it is our responsibility to protect your data to the highest standards, and we have complex legislation and guidance to follow. If your data is passed on to other organisations acting as 'data processors' we must ensure they will handle your data to the same standards.
Nobody outside the practice has access to any of your identifiable data without your consent and within the practice all our staff are trained to respect the rules of confidentiality. Nobody has the right to view your record except on a 'need to know' basis, for instance if inputting data or answering a query from the patient. Any breach of our strict data rules would result in dismissal and possibly further action. Any computer engineers or outside health professionals requiring access to the records sign a security agreement before they are allowed access.
Everyone looking at your record, whether on paper or computer, must keep the information confidential. We will aim to share only as much information as people need to know to play their part in your healthcare. When we provide health care, we will share your record with the people providing and supporting your care or checking its quality (unless you have asked that we limit how we share your record).
We will not share health information that identifies you for any reason, other than providing your direct care, unless:
• You ask us to do so;
• We ask and you give us specific permission;
• We have to do so by law;
• We have special permission for health or research purposes;
• We have special permission because the public good is thought to be of greater importance than your confidentiality.
Dr Selwyn acts as the GP responsible for ensuring data security and probity at this practice (Caldicott Lead) and Ms Amanda Ure, the Practice Manager, is Senior Information Risk Owner (SIRO), ensuring all our systems and procedures are data-safe.
Your personal data and the NHS
There are, broadly, two main categories of data: data which is identifiable as being connected with you and data which is anonymous and cannot be connected with any individual. Identifiable data may be linked to you by unique items such as date of birth or NHS number, or by a number of different less specific items which, when used together, could point to you as an individual, such as a rare diagnosis and a postcode. Anonymous data cannot be traced in any way. There is a third category, pseudonymised data, where a person with authorisation holds a 'key' to unlock the data; without that key it would be anonymous and unable to be linked back to anyone.
Your confidential identifiable personal information is used in two different ways in the NHS:
• Your individual care
Health and care professionals may use your confidential patient information to help with your treatment and care. For example, when you visit your GP, they may access your records for important information about your health and if you need a referral to another healthcare professional, sufficient personal information will need to be passed on to ensure good care.
• Research and planning
Confidential patient information is also used to plan and improve health and care services or for research to develop treatments for serious illnesses. Usually this is presented as anonymous data but if it needs to be identifiable we will need your permission. There are one or two special exceptions to this set out in law, for instance if information is required by a statutory authority for the public good, maybe during an epidemic.
If you don’t want your confidential patient information to be used for research and planning, you can opt out of this (see below). Your confidential patient information will still be used to support your individual care. Any choice you set using this service will not change this.
Click here for full details on health records in the NHS.
We provide data in an anonymised form to the Clinical Practice Research Database, part of the Medicines & Healthcare products Regulatory Agency (MHRA) at the Department of Health. The CPRD is a highly respected and ethically approved organisation that has provided data for a great many important published medical studies in this and other countries over the past few years - you may well have heard some of the results in the national press. None of this data can be identified in any way with any individual and we have strict controls to check this.
Similarly we provide non-identifiable data to QResearch, a medical research organisation now based at the University of Oxford, which has produced invaluable research about risk and provided many useful clinical risk assessment tools for GPs based on the evidence analysed from 30 million patients' records in general practice.
Your care may have been improved through knowledge obtained from these two bodies.
Access to Medical Records (Subject Access Requests)
We receive many requests for releasing specific parts or all of your medical records or preparing reports for insurance companies, solicitors or other outside agencies. We can only ever release such information with your written consent and we have strict procedures. You may be asked to sign additional practice consent if we are unsure about whether you have been fully informed before giving your consent.
You - or a nominated representative - have the right to view or receive copies of your medical records, in most cases without a fee (though if the request is excessive we may inform you of a charge). This is called a Subject Access Request (SAR). Though we have up to one month to provide the information, we try to do it more quickly, normally within 21 days. You may request this verbally, though we prefer requests in writing or by email. We have a request form which, though not a requirement, helps us to understand what information you are looking for. Often it does not require the time-consuming copying and printing of all of your records. We may agree with you to provide the record by secure email, on a CD or other media. Don't forget you may view your more recent medical records online using Patient Access.
A full version is available here for viewing and printing.
We also have a basic version written for younger people (which is also easier to understand for everyone!).
How we use your information
A Privacy Notice explains why the GP Practice collects information about you, what is collected and how that information may be used.
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice may hold about you may include the following information:
• Details about you, such as address, contact details and next of kin
• Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, phone calls, correspondence by any media etc.
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations, such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the surgery will always endeavour to gain your consent before releasing the information (unless it is anonymised).
Patient Segmentation and Risk stratification tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by the Brent CCG as the data processor and is only provided back to your GP or a member of your care team as data controller in an identifiable form. Patient Segmentation and Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services.
Please note that you have the right to opt out.
Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager to discuss how the disclosure of your personal information can be limited.
Further information on Fair Processing of data within the NHS can be obtained here
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 2018 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;
• NHS Trusts (hospitals, clinics, community services)
• Specialist Trusts
• Independent Contractors such as dentists, opticians, pharmacists
• Private Sector Providers
• Voluntary Sector Providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• Local Authorities
• Education Services
• Fire and Rescue Services
• Other ‘data processors’
More on Third Party data processors
In addition to sharing data within the NHS, the practice will use carefully selected third party service providers as listed above. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately.
Some examples of functions that may be carried out by third parties include:
• Companies that provide IT services & support, including our core clinical systems (such as our EMIS clinical computer); systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
• Delivery services (for example if we were to arrange for delivery of any medicines to you).
• Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
Further details regarding specific third party processors can be supplied on request.
Access to personal information ('Subject Access Request')
You have a right under the Data Protection Act 2018 to access/view what information the surgery holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:
• give you a description of it;
• tell you why we are holding it;
• tell you who it could be disclosed to; and
• let you have a copy of the information in an intelligible form.
If you would like to make a ‘subject access request’ please ask a staff member. We have a request form to help decide what you need (though it is not a requirement).
If you would like further information about how we use your information, or if you do not want us to use your information in this way, please contact the Practice Manager.
Your right to withdraw consent
At any time you have the right to refuse/withdraw consent to information sharing - see below.
The possible consequences will be fully explained to you and could include delays in receiving care.
If you have any questions or concerns regarding the information we hold on you or the use of your information, please contact us at the practice.
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Phone: 08456 30 60 60 or 01625 54 57 45 Fax: 01625 524 510 Website: www.ico.gov.uk
National Summary Care Record
Everyone registered with a GP in England has a Summary Care Record - an electronic record uploaded to the secure National Data Spine which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had. Having this information stored in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed. Only those with the required security level can access your record and even then, only when it is absolutely necessary. Security and confidentiality are treated very seriously.
There is also the ability, with your expressed consent, to 'enrich' the Summary Care Record with additional information to contain significant medical history (past and present), reason for medication, anticipatory care information (such as information about the management of long term conditions), end of life care information (from the SCCI1580 national dataset) and immunisations. This might be especially useful for frail people who may need special care from many people, end of life care, patients with long term conditions, those with special needs, people with dementia and so on.
Under NHS protocols, you have consented to upload your basic Summary Care Record, but you can withdraw your consent at any time by letting us know in person or in writing. At registration all new patients are given that option. See below.
NHS Data Opt-out
The NHS Opt-out programme explains that unless you have chosen to opt out, your confidential patient information can be used for research and planning. This online service allows you to make or change your decision at any time. You can also download a form to manage a choice on behalf of another individual by proxy, for example if you are a parent or guardian of a child under the age of 13.
If you choose to opt out, your data may still be used during some specific situations, for example, during an epidemic where there might be a risk to other people’s health. Other situations are detailed here.
You can manage your options online.