Medical Records, Confidentiality

We have used a computer for every consultation since 1987 and for many years have relied only on the computer and not paper for recording your medical information. We do retain your old paper records for historical reference.
Your computer record

We are registered under the Data Protection Act 2018 and are GDPR compliant.

Systems and services used:

  • Your medical records are held in EMIS Web, probably the most widely used GP system, which is hosted on the secure HSCN network provided solely for the NHS and Social Care and protected to the highest standards.
  • All incoming paper correspondence is scanned into your record and the original shredded. Increasingly information is received electronically directly into your record, particularly all pathology test results, hospital discharge summaries, outpatient letters, out of hours contact and emergency care information, mental health and some social care information. It is processed and stored on Docman 10, a secure cloud based document management system.
  • We are linked electronically to NHS England for administrative and payment purposes.
  • GP practices are also connected to the National Data Spine where your registration details are held and the parts of your record uploaded to form a Summary Care Record (unless you opted out) - see below.
  • We send electronic referrals using eRS, the Electronic Referral System, via the National Data Spine.
  • We use third party systems linked through the secure HSCN network for SMS messages (AccuRx, MJOG), online consultations (Patchs), Urgent Care Plans (mainly for End of Life care and for frail patients), and patient care advice & guidance from hospital specialists and referrals (NEC Rego).
  • We use an email service which is securely transmitted through the HSCN network and is safe for patient identifiable information.
We are 'data controllers' and it is our responsibility to protect your data to the highest standards and we have complex legislation and guidance to follow. If your data is passed on to other organisations acting as 'data processors' we must ensure they will handle your data to the same standards.


Nobody outside the practice has access to any of your identifiable data without your consent and within the practice all our staff are trained to respect the rules of confidentiality. Nobody has the right to view your record except on a 'need to know' basis, for instance if inputting data or answering a query from the patient. Any breach of our strict data rules would result in dismissal and possibly further action. Any computer engineers or outside health professionals requiring access to the records sign a security agreement before they are allowed access.

In summary:
  • Everyone looking at your record, whether on paper or computer, must keep the information confidential.
  • We will aim to share only as much information as people need to know to play their part in your healthcare.
  • When we provide health care, we will share the appropriate amount of your record with the people providing and supporting your care or checking its quality (unless you have asked that we limit how we share your record).
We will not share health information that identifies you for any reason, other than providing your direct care, unless:
  • You ask us to do so;
  • We ask and you give us specific permission;
  • We have to do so by law;
  • We have special permission for health or research purposes; or
  • We have special permission because the public good is thought to be of greater importance than your confidentiality.
Special Cases in Law
The law can require us to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:
  • plan and manage services;
  • check that the care being provided is safe;
  • prevent infectious diseases from spreading.
We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so.
Dr Selwyn acts as the GP responsible for ensuring data security and probity at this practice (Caldicott Lead), and Ms Amanda Ure, the Practice Manager, is Senior Information Risk Owner (SIRO), ensuring all our systems and procedures are data-safe.

Your personal data and the NHS

There are, broadly, two main categories of data: data which is identifiable as being connected with you and data which is anonymous and cannot be connected with any individual.

Identifiable data may be linked to you by unique items such as date of birth or NHS number or by a number of different less specific items which, when used together, could point to you as an individual; such as a rare diagnosis and a postcode. Anonymous data cannot be traced in any way.

There is a third category, pseudonymised data, where a person with authorisation holds a 'key' to unlock the data; without that key it would be anonymous and unable to be linked back to anyone.

Your confidential identifiable personal information is used in two different ways in the NHS:
• Your individual care
Health and care professionals may use your confidential patient information to help with your treatment and care. For example, when you visit your GP, they may access your records for important information about your health and if you need a referral to another healthcare professional, sufficient personal information will need to be passed on to ensure good care.
• Research and planning
Confidential patient information is also used to plan and improve health and care services or for research to develop treatments for serious illnesses. Usually this is presented as anonymous data but if it needs to be identifiable we will need your permission. There are one or two special exceptions to this set out in law, for instance if information is required by a statutory authority for the public good, maybe during an epidemic.

Opting out:
If you don’t want your confidential patient information to be used for research and planning, you can opt out of this (see below). Your confidential patient information will still be used to support your individual care. Any choice you set using this service will not change this right.

Click here for full details on health records in the NHS.

Research Data

We provide data in an anonymised form to the Clinical Practice Research Database (CPRD), part of the Medicines & Healthcare products Regulatory Agency (MHRA) at the Department of Health. The CPRD is a highly respected and ethically approved organisation that has provided data for a great many important published medical studies in this and other countries over the past few years - you may well have heard some of the results in the national press. None of this data can be identified in any way with any individual and we have strict controls to check this.

Similarly we provide non-identifiable data to QResearch, a medical research organisation based at the University of Oxford, which has produced invaluable research about risk and provided many useful clinical risk assessment tools for GPs based on the evidence analysed from 30 million patients' records in general practice.

We provide similar data to the Royal College of GPs Research & Surveillance Centre (operating since 1957) run in conjunction with Oxford University Clinical Information Digital Hub (ORCHID). This takes regular pseudonymised feeds of patient data to enable rapid surveillance of infections such as influenza and Covid-19 to help Public Health England monitor these rapidly changing conditions and to engage especially in quick and agile clinical trials (such as the emerging treatments and vaccines for Covid-19). You may also be invited to take part in research projects.

Your care may well have been improved through knowledge obtained from these three bodies and they are of international importance.

Medical images and videos

We may need to take photos of bits of you, for your direct medical care, for instance skin lesions, rashes or other parts. This may be to aid the diagnostic process so we can keep a record of a condition progressing or to assess treatment. We may also need to share the images with a colleague dealing with your care, for instance if we refer you.

You may also be asked to send your own pictures taken on your smartphone when we are conducting a remote consultation by Patchs.

All images are dealt with securely through NHS approved systems and processes and are saved in your medical record unless you specify otherwise. We ask your consent before taking a picture and Patchs records your agreement to loading images to us (with a warning to omit sensitive personal areas unless asked specially).

You may occasionally be asked if your consultation with a trainee doctor can be video'd. These videos form a vital part of the training of future GPs. A signed consent is needed for these and you will be given more information.

If you do not want photos or videos to be taken or saved in your record, it will not affect your medical care in any way.

We have a policy dealing with clinical images.

Access to Medical Records (Subject Access Requests)

We receive many requests for releasing specific parts or all of your medical records or preparing reports for insurance companies, solicitors or other outside agencies. We can only ever release such information with your written consent and we have strict procedures. You may be asked to sign additional practice consent if we are unsure about whether you have been fully informed before giving your consent.

You - or a nominated representative - have the right to view or receive copies of your medical records, in most cases without a fee (though if the request is excessive we may inform you of a charge). This is called a Subject Access Request (SAR). Though we have up to one month to provide the information, we try to do it more quickly, normally within 21 days.

You may request this verbally though we prefer in writing or by email. We have a request form which is not a requirement but helps us to understand what information you are looking for. Often it does not require the time-consuming copying and printing of all of your records (which can be hundreds of sheets of paper stretching back decades). To save trees, we may agree with you to provide the record by secure email, on a CD or other media.

Don't forget you may view your more recent medical records online using Patient Access and this is a convenient way of accessing your information instantly.

Privacy Notice

A Privacy Notice explains why the GP Practice collects information about you, what is collected and how that information may be used.

A full version (13 pages) of this Privacy Notice updated Oct 2020 is available here.
We also have a more basic version written for younger people (which is also easier to understand for everyone!).

Why we hold information about you:
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). We also keep a running commentary on current problems, creating a contemporaneous record to enable any professional involved in your care to understand what is happening and help to give you the best joined up care, avoiding risks, duplication and omissions. It also allows a record of your concerns and expectations. It allows the clinical decision making systems we have to optimise your care. In all it helps to provide you with the tools to deliver the best possible healthcare.

What we hold:
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice may hold about you may include the following information:
  • Details about you, such as address, contact details and next of kin
  • Any contact the surgery has had with you, such as appointments, real or virtual by any means, clinic visits, emergency appointments, phone calls, SMS messages, correspondence by any media etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations, such as laboratory tests, x-rays, etc.
  • Relevant information from other health or social care professionals or organisations involved in your care, relatives or those who care for you
How the information may be used:
  • To ensure you receive the best possible care, your records are used to facilitate the care you receive. It is vital that someone else providing treatment or care has enough information to be able to do this safely and effectively.
  • Information held about you may be used to help protect the health of the public and to help us manage the NHS.
  • Information may be used for clinical audit to monitor the quality of the service provided.
  • Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
  • Sometimes your information may be requested to be used for vital medical research purposes to help develop new treatments or for improving our understanding of health and diseases – the surgery will always endeavour to gain your consent before releasing the information (unless it is anonymised).
  • Patient Segmentation and Risk stratification tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned admission or readmission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then calculated through an analysis of your de-identified information using software managed by the NW London CCG as the data processor and is provided in identifiable form ONLY to your GP or member of your care team. Patient Segmentation and Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to opt out.
  • Safeguarding duties may require us to share sensitive information to protect adults and children, subject to strict legal and ethical frameworks.
  • Should you participate in any group consultations you will be asked not to disclose any information that you do not wish to and at the start will be asked for your permission to disclose personal information pertinent to the group discussion which may include your test results or other relevant aspects of your medical history or personal experiences which will help others in the group.
You may participate in online patient meetings, webinars or Q&A sessions, in which case it will be stated at the start whether the meeting will be recorded. If you do not wish to have your name or image shared, please switch off your camera and remove or disguise your name so others will not see it. Meetings may be joined by any of our patients and may be recorded for later access on our website or via Facebook so other patients may benefit from the information. You will be reminded not to discuss any personal medical details or any other information of a confidential nature.

Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager to discuss how the disclosure of your personal information can be limited.

Further information on fair processing of data within the whole NHS can be obtained in the NHS Privacy Notice here.

How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the GDPR, Data Protection Act 2018 (both overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

Which are our partner organisations?

We may share relevant information about you, subject to strict agreements on how it will be used and the context, with the following organisations:
  • NHS Trusts (hospitals, clinics, community services, hospices)
  • Specialist Trusts
  • NHS 111
  • Independent Contractors such as dentists, opticians, pharmacists
  • National Screening Programmes (eg breast, cervical, bowel cancer)
  • Private Sector Providers
  • Charities such as RM Partners (West London Cancer Alliance)
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Public Health
  • Social Care Services
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police
  • Care Quality Commission (CQC)
  • Health Services Ombudsman
  • NHS Digital
  • Other ‘data processors’
  • Healthtech-1 (semi-automated registrations for the practice) Patient privacy statement
More on Third Party data processors:
In addition to sharing data within the NHS, the practice will use carefully selected third party service providers as listed above. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately.

Some examples of functions that may be carried out by third parties include:
  • Companies that provide IT services & support, including our core clinical systems (such as our EMIS clinical computer), communication (eg SMS, electronic consultation and video consultation systems), systems which manage patient facing services (such as our website and services accessible through the same or apps.); data hosting service providers; systems which facilitate appointment bookings, referrals or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
Further details regarding specific third party processors can be supplied on request.

Local information sharing arrangements
In order to provide you with health and social care services your GP practice works in close collaboration with several other practices locally in Harness North Primary Care Network (PCN). (These include The Surgery, Pearl Medical, Wembley Park Drive Medical Centre, SMS Medical Practice, Lanfrac Medical Centre, Sunflower Practice, Church Lane Surgery, Preston Road Surgery, Sudbury & Alperton Surgery). This PCN is part of Harness Federation which provides certain services.

Staff working within the PCN are trained to understand their legal and professional responsibilities of confidence to their patients and will only access your records when they are required to do so to support your care. They will identify themselves and their role using their NHS smart card and access to your PCN record is logged, monitored, and audited.

In all cases, your information is only accessed and used by authorised staff who are involved in providing or supporting your direct care. Your permission will be asked before the information is accessed, other than in exceptional circumstances (e.g. emergencies) if the healthcare professional is unable to ask you and this is deemed to be in your best interests (which will then be logged).

Access to personal information ('Subject Access Request'):
You have a right under the Data Protection Act 2018 to access / view the information the surgery holds about you and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:
  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.
If you would like to make a ‘Subject Access Request’ please ask a staff member. We have a request form to help decide what you need (though it is not a requirement) - it is usually not necessary to view or copy the whole of your medical record.

If you would like further information about how we use your information, or if you do not want us to use your information in this way, please contact the Practice Manager.

Your right to withdraw consent:
At any time you have the right to refuse / withdraw consent to information sharing - see below. The possible consequences will be fully explained to you and could include delays in receiving care.

If you have any questions or concerns regarding the information we hold on you or the use of your information, please contact the Practice Manager.

For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner (Tel: 08456 30 60 60 or 01625 54 57 45).

National Summary Care Record

Everyone registered with a GP in England has a Summary Care Record - an electronic record uploaded to the secure National Data Spine which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had as well as your name, address, DoB and NHS Number. Having this information stored in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed. Only those with the required security level can access your record and even then, only when it is absolutely necessary. Security and confidentiality is treated very seriously.

There is also the ability, with your expressed consent, to 'enrich' the Summary Care Record with additional information to contain significant medical history (past and present), reason for medication, anticipatory care information (such as information about the management of long term conditions), end of life care information (from the SCCI1580 national dataset) and immunisations. This might be especially useful for frail people who may need special care from many people, end of life care, patients with long term conditions, those with special needs, people with dementia and so on.

Under NHS protocols, you have consented to upload your basic Summary Care Record but you can withdraw your consent at any time by letting us know in person, by completing this form or at registration when we ask all new patients.

NHS Data Opt-Out

The NHS Opt-out programme explains that unless you have chosen to opt out, your confidential patient information can be used for research and planning.

This online service allows you to make or change your decision at any time. You can also download a form to manage a choice on behalf of another individual by proxy. For example, if you are a parent or guardian of a child under the age of 13.

If you choose to opt out, your data may still be used during some specific situations, for example, during an epidemic where there might be a risk to other people’s health.

Disclaimer: This website is to inform our patients of our services and provide general educational material concerning health. Any information, opinions, data or images are provided in good faith for the interest and benefit of our patients and not for any commercial gain. We are not offering professional advice concerning the particulars of any individual's health and cannot be responsible for the accuracy of the information presented or the content and reliability of information on linked external sites and request that you make your own judgements and use the information at your own risk. We cannot always keep all the information up to date, though we try our best. If you have any concerns about any of the content on this site, broken links etc please contact us.

© Willow Tree Family Doctors 2020