Coronavirus (COVID-19) pandemic and your information The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the COVID-19 pandemic.
The ICO also recognise that 'Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.' The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic. Please note that this notice has now been revised and extended by a further notice from 29th July 2020 until 31st March 2021.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease. Additionally, the use of your information is now required to support NHS Test and Trace.
Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs. The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 31st March 2021 unless a further extension is required. Any further extension will be will be provided in writing and we will communicate the same to you.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind. If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.
For Patients Aged 13 and Over
Why we need your information and how it will be used by health staff for your healthcare
The health professionals who work with you to provide your care will keep records about the treatment and support you receive. Having this information available will help these professionals to work together and share vital information about your health and wellbeing needs.
Health and social care professionals will be able to use the information to assess your needs and work in partnership with you to decide the most suitable treatment or support. We also use your information to inform you of services, for example reminding you of an appointment. We do not use your information for marketing purposes.
Who will be controlling your information?
The Practice (we) will be controlling your data and healthcare information.
All of our partners are required to maintain the same standard as the Practice when processing your information.
Each of our partners has a legal duty to protect your personal information and act as data controller. We take your confidentiality very seriously. We are committed to make sure all personal and identifiable information is managed in accordance with the relevant legalisation to ensure your information is safe, secure and confidential.
The data we are sharing
It is important that the Practice has up to date and accurate information about you to make sure you receive the best quality care possible.
Your care record with the Practice contains key information such as:
- Personal details – for example your name, address, date of birth and next of kin (such as your parents or guardian(s))
- Names of the health and care professionals looking after you
- Any medications you are taking
- Any allergies you have
- Any health concerns about you
- Your previous referrals to various services
- Dates and reasons for any occasions where you have been admitted to hospital
- Appointments and emergency department attendances
- Care plans and care packages
- Emergency contact details
- Personal data from other sources associated with your care
Please be aware that our records may contain information about your parent(s) or guardian(s), if they are named as your next of kin.
What is the lawful basis for sharing your information?
In order for the Practice to process your information, we need what we call a 'lawful basis' to do so. There are a number of lawful bases that the Practice uses to process your data, depending on the information we need to collect.
In the majority of cases, the lawful basis will be for your care. Other bases may be a legal requirement, public task, or a mandatory obligation on the practice for the protection of individuals. We may also use consent.
How will your information be used and accessed?
Personal information contained in your health records will only be used with a lawful basis.
Only authorised individuals are allowed to access personal information.
The information within your health record is used to provide you with the most suitable care and support that you need. The information in your health record helps professionals make better decisions about your care in conjunction with you and ensure it is safe and effective.
How long do we keep your information?
Records are retained according to NHS guidance and any statutory or legal requirements for prescribed time spans.
Who will see and share your information?
The Practice releases your information to other authorised parties that it has a legal duty to share it with, those who you may have given consent to, those who need to know to continue your care and those who have a lawful basis.
Your information will only be shared with authorised parties who are providing you with direct care, or third parties authorised by the Practice (who do not have a lawful basis), only if you have first given your consent.
Where disclosure is necessary to safeguard you, or others, or is in the public interest
Where there is a legal duty to do so, for example a court order or prevention of crime.
Your data might be shared in exceptional circumstances with countries other than the UK, where it is required for continuation of care.
Your rights as a 'Data Subject'
Under the General Data Protection Regulation, you have certain rights:
These rights are:
Right to be informed – the Trust will inform you about the information we hold
- Access to the information the Trust holds about you
- Access to have the information corrected if it is incorrect (rectification)
- Right to be forgotten (erasure) – to have all your information removed
- Right to restrict processing
- Data portability
- Right to object to processing or remove consent
- Rights in relation to automated processing
Some of these rights are dependent on the circumstances around which the information is held.
If at any point you believe the information we hold or process is incorrect, please contact the Data Protection Officer by emailing the details below.
If you wish to raise a concern or a complaint you can do so by contacting the care professional providing your care or treatment, or the organisation's Data Protection Officer.
If you are not satisfied with the response you receive or believe we are processing your personal data not in accordance with the law, you can make a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/
If you have a question regarding you or your data, please contact:
Daljeet Sharry-Khan – Data Protection Officer