Privacy Notice

We are a Primary Care General Practice providing a wide range of services including:

  • Patient consultations – GPs and Practice nurses
  • Chronic disease management
  • Minor surgery
  • Phlebotomy
  • Anticoagulant clinics
  • Dispensing
  • Family planning including antenatal
  • Research
  • Counselling

We have approximately 12,200 patients registered. We have 6 Partners and employ 40 staff across 3 sites: Brockham, North Holmwood and Newdigate.

Your Information, What you Need to Know

This privacy notice explains why we collect information about you, how that information may be used and how we keep it safe and confidential.

  • What information are we collecting?
  • Who collects the data?
  • How is it collected?
  • Why do we collect it?
  • How will we use the data?
  • Who will we share it with?
  • What is the effect on the individuals?

Why we Collect Information

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare. We collect and hold data for the sole purpose of providing healthcare services to our patients.

In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services.

We keep your information in written form and/or in electronic form. The records may include basic details about you and they may also contain more sensitive information about your health.

Details we Collect About You

The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g., NHS Trusts, GP Surgeries, Walk-in Clinics, etc). We keep data on you which will be used to support delivery of appropriate care and treatment and this may include:

  • Details such as your name, address, date of birth, next of kin
  • Any contact the surgery has had with you such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations, such as blood tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you.

Sensitive data relates to genetic data, sexual orientation, race, your religion or beliefs, whether you have a disability, allergies and health records.

Information is collected via you, healthcare professionals and hospital correspondence.

How we Keep your Information Confidential and Safe

Everyone working for the NHS is subject to the Common Law Duty of Confidence and the Data Protection Act 2018. Information provided in confidence will only be used for the purposes to which you consent, unless there are other circumstances covered by the law.

The NHS Digital Code of Practice on Confidential Information applies to all our staff and they are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared.

All our staff undertake annual mandatory training in data protection, confidentiality and information governance. All our staff are expected to make sure information is kept confidential and safe and they are aware of their personal responsibility. Our doctors, nurses and other healthcare professionals are registered, regulated and governed by professional bodies.

NHS health records may be electronic, on paper or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure. Information we hold is kept in secure locations and is protected by appropriate security, and access is restricted to authorised personnel. Records are backed up securely in line with NHS procedures.

We may be asked to share basic information about you, such as your name and parts of your address, which does not include sensitive information from your health records. We ensure external data processors are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

For example, healthcare services, public health or national audits. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • Human Rights Act 1998
  • Access to Health Records Act 1990
  • Computer Misuse Act 1990
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2015
  • Records Management Code of Practice Health & Social Care 2016
  • Information Security Management NHS Code of Practice

Non-NHS organisations may include but are not restricted to: social services, education services, local authorities, the police, voluntary sector providers and private sector providers.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your consent unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

How we use Your Information

Under the powers of the Health and Social Care Act 2015, NHS Digital can request personal confidential data from GP Practices without seeking patient consent. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

You can object to your personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

Occasionally your information may be requested to be used for research purposes. We will always gain your consent before releasing any information for this purpose.

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to:

  • Improve individual care, diagnosis and safety
  • Help protect the health of the general public
  • Understand more about disease risks and causes
  • Develop new treatments and preventions
  • Plan services and to help us manage the NHS
  • Train healthcare professionals
  • Help with research and audits
  • Provide data on performance

We will never share your information outside of health partner organisations without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it or to carry out a statutory function. We will assume you are happy for your information to be shared unless you choose to opt-out (see below).

This means you will need to express an explicit wish not to have your information shared with the other NHS organisations; otherwise it will be automatically shared. We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued. Our guiding principle is that we are holding your records in strictest confidence.

NHS Digital – Pandemic Planning and Research (COVID-19)

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.

Our Legal Basis for Sharing Data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The Type of Personal Data we are Sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with the Practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients.

It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital Will use and Share your Data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

Supporting Locally Commissioned Services

CCGs and Public Health Surrey County Council support GP practices by auditing pseudonymised data to monitor locally commissioned services, measure prevalence and support data quality. The data does not include identifiable information and is used to support patient care and ensure providers are correctly paid for the services they provide.

Your Right to Object or Withdraw Consent for us to Share your Information (opt-out)

We mainly use, store and share your information because we are permitted to in order to deliver your healthcare, but you do have a right to object to us doing this.

Where we are using, storing and sharing your information based on explicit consent, you have a right to withdraw your consent to personal data being used at any time.

National Data Opt Out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘National Data Opt-Out’. For further information about Opt-Out, please contact NHS Digital Contact Centre at enquiries@hscic.gov.uk referencing ‘National Data Opt-Out – Data Requests’ in the subject line; or call NHS Digital on 0300 303 5678; or visit the website www.nhs.uk/your-nhs-data-matters. If you wish to discuss or change your opt-out preferences at any time, please contact the Practice.

NHS Digital is developing a new system to give you more control over how your identifiable information is used. We will tell you more once details are released.

Your Right to Correction

If information about you is incorrect you are entitled to request that we correct it. There may be occasions where we are required by law to maintain the original information.

Who will the Information be Shared with?

We may need to share information about you with others, subject to strict agreements on how it will be used. These are the type of organisations we may share your information with:

  • NHS Trusts/Specialist Trusts
  • Private Healthcare Organisations
  • Independent Contractors such as dentists, opticians, pharmacists
  • Primary Care Networks
  • Voluntary Sector Providers
  • Clinical Commissioning Groups
  • Social Care Services
  • Local Authorities
  • Ambulance Trusts
  • Education Services
  • Fire and Rescue Services
  • Police
  • Other ‘Data Processors’

Clinical Audits

Information may be used for clinical audit to monitor the quality of the service provided. Some of this information may be held centrally and used for statistical purposes. Where we do this we take strict measures to ensure that individual patients cannot be identified e.g. the National Diabetes Audit.

Clinical Research

Occasionally your information may be requested to be used for research purposes. The surgery will always gain your consent before releasing any information for this purpose.

Software

We may use other software within the practice as part of our data processing but data is not shared with anyone else and is not stored outside of the practice.

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Population Health Management

The GP Practice and the Surrey Heartlands Partnership work with partners to link local data together to make better decisions on the care of our patients. What this means is that data that is held in GPs, Hospitals and community care can be linked to see what the needs of the local population are. This will help partners improve care for groups of people in the community. This is called a Population Health approach. Whilst the data will be linked, those partners will not be able to identify individuals as any identifiable data will be removed. If there is a need to identify individuals then this can only be done by the GP or other organisation that holds that data.

Surrey Care Record

The Surrey Care Record is an Electronic Health Record (EHR) linking system that brings together patient/client’s information across health and care systems in a secure manner, giving a summary of your information which is held within a number of local records. For more information see: https://www.surreyheartlands.uk/surrey-care-record-privacy-notice

You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.

Safeguarding

To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Summary Care Record (SCR)

NHS England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information (SCR-AI) can also include reason for medication, vaccinations, significant diagnoses/problems, significant procedures, anticipatory care information and end of life care information.

Additional information can only be added to your SCR with your agreement.

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency.

Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please contact the Practice.

Summary Care Record Update During COVID Pandemic

Based on the legal Notice issued on 20th March 2020 under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002, requiring confidential patient information to be shared in the circumstances set out in the Notice, changes will be made to the Summary Care Record. These changes will remain in force during the COVID-19 emergency period as set out in the Notice (unless extended or reduced), at which point systems will return to their current state unless alternative arrangements have been put in place before then.

Our clinical system provider will enable Summary Care Record Additional Information (SCR-AI) changes to be made to share confidential information in response to COVID-19 with other healthcare professionals. Safeguards required to keep information safe have not been compromised. NHS access to the SCR and to medical records is traceable and auditable. Only those staff who require access to do their jobs can view this information, and it remains the case that all staff should always seek permission to view an SCR from the patient before doing so. Further information is available: Supplementary Privacy Notice for Summary Care Records.

Supporting Medicines Management

CCGs support local GP practices with prescribing queries which generally do not require identifiable information. CCG pharmacists work with the Practice to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is safe and cost-effective.

Risk Stratification

Risk Stratification is a process for identifying and managing patients who are most likely to need hospital or other healthcare services.

Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness, i.e. diabetes, heart disease, risk of falling. Information about you is collected from a number of sources including NHS Trusts who link our records to other records that they access such as hospital attendance records. This shared information enables other healthcare workers to provide the most appropriate advice, investigations and treatments.

Access to your Information

Under the new General Data Protection Regulation (GDPR) 2018 you have the right to see, or have a copy of, data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data.

Every patient can have access to their medication records on-line but if you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld. If you wish to have a copy of the information we hold about you, please contact the Practice.

Data Protection Officer

If you wish to discuss or exercise any of your rights, please contact the Practice directly in the first instance: Liz Spreadbury, Practice Manager.

Email: lizspreadbury@nhs.net
Tel: 01737 843259
Address: Brockwood Medical Practice, Tanners Meadow, Brockham, Betchworth, Surrey, RH3 7NJ.

Alternatively, the Practice’s Data Protection Officer can be contacted directly.

Every practice is required to have a Data Protection Officer, responsible for overseeing data privacy compliance and managing data protection. Our Data Protection Officer is:

Adam Spinks, Surrey Heartlands Primary Care Data Protection Officer Service

Tel: 0203 887 6923
Email: ajspinksltd.surreyheartlandsdpo@nhs.net

Change of Details

It is important that you tell the Practice if any of your details such as your name or address have changed or if any of your details are incorrect in order for this to be amended. Please inform us of any changes so our records for you are accurate and up to date.

Mobile Numbers & Email Addresses

If you provide us with your mobile phone number/email address, we may use this to send you reminders about your appointments, other health screening information or to make an appointment for a review. Please let us know if you do not wish to receive reminders on your mobile and/or email address.

Further Information

Brockwood Medical Practice is registered with the Information Commissioner's Office (ICO). Other privacy notices are available. These are listed below.

  • Public Health
  • Care Quality Commission
  • Emergencies
  • National Screening Programmes
  • Direct Care
  • Payments
  • Safeguarding
  • Summary Care Record
  • NHS Digital
  • Surrey Heartlands Population Health Management