We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly. Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

As a registered patient, Southcote Clinic has a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records about your health and the treatment you receive in both electronic and paper format.

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection service.

DATA PROTECTION SERVICE CONTACT DETAILS:

The contact details for North West London Data Protection service : [email protected]

In addition to our Data Protection service, we also have a senior person within the practice who is responsible for protecting the confidentiality of our records and ensuring that any use of your data is fair and appropriate- this person is the Caldicott Guardian. The Caldicott Guardian for the practice is: Dr Asoka Wijayawickrama

The main things the law says we must tell you about what we do with your personal data are:

• We must let you know why we collect personal and healthcare information about you
• We must let you know how we use any personal and/or healthcare information we hold about you
• We need to inform you in respect of what we do with it
• We need to tell you about who we share it with or pass it on to and why
• We need to let you know how long we can keep it for

What is a privacy notice?

A privacy notice (or ‘fair processing notice’) explains the information we collect about our patients and how it is used. Being open and providing clear information to patients about how an organisation uses their personal data is an essential requirement of the new UK General Data Protection Regulations (UK GDPR).

Under the UK GDPR, we must process personal data in a fair and lawful manner. This applies to everything that is done with patient’s personal information. This means that the organisation must:

• Have lawful and appropriate reasons for the use or collection of personal data
• Not use the data in a way that may cause harm to the individuals (e.g., improper sharing of their information with third parties)
• Be open about how the data will be used and provide appropriate privacy notices when collecting personal data
• Handle personal data in line with the appropriate legislation and guidance
• Not use the collected data inappropriately or unlawfully

What is fair processing?

Personal data must be processed in a fair manner – the UK GDPR says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair processing means that the organisation has to be clear and open with people about how their information is used.

Southcote Clinic manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and the General Medical Council.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• UK General Data Protection Regulations 2016
• Data Protection Act 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality and Information Security
• Information: To Share or Not to Share Review

This means ensuring that your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way.

The Health and Social Care Act 2012 changed the way that personal confidential data is processed so it is important that our patients are aware of and understand these changes and that you have an opportunity to object and know how to do so.

The healthcare professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g., NHS Hospital Trust, GP surgery, walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Who is the data controller?

Southcote Clinic is registered as a data controller under the Data Protection Act 2018. Our registration number is Z7630105 and our registration can be viewed online in the public register at www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately when you are seen by us as a patient.

We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.

What type of information do we collect about you?

Information held by this organisation may include the following:

• Your contact details (such as your name, address and email address)
• Details and contact numbers of your next of kin
• Your age range, gender, ethnicity
• Details in relation to your medical history
• The reason for your visit to the organisation
• Any contact the organisation and/or your practice has had with you including appointments (emergency or scheduled), clinic visits, etc.
• Notes and reports about your health, details of diagnosis and consultations with our GPs and other health professionals within the healthcare environment involved in your direct healthcare
• Details about the treatment and care received
• Results of investigations such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you
• Recordings of telephone conversations between yourself and the organisation

Information collected about you from others

We collect and hold data for the purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:

• It is required by law
• You provide your consent – either implicitly for the sake of your own care or explicitly for other purposes
• It is justified to be in the public interest

To ensure you receive the best possible care, your records are used to enable the care you receive. Information held about you may be used to help protect the health of the public and to help us to manage the NHS.

Information may be used for clinical audit purposes to monitor the quality of services provided, may be held centrally and may be used for statistical purposes. Where we do this, we ensure that patient records cannot be identified. Sometimes your information may be requested to be used for clinical research purposes – the organisation will always endeavour to gain your consent before releasing the information.

Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care. You can choose to withdraw your consent to your data being used in this way. When the organisation is about to participate in any new data-sharing scheme, we will make patients aware by displaying prominent notices and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.

A patient can object to their personal information being shared with other healthcare providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

What is special category data?

The law states that personal information about your health falls into a special category of information because it is extremely sensitive. Reasons that may entitle us to use and process your information may be as follows:

The legal justification for collecting and using your information

The law says we need a legal basis to handle your personal and healthcare information.

Contract	We have a contract to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.
Consent	Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs. Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.
Necessary care	Providing you with the appropriate healthcare where necessary The law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.
Law	Sometimes the law obliges us to provide your information to an organisation

How do we use your information?

Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest.

In order to comply with its legal obligations, this organisation may have to send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, we may have to contribute to national clinical audits and will send the data that is required by NHS Digital as the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.

Who can we provide your personal information to and why?

Whenever you use a health or care service, such as attending the local hospital or using the district nursing service, clinical information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, researching to develop new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations.

However, as explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations because these organisations may require your information to assist them in the provision of your direct healthcare needs. It therefore may be important for them to be able to access your information in order to ensure they may deliver their services to you:

• Hospital professionals (such as doctors, consultants, nurses etc.)
• Other GPs/doctors
• Primary Care Networks
• NHS Trusts/Foundation Trusts/Specialist Trusts
• NHS Commissioning Support Units
• NHS England (NHSE) and NHS Digital (NHSD)
• Multi-agency Safeguarding Hub (MASH)
• Independent contractors such as dentists, opticians, pharmacists
• Any other person who is involved in providing services related to your general healthcare including mental health professionals
• Private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc.
• Voluntary sector providers
• Ambulance Trusts
• Integrated Care Systems
• Clinical Commissioning Groups
• Local authority
• Social care services
• Education services
• Other ‘data processors’, e.g., Diabetes UK

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.

Who may we provide your information to:

• For the purposes of complying with the law, e.g., the police

• Anyone you have given your consent to, to view or receive your record, or part of your record. If you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed

• Computer systems – we operate a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication. We will make information available to our partner organisations (above) unless you have declined data sharing to ensure you receive appropriate and safe care. Wherever possible, staff will ask your consent before your information is viewed.

• Extended access – we provide extended access services to our patients so that you can access medical services outside of our normal working hours. To provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group whereby certain key ‘hubs’ offer this service for you as a patient to access outside of our opening hours. This means those key ‘hubs’ will have to have access to your medical record to be able to offer you the service. Please note to ensure that those hubs comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only

• Data extraction by the North West London Integrated Care Board at times extracts medical information about you but the information we pass to them via our computer systems cannot identify you to them

Your rights as a patient

The law gives you certain rights to your personal and healthcare information that we hold as set out below:

Access and Subject Access Requests	You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the organisation holds about you and to have it amended should it be inaccurate. There is no charge to have a copy of the information held about you. However, we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive For information from a hospital or other Trust/NHS organisation you should write directly to them.
Correction	We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is especially important that you make sure you tell us if your contact details including your mobile phone number have changed
Removal	You have the right to ask for your information to be removed. However, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible
Objection	We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g., medical research, educational purposes etc.
Transfer	You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation but we will require your clear consent to be able to do this.

How long do we keep your personal information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.

More information on records retention can be found online at: NHSX – Records Management Code of Practice 2021.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a data processor as above. We have data protection processes in place to oversee the effective and secure processing of your personal and/or special category data.

Southcote Clinic uses a clinical system provided by a data processor called EMIS. With effect from 10 June 2019, EMIS started storing the organisation’s EMIS web data in a highly secure, third-party cloud hosted environment, namely Amazon Web Services (‘AWS’).

Maintaining your confidentiality and accessing your records

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulations (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of

authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for Southcote Clinic, an appropriate contract (Article 24-28) will be established for the processing of your information.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the organisation in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Sharing your information without consent

We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example:

• Where there is a serious risk of harm or abuse to you or other people
• Safeguarding matters and investigations
• Where a serious crime, such as assault, is being investigated or where it could be prevented
• Notification of new births
• Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
• Where a formal court order has been issued
• Where there is a legal requirement, for example if you had committed a road traffic offence.

Third party processors

To enable us to deliver the best possible services, we will share data (where required) with other NHS bodies such as hospitals. In addition, the organisation will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

• Companies that provide IT services and support, including our core clinical systems, systems that manage patient facing services (such as our website and service accessible through the same), data hosting service providers, systems that facilitate appointment bookings or electronic prescription services and document management services etc.
• Further details regarding specific third-party processors can be supplied on request to the data protection officer as below.

Third parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them that may breach their rights to confidentiality are removed before we send any information to any other party including yourself. Third parties can include spouses, partners and other family members.

Anonymised information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

Computer System

This organisation operates a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication.

To provide around the clock safe care, unless you have asked us not to, we will make information available to our partner organisations. Wherever possible, their staff will ask your consent before your information is viewed.

GP connect service

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care.

Authorised clinicians such as GPs, NHS 111 clinicians, care home nurses (if you are in a care home), secondary care trusts and social care clinicians are able to access the GP records of the patients they are treating via GP connect.

The NHS 111 service (and other services determined locally e.g., other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.

Patient communication

As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone should we need to notify you about appointments and other services that we provide to you involving your direct care. This is to ensure we are sure we are contacting you and not another person. As this is operated on an ‘opt out’ basis we will assume that you have given us permission to contact you via SMS if you have provided your mobile telephone number. Please let the organisation know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us.

Primary care networks

All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients.

PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care.

We are members of the Celandine and Metrocare PCN.

This arrangement means that practices within the same PCN may share data with other practices within the PCN, to provide you with your care and treatment. Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security.

Risk stratification

Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.

Typically, the ones used in the practice may include: Qrisk– a cardiovascular risk assessment tool which uses data from your record such as your age, blood pressure, cholesterol levels etc to calculate the probability of you experiencing a cardiovascular event over the next ten years.

Safeguarding

The organisation is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do.

Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:

• Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is:

• Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Safeguarding information such as referrals to safeguarding teams is retained by Southcote Clinic when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).

Shared care

To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems.

You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent.

Summary care records

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England. This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare. You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare.

During the height of the pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it to support direct patient care, leading to improvements in both care and outcomes.

These changes to the SCR will remain in place unless you decide otherwise.

Regardless of your past decisions about your SCR preferences, you will still have the same options that you currently have in place to opt out of having a SCR, including the opportunity to opt back in to having a SCR or opt back in to allow the sharing of additional information

Telephone system

Our telephone system records all telephone calls. Recordings are retained for up to three years and are used periodically for the purposes of seeking clarification where there is a dispute as to what was said and for staff training. Access to these recordings is restricted to named senior staff Practice Manager. Please see separate privacy notice about recording telephone calls.

Opt-outs

National opt-out facility

This is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services such as screening for bowel cancer.

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out by using one of the following:

• Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice
• Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700
• NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google play
• “Print and post” registration form: https://assets.nhs.uk/prod/documents/Manage_your_choice_1.1.pdf. Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application. It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ.
• Getting a healthcare professional to assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings, guidance is available on NHS Digital and a proxy form is available to assist in registration.

Note: Unfortunately, the national data opt-out cannot be applied by this organisation.

General Practice Data for Planning and Research opt out (GPDPR)

The NHS needs data about the patients it treats to plan and deliver its services and to ensure that the care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. For example, patient data can help the NHS to:

• Monitor the long-term safety and effectiveness of car
• Plan how to deliver better health and care services
• Prevent the spread of infectious diseases
• Identify new treatments and medicines through health research

GP practices already share patient data for these purposes but this new data collection will be more efficient and effective. This means that GPs can get on with looking after their patients and NHS Digital can provide controlled access to patient data to the NHS and other organisations who need to use it, to improve health and care for everyone.

Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.

NHS Digital has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.

What patient data is shared about you with NHS Digital?

The collection date is still to be confirmed, although when it has been, patient data will be collected from GP medical records about:

• Any living patient registered at a GP practice in England when the collection started – this includes children and adults
• Any patient who died after the data collection started and was previously registered at a GP practice in England when the data collection started

They will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, postcode and date of birth, is replaced with unique codes that are produced by de-identification software before the data is shared with NHS Digital.

This process is called pseudonymisation and means that no one will be able to directly identify you from the data. The diagram helps to explain what this means.

Objections or complaints

If you are happy for your information to be used, and where necessary shared, for the purposes described in this notice then you do not need to do anything.

Should you have any concerns about how your information is managed at the practice, please contact us.

If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via:

Their website: www.ico.org.uk

Email: [email protected]

Changes to our privacy policy

We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes. This policy is to be reviewed in June 2024 or as legislation changes.