Practice Policies & Patient Information
Data Privacy, Protection & Data Security
The lawful and proper treatment of personal information by the practice is extremely important to the success of our business and in order to maintain the confidence of our service users and employees. We ensure that the practice treats personal information lawfully and correctly.
These policies provide direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.
Data Protection & Privacy Policies
Commissioning, Planning, Risk Stratification and Research Privacy Notice
Rochester Road Surgery uses data insightfully for Research, auditing and healthcare planning (population health management).
We are required by law to provide you with the following information about how we handle your information. Our full list of Privacy Notices can be found at https://www.rochesterroadandbeaumontdrivesurgeries.nhs.uk/
Data Controller contact details | Rochester Road Surgery
115 Rochester Road, Gravesend, Kent, DA12 2HU |
Purpose of the processing | If data from many patients are linked up or pooled, Researchers and Doctors can look for patterns in the data, helping them to develop new ways of predicting illness, and identify ways to improve clinical care. This information can be used to help:
· Understand more about disease risk and causes
· Improve diagnosis
· Develop new treatments and prevent diseases
· Plan NHS and GP Services
· Improve patient safety
· Evaluate Government and NHS Policy
A list of Practice processing activities can be found here. |
Information we collect and use | · Pseudonymised data: information about individuals but with identifying details (such as name or NHS number) replaced with a unique code
· Anonymised data: information about individuals but with identifying details removed
· Aggregated data: anonymised information grouped together so that it does not identify individuals
In certain circumstances, where we have a lawful basis it may be necessary to use:
· Demographics: name, address, date of birth, postcode, and NHS number
· Medical history |
Lawful basis for processing | These purposes are supported under the following sections of the UK General Data Protection Regulations:
Article 6(1)(c) ‘…necessary for compliance with a legal obligation to which the controller is subject’
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
Article 9(2)(g) ‘processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;’
Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy’
Article 9(2)(j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.’
Schedule 1, Part 1(2) Health and Social Care Purposes, Data Protection Act 2018
Schedule 1, Part 1(3) Public Health, Data Protection Act 2018
Schedule 1, Part 1(4) Research etc, Data Protection Act 2018
Schedule 1, Part 2(6) Statutory etc and government purposes, Data Protection Act 2018
The Practice recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential.
Even though consent is not the legal basis for processing personal data for secondary purposes such as service evaluations and audit, the common law duty of confidentiality is not changing; therefore consent is still needed for people outside the care team to access and use confidential patient information for clinical audit, unless you have support under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales or similar arrangements elsewhere in the UK. |
Strategic Health and Care Board (SHcAB) | Your information will be passed, with all identifiers removed, to a collaborative programme called the Kent & Medway Shared Health and Care Analytics Board. It will be used for population health management purposes beyond your individual care, including, for example, planning services, managing finances, early treatment of illnesses (known as risk stratification), coordinating and improving patient and service user’s movement through the health and care system, research, and public health enhancement. |
Kent and Medway Care Record (KMCR) | Rochester Road Surgery are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data.
For further information about the Kent and Medway Care Record and the ways in which your data is used for this system please click here. |
General Practice Extract Service (GPES) | NHS Digital collects data from Practices to support vital health and care planning and research. This information is used insightfully to better understand what causes ill health and, importantly, what we can do to prevent or treat it and provide better care. |
Health Service (Control of Patient Information) Regulations 2002 (COPI) | The Secretary of State for Health and Social Care has issued Notices under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) which required organisations to share confidential patient information with organisations entitled to process this under COPI for COVID-19 purposes (COPI Notices).
Further guidance on processing personal data when the COPI Notice expires can be found here. |
Population Health Management | Your information is passed, with all identifiers removed, to NHS Kent and Medway for public health management. This enables the Practice to identify the appropriate level of care and services for distinct groups of patients. It is the process of assigning a risk status to patients, then using this information to direct care and improve overall health outcomes. |
National Data Opt-Out | The National Data opt-out is a service that enables patients to opt-out of their confidential information being used for research and planning.
The National Data opt-out can be applied here.
It is worth noting that, in a small number of exceptional circumstances, senior health care professionals can decide to share information based on public interest, and in these cases the National Data Opt-out does not apply.
The Confidentiality Advisory Group (CAG) considers applications for the use of patient data without consent under the following regulations of the Control of Patient Information Regulations 2002, Section 251 of the NHS Act 2006:
Regulation 2 – for diagnosis and treatment of cancer
Regulation 5 – for general medical and research purposes
Specific exemptions to the national data opt-out policy have been made for disclosure of data for:
· Public Health England National Disease Registers
· Assuring Transformation
· National patient experience surveys
There are also specific policy considerations for NHS Digital, as the national safe haven of health and care data with specific powers under the Health and Social Care Act 2012. National data opt-outs do not apply where NHS Digital indicate data should be provided to them under s259 of the Health and Social Care Act 2012. |
Rights to object | The National Data opt-out is a service that enables patients to opt-out of their confidential information being used for research and planning.
The National Data opt-out can be applied here. |
For further details on your rights and how to complain please see the main privacy notice |
Data Protection Privacy Notice
General Practices are usually the first point of contact if you have a health problem. They can treat many conditions and give health advice. They also refer patients to hospitals and other medical services for urgent and specialist treatments.
The data we hold may also be used to shape the way we work together to plan service improvements, improve the health and wellbeing of our communities, and take action to prevent illness and disease for individuals as well as wider communities.
The categories of personal information
Dependent on the purpose of processing, different categories of data may be used by the Practice. Data can be categorised using the following terms:
Anonymised data – data where personally identifiable identifiers have been removed. Data protection laws and the Common Law of Confidentiality do not apply to anonymised data.
Pseudonymised data – data where any information which could be used to identify an individual has been replaced with a fake identifier. Pseudonymised data remains personal data and as such the Common Law Duty of Confidentiality and Data Protection legislation apply and there must be a lawful reason for using such data.
Person identifiable information (or personal data) – any information about an individual from which, either on its own or together with other information, that person may be identified. The Common Law Duty of Confidentiality and Data Protection legislation apply and there must be a lawful reason for using such data.
To find out more about the data processed for each purpose, please click on the links below (The Purpose(s) of Processing).
In addition to the above types of data, some information is considered protected regardless of the purpose of processing; this information does not form part of your shared care record and is not disclosed to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on such information.
The purpose(s) of processing personal data
Processes data for the following purposes:
What is the lawful basis for the sharing?
Each purpose of sharing has its own lawful basis, and these can be found in detail on the associated Privacy Notices above.
Organisations we share your personal information with
Personal Data (including special category data) will only be shared between the general Practice and health and social care organisations that have signed a Joint Controller or Data Processing Agreement. These currently include:
- Dartford and Gravesham NHS Trust (D&G)
- East Kent Hospitals University NHS Foundation Trust (EKHUFT)
- Medway Maritime Hospital – Medway NHS Foundation Trust (MFT)
- Maidstone and Tunbridge Wells NHS Trust (MTW)
- Kent and Medway Partnership NHS and Social Care Partnership Trust (KMPT)
- North East London Foundation Trust (NELFT)
- Kent Community Health NHS Foundation Trust (KCHFT)
- HCRG Care Group Limited
- Medway Community Healthcare (MCH)
- South East Coast Ambulance Service (SECAmb)
- Integrated Care 24 (IC24)
- Out of hours providers (currently IC24, SECAmb, MCH and KCC Children’s Services)
- NHS Kent and Medway
- Kent County Council (children and adults social care departments) (KCC)
- Medway Council (children and adults social care departments) (MWC)
- GP federations.
- Other Practices that form the Malling PCN Primary Care Network
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Health care partnerships
- Other Primary Care networks that we work in partnership with
- Mental Health providers
- Community trusts
- Kent County Council/Medway council Social Care Services
- NHS England
- Local Authorities
- School Nurse
- Police & Judicial Services
How long do we keep your record?
The Practice maintains your records in accordance with the NHS Records Management Code of Practice 2021.
How we keep your personal information safe and secure
To protect personal and special category data, we make sure the information we hold is kept in secure locations and access to information is restricted to authorised personnel only.
Our appropriate technical and security measures include:
- all employees and contractors who are involved in the processing of personal data are suitably trained, on an annual basis, in maintaining the confidentiality and security of the personal data and are under contractual or statutory obligations of confidentiality concerning the personal data.
- robust policies and procedures, for example password protection
- technical security measures to prevent unauthorised access
- use of ‘user access authentication’ mechanisms, such as role-based access and Smartcard use, to make sure access is appropriate and authorised and that all instances of access to any personal data held on clinical systems are auditable against an individual
- reminding staff of their responsibilities in complying with data protection legislation
- encrypting information transmitted between partners
- implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
- completion of the Data Security and Protection Toolkit (DSPT), an annual self-assessment requirement that ensures organisations are compliant with the latest data protection and cyber requirements
- regular audit of policies and procedures to ensure adherence against these criteria
The NHS Digital Code of Practice on Confidential Information applies to all staff who access clinical systems. They are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
What are your rights?
Under data protection legislation, you have the right:
- to be informed of the uses of your data: this enables you to be informed how your data is processed
- of access: this enables you to have sight of or receive a copy of the personal information held about you and to check the lawful processing of it
- to rectification: this enables you to have any incomplete or inaccurate information held about you corrected
- to erasure: this enables you to request we erase personal data about you we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding lawful grounds to continue to process your data
- to restrict processing: this enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it
- to data portability: this enables you to transfer your electronic personal information to another party, where appropriate.
- to object: this enables you to object to processing of personal data about you on grounds relating to your situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.
- in relation to automated decision making and profiling: this enables you to be told if your data is being processed using automated software in relation to automated decision making and profiling. Note: no automated decision making or profiling is undertaken by the Practice.
Please note that not all these rights are absolute; please see our ROPA for more details.
If you wish to exercise your rights in any of the ways described above, you should in the first instance contact Rochester Road Surgery [email protected]
Right to complain
You can get further advice or report a concern directly to [email protected]
Our Data Protection Officer function is provided by NHS Kent and Medway who can be contacted via email [email protected]
You also have the right to contact the UK’s data protection supervisory authority (Information Commissioner’s Office) by:
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Phone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
Email: https://ico.org.uk/concerns/handling/
Information about the way in which the NHS uses personal information and your rights is published by NHS Digital.
The NHS Constitution
The constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you will receive, the treatments and programmes available to you, confidentiality, information and your right to complain, if things go wrong.
NHS England
NHS England collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.
Reviews of and changes to this privacy notice
We will review the information contained within this notice regularly and update it as required. We therefore recommend you check this webpage regularly to remain informed about the way in which we use your information.
Direct Care Privacy Notice
Rochester Road Surgery uses your information to provide you with healthcare.
This practice keeps medical records confidential and complies with data protection legislation.
We hold your medical record so that we can provide you with safe care and treatment.
We are required by law to provide you with the following information about how we handle your information.
Data Controller contact details | Rochester Road Surgery
115 Rochester Road, Gravesend, Kent, DA12 2HU |
Purpose of the processing | To give direct health or social care to individual patients.
For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care. |
Information we collect and use | · Special data information including racial or ethnic origin; religious or philosophical beliefs; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life; and data concerning a person’s sexual orientation.
· Demographics: name, address, date of birth, postcode, and NHS number
· Medical history
· Adult and Children safeguarding information
· Third party identifying data: basic details about other individuals that may be involved in providing your care and support services, e.g. emergency contacts, relatives, mobility services providers, home care support |
Lawful basis for processing | These purposes are supported under the following sections of the UK General Data Protection Regulations:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
Schedule 1, Part 1(2) Health and Social Care Purposes, Data Protection Act 2018
The legal obligation relies on the Health and Social Care Act 2012 s251(b) (as amended by the Health and Social Care (Safety and Quality) Act 2015 which created a statutory ‘duty to share’).
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential. |
Recipient or categories of recipients of the processed data | Please see our main privacy notice for a full list of organisations we share information with.
The Practice may also receive information about your health from these organisations who are involved in providing you with health and social care. This means your GP medical record is kept up to date when you receive care from other parts of the health service. |
NHS Summary Care Record | The Summary Care Record is an electronic record of important patient information created from GP Medical Records. It can be seen and used by authorized staff in other areas of the health and social care system involved in a patient’s direct care. |
National Screening Programmes | The NHS provides national screening programmes so that certain diseases can be detected at an early stage. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. Information regarding screening programmes can be found here. |
Kent and Medway Care Record (KMCR) | We are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data.
For further information about the Kent and Medway Care Record and the ways in which your data is used for this system please click here. |
Population Health Management | Your information is passed, with all identifiers removed, to NHS Kent and Medway for public health management. This enables the Practice to identify the appropriate level of care and services for distinct groups of patients. It is the process of assigning a risk status to patients, then using this information to direct care and improve overall health outcomes. |
National Data Opt-out | The National Data opt-out is a service that enables patients to opt-out of their confidential information being used for research and planning.
The National Data opt-out can be applied here.
It is worth noting that, in a small number of exceptional circumstances, senior health care professionals can decide to share information based on public interest, and in these cases the National Data Opt-out does not apply.
The Confidentiality Advisory Group (CAG) considers applications for the use of patient data without consent under the following regulations of the Control of Patient Information Regulations 2002, Section 251 of the NHS Act 2006:
Regulation 2 – for diagnosis and treatment of cancer
Regulation 5 – for general medical and research purposes
Specific exemptions to the national data opt-out policy have been made for disclosure of data for:
· Public Health England National Disease Registers
· Assuring Transformation
· National patient experience surveys
There are also specific policy considerations for NHS Digital, as the national safe haven of health and care data with specific powers under the Health and Social Care Act 2012. National data opt-outs do not apply where NHS Digital indicate data should be provided to them under s259 of the Health and Social Care Act 2012. |
For details on your rights and how to complain please see the main privacy notice |
GDPR
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data.
The regulation applies from 25th May 2018, and will apply even after the UK leaves the EU.
What GDPR will mean for patients:
The GDPR sets out the key principles about processing personal data, for staff or patients:
- Data must be processed lawfully, fairly and transparently
- It must be collected for specific, explicit and legitimate purposes
- It must be limited to what is necessary for the purpose for which it is processed
- Information must be accurate and kept up to date
- Data must be held securely
- It can only be retained for as long as is necessary for the reasons it was collected
- For more information please visit www.nhs.uk/your-nhs-data-matters
Our Privacy Notices can be viewed at Reception
How we Use Your Medical Records
Important information for patients
- This practice handles medical records in-line with laws on data protection and confidentiality
- We share medical records with those who are involved in providing you with care and treatment
- In some circumstances we will also share medical records for medical research, for example to find out more about why people get ill
- We share information when the law requires us to do so, for example, to prevent infectious diseases from spreading or to check the care being provided to you is safe.
- You have the right to be given a copy of your medical record
- You have the right to object to your medical records being shared with those who provide you with care.
- You have the right to object to your information being used for medical research and to plan health services.
- You have the right to have any mistakes corrected and to complain to the Information Commissioner’s Office.
- For more information please visit www.nhs.uk/your-nhs-data-matters
Requesting Your Medical Information
To request a copy of your medical data you are required to fill out a Subject Access Request (SAR) form which will be available from reception.
GP Net Earnings
NHS England require that the mean (average) earnings of doctors engaged in the practice is published, and the required disclosure is shown below. However, it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used to form any judgement about GP earnings, nor to make any comparison with any other Practice.
The average pay for GPs working at Rochester Road Surgery part-time in the last year was £55,000 before tax. The average earnings of a part-time Locum working at the Practice are £50,000 before tax and national insurance.
Human Resources Privacy Notice
This Privacy Notice describes how Rochester Road Surgery collect and use personal information about you during and after your working relationship with us.
We are required by law to provide you with the following information about how we handle your information. The full range of Privacy Notices can be found at https://www.rochesterroadandbeaumontdrivesurgeries.nhs.uk/
Data Controller contact details | Rochester Road Surgery
115 Rochester Road, Gravesend, Kent, DA12 2HU |
Purpose of the processing | Reasons for processing your personal data include: |
Information we collect and use | Personal Information
Job Information
Performance Information
Information about your family
Special Category Data
· Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
· Trade union affiliations, where applicable
· Information about past criminal convictions (Disclosure and Barring Service), and/or your fitness to practise in certain regulated professions |
Lawful basis for processing | Article 6(1)(b) ‘…necessary for the performance of a contract with employee’
Article 6(1)(c) ‘…necessary for compliance with a legal obligation’
Article 6(1)(f) ‘…in the Practice’s legitimate interests, which are not outweighed by the fundamental rights and freedoms of the data subject’
Article 9(2)(b) Employment, social security, and social protection
Article 9(2)(g) Reasons of substantial public interest
Schedule 1, Part 1(1) Data Protection Act 2018 – necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security, or social protection.
Schedule 1, Part 2(8) Data Protection Act 2018 – necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained
Schedule 1, Part 2(14) Data Protection Act – is necessary for the purposes of preventing fraud or a particular kind of fraud |
Recipient or categories of recipients of the processed data | Professional Bodies (i.e. GMC, RCN, etc.)
Payroll Provider Ignitio Accountants
Pension Provider (NHS PENSION)
Occupational Health Provider
HM Revenue and Customs
Education Establishments
Police & Judicial Services
CQC
NHS jobs
Rochester Road Surgery as lead for shared Gravesend Central ARRS Roles
Workforce tools?
Solicitors? If there is an incident claim?
Disclosure and Barring Service (DBS)
Your previous or prospective employer
The Practice may also receive information about you from these organisations. |
Right of access | Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”). |
Rights in relation to inaccurate personal or incomplete data | You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. |
Rights to object to or restrict our data processing | Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.
This right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes. |
Right to erasure | Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.
We may not be able to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims. |
How to exercise your rights | To exercise your rights, please contact [email protected] |
Retention period | Your personnel records are kept in compliance with law and national guidance. Details on how long records are kept are set out in the NHS England Records Management Code of Practice 2021. |
Right to complain | If you are unhappy with how your personal data is processed, you have the right to complain to the Information Commissioner’s Office (ICO). Their helpline number is 0303 123 1113.
We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO so please do contact us [email protected] in the first instance. |
Data Protection Officer contact details | Dr Jawad Saad
GP Data Protection Officer NHS Kent and Medway |
Statutory Disclosure Privacy Notice
Where there is a statutory requirement Rochester Road Surgery will share personal data with a range of organisations and agencies.
We are required by law to provide you with the following information about how we handle your information. Our full list of Privacy Notices can be found <insert hyperlink>
Data Controller contact details | Rochester Road Surgery
115 Rochester Road, Gravesend, Kent, DA12 2HU |
Purpose of the processing | · Safeguarding: to prevent serious abuse or neglect or death of a child or vulnerable adult from taking place
· Regulatory bodies: such as the Care Quality Commission, who undertake audits to ensure the Practice comply with standards and provide safe health care
· Law enforcement: prevention and detection of crime or apprehension and prosecution of offenders
· Medico-legal: where the Practice are defending a legal claim
· Complaint management: sometimes it is necessary to share information with NHS England or the Health Service Ombudsman or Information Commissioner’s Office
· Planning and Research: information may be shared for securing, planning, and paying for primary care and/or specialised NHS Services
· Health Protection: information may be shared with Public Health bodies for the management of certain health conditions, epidemics, and infections
· Cancer pathways: the Practice participates in the National Cancer Diagnosis Audit |
Information we collect and use | · Demographics – name, address, date of birth, postcode, and NHS number
· Medical history |
Lawful basis for processing | These purposes are supported under the following sections of the UK General Data Protection Regulation:
Article 6(1)(c) ‘…necessary for compliance with a legal obligation to which the controller is subject’
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
Article 9(2)(g) ‘processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;’
Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy’
Schedule 1, Part 1(2) Health and Social Care Purposes, Data Protection Act 2018
Schedule 1, Part 1(3) Public Health, Data Protection Act 2018
Schedule 1, Part 2(6) Statutory etc and government purposes, Data Protection Act 2018 |
Recipient or categories of recipients of the processed data | Where required the Practice will share your information with:
Care Quality Commission
Public Health England
Police
Courts of Justice
HM Revenue and Customs
Kent County Council or Medway Council
General Medical Council (GMC)
Royal College of Nursing (RCN)
NHS England/Digital
Health Service Ombudsman
Information Commissioner’s Office
GMC, MDDUS and MDU providing medico/legal advice |
For full details on your rights and how to complain please see the main privacy notice |