Practice Policies & Patient Information
Abuse and Violence Policy
The NHS operate a zero tolerance policy with regard to violence and abuse. The staff at the practice should be free to come to work without being subjected to violence, abuse or threats. The practice has the right to remove violent patients or patients that threaten violence from the list with immediate effect in order to safeguard practice staff, patients and other persons. Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety.
In this situation, we will notify the patient in writing of their removal from the list and record in the patient’s medical records the facts of the removal and the circumstances leading to it.
Abusive patients will normally be given a warning letter that will be logged on the medical records, and any repeat incidents of violence or abuse within a 12-month period will also result in immediate removal.
Access To Medical Records
1. Introduction
1.1 Policy Statement
The purpose of this document is to ensure that appropriate procedures are in place at St Clements Surgery, to enable individuals to apply for access to information held about them, and for authorised individuals, information held about other people. This policy is written in conjunction with the following government legislation:
- The Access to Health Records Act 1990
- The Access to Medical Reports Act 1988
- The General Data Protection Regulation
- The Data Protection Act 2018
- The Freedom of Information Act 2000
- The Data Protection (Subject Access Modification) (Health) Order 2000
1.2 Status
This document and any procedures contained within it are contractual and therefore form part of your contract of employment. Employees will be consulted on any modifications or change to the document’s status.
1.3 Training and support
The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
2. Scope
2.1 Who it applies to
This document applies to all employees of the practice and other individuals performing functions in relation to the practice, such as agency workers, locums and contractors.
2.2 Why and how it applies to them
In accordance with the General Data Protection Regulation individuals have the right to access their data and any supplementary information held by St Clements Surgery; this is commonly known as a data subject access request (DSAR). Data subjects have a right to receive:
- Confirmation that their data is being processed
- Access to their personal data
- Access to any other supplementary information held about them
This policy will outline the procedure to access health records at St Clements Surgery as follows:
- For an individual, for information about themselves
- For access to the health records of a deceased individual
- Access to health records of an individual by an authorised person (by a court), when the individual does not have the capacity to make such a decision
- Organisations requesting information about an individual for employment or insurance purposes (governed by The Access to Medical Reports Act 1988)
The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.
3. Policy
3.1 Right to access
In accordance with the Access to Health Records Act 1990 individuals have the right to access health records held by a healthcare provider that has treated that individual, and/or to access a summary care record (SCR) created by the individual’s GP. The Data Protection Act (DPA 1998) gives individuals the right to ask for a copy of the information an organisation holds about them; this right is commonly known as a Data Subject Access Request (DSAR). In the case of health records, a request for information has to be made with the organisation that holds the individual’s health records, otherwise known as the data controller.
St Clements Surgery has mechanisms in place to inform patients of their right to access the information held about them, and how long it will take for a DSAR process to be completed.
With effect from April 2016, NHS practices are, as part of their contractual obligation, to provide patients with access to coded information held within their health records. Such information includes:
- Demographics
- Allergies
- Immunisations
- Medication
- Results
- Procedures
- Values
- Problems/diagnoses
- Other (ethnicity, QOF, etc.)
NHS England have published an information leaflet Patient Online which provides further detailed information about this obligation and how patients can access their health record online.
There are occasions when a GP may firmly believe that it is not appropriate to share all the information contained in the individual’s record, particularly if there is potential for such information to cause harm or distress to individuals, or when the record has information relating to a third party.
Patients may request paper copies of health records and, regardless of the preferred method of access, patients and authorised third parties must initially complete a DSAR form. However, patients may request access to their health records informally: any such requests should be annotated within the individual’s health record by the clinician dealing with the patient.
3.2 Requests
Requests may be received from the following:
- Competent patients may apply for access to their own records or authorise third party access to their records.
- Children and young people may also apply in the same manner as other competent patients and St Clements Surgery will not automatically presume a child or young person has capacity under the age of 16. However, those aged 12 or over are expected to have the capacity to consent to medical information being disclosed.
- Parents may apply to access their child’s health record as long as it is not in contradiction to the wishes of the competent child.
- Individuals with a responsibility for adults who lack capacity are not automatically entitled to access the individual’s health records. St Clements Surgery will ensure that the patient’s capacity is judged in relation to particular decisions being made. Any considerations to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act in England and Wales and the Adults with Incapacity Act Scotland.
- Next of kin have no rights of access to health records.
- Police are not able to access health records without first obtaining a court order or warrant. However, health professionals at St Clements Surgery may disclose relevant information to the police if the patient has consented or if there is no overriding public interest. For detailed information, see section 4.1.6 of footnote 2.
- Solicitors and insurance companies in most cases will provide the patient’s signed consent to release information held in their health record. St Clements Surgery will ensure that patients are fully aware of the information being provided to the solicitor who is acting for that patient. In the case of a solicitor requesting information, the BMA has provided more information here. St Clements Surgery will ask solicitors to use the appropriate form when requesting information.
- Deceased patients retain the right of confidentiality. There are a number of considerations to be taken into account prior to disclosing the health record of a deceased patient. Such considerations are detailed in the Access to Health Records Act 1990. Under the terms of this Act, St Clements Surgery will only grant access if you are either:
- A personal representative (executor of the deceased person’s estate) or
- Someone who has a claim resulting from the death
The medical records of the deceased will be passed to Primary Care Support England (PCSE) for storage. St Clements Surgery can advise you of who you need to contact in such instances. PCSE will retain the GP records of deceased patients for ten years, after which time they will be destroyed. PCSE have provided an application form which can be used to request copies of a deceased patient’s record.
In the cases of any third-party requests, St Clements Surgery will ensure that the patient has consented to the disclosure of this information by means of a valid signature of the patient.
In accordance with the GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the DSAR. In order to ensure full compliance regarding DSARs, St Clements Surgery will adhere to the guidance provided in the GDPR. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the data subject must be informed and the reasons for the extension given.
Under The Data Protection (Subject Access Modification) (Health) Order 2000, St Clements Surgery will ensure that an appropriate healthcare professional manages all access matters. At St Clements Surgery there are a number of such professionals, and wherever possible the individual most recently involved in the care of the patient will review and deal with the request. If for some reason they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.
Furthermore, to maintain GDPR compliance, the data controller at St Clements Surgery will ensure that data is processed in accordance with Article 5 of the GDPR and will be able to demonstrate compliance with the regulation (see GDPR policy for detailed information). Data processors at St Clements Surgery will ensure that the processing of personal data is lawful and at least one of the following applies:
- The data subject has given consent to the processing of his/her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or another natural person
3.3 Procedure for access
A DSAR form must be completed and passed to the data controller; all DSARs should be processed free of charge unless they are either complex, repetitive or unfounded (see GDPR Policy). The GDPR states that data subjects should be able to make access requests via email. St Clements Surgery is compliant with this and data subjects can complete an e-access form and submit the form via email.
Upon receipt of a DSAR, St Clements Surgery will record the DSAR within the health record of the individual to whom it relates, as well as annotating the DSAR log. Furthermore, once processed, an entry onto the health record should be made, including the date of postage or the date the record was collected by the patient or authorised individual.
Individuals will have to verify their ID at St Clements Surgery and it is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the practice’s Data Subject Access Request (DSAR) form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e. a driving licence or passport.
A poster explaining how to access health records, for use in waiting-room areas, can be found at Annex D.
3.4 Additional Privacy Information notice
Once the relevant information has been processed and is ready for issue to the patient, it is a requirement, in accordance with Article 15 of the General Data Protection Regulation (GDPR), to provide an Additional Privacy Information notice (APIn).
3.5 Third-party requests
Third-party requests will continue to be received following the introduction of the GDPR. The data controller must be able to satisfy themselves that the person requesting the data has the authority of the data subject.
The responsibility for providing the required authority rests with the third party and is usually in the form of a written statement or consent form, signed by the data subject.
3.6 Summary
Having a robust system in place will ensure that access to health records is given only to authorised personnel. Patient confidentiality is of the utmost importance and any third-party requests must be accompanied by a valid patient signature. Staff are to adhere to this guidance at all times and where doubt exists, they are to discuss their concerns with St Clements Surgery.
Further Information
- Annex A – Application form for access to health records
- Annex D: Accessing Your Medical Records at St Clements Surgery – Proxy Access
Introduction
In accordance with the General Data Protection Regulation, patients (data subjects) have the right to access their data and any supplementary information held by St Clements Surgery; this is commonly known as a data subject access request (DSAR). Data subjects have a right to receive:
- Confirmation that their data is being processed
- Access to their personal data
- Access to any other supplementary information held about them
Options for access
As of April 2016, practices have been obliged to allow patients access to their health record online. This service will enable the patient to view coded information held in their health record. Prior to accessing this information, you will have to visit the practice and undertake an identity check before being granted access to your records.
In addition, you can make a request to be provided with copies of your health record. To do so, you must submit a Data Subject Access Request (DSAR) form; this can be submitted electronically and the DSAR form is available on the practice website. Alternatively, a paper copy of the DSAR is available from reception. You will need to submit the form online or return the completed paper copy of the DSAR to the practice. Patients do not have to pay a fee for copies of their records.
Time frame
Once the DSAR form is submitted, St Clements Surgery will aim to process the request within 21 days; however, this may not always be possible. The maximum time permitted to process DSARs is one calendar month.
Exemptions
There may be occasions when the data controller will withhold information kept in the health record, particularly if the disclosure of such information is likely to cause undue stress or harm to you or any other person.
Data controller
At St Clements Surgery the data controller is the Practice Manager and should you have any questions relating to accessing your medical records, please ask to discuss this with the practice manager.
Confidentiality & Medical Records
The practice complies with data protection and access to medical records legislation. Identifiable information about you will be shared with others in the following circumstances:
- To provide further medical treatment for you – e.g. from district nurses or hospital services
- To help you get other services – e.g. from the social work department (this requires your consent)
- Anonymised patient information will also be used locally and nationally to help plan future services
The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in the Review of Data Security, Consent and Opt-Outs.
Patients can view or change their national data opt-out choice at any time by using the online service at NHS: Your Data Matters or by calling 0300 3035678.
If you do not wish for anonymous information about you to be used, please let a member of staff know.
Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are all bound by the same rules of confidentiality as the medical staff.
For more information about how we use your health records please click here
Freedom of Information
Information about the general practitioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.
Access to records
In accordance with the Data Protection Act 1998 and Access to Health Records Act, patients may request to see their medical records. Such requests should be made through the practice manager and may be subject to an administration charge. No information will be released without the patient’s consent until we are legally obliged to do so.
GDPR: What It Means To Our Patients
At St Clements Surgery, we take the security of your data very seriously. We value your privacy and have robust security in place to ensure we protect your personal data. We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation, which includes monitoring the quality of care that we provide. Secondly, we ensure that the information we hold about you is relevant, useful and timely.
We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation. In carrying out this role, we may collect information about you which helps us respond to your queries or secure specialist services.
We may keep your information in written and/or digital form. The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health as well as information such as assessment outcomes.
We do not sell your personal data to third parties.
For more information, please refer to the St Clements Surgery, Practice Privacy Notice
We have concise information leaflets to help and explain how we use your data and the options available to you, please take a look:
For more information regarding the Subject Access Request Policy, please see the Access To Medical Records Policy.
General Practice Transparency Notice
General Practice Transparency Notice for sharing Data for Planning and Research (Replacement for GPES)
NHS Digital collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced.
Patient data collected from general practice is needed to support a wide variety of research and analysis to help run and improve health and care services. Whilst the data collected in other care settings such as hospitals is valuable in understanding and improving specific services, it is the patient data in general practice that helps us to understand whether the health and care system as a whole is working for patients.
In addition to replacing what GPES already does, the General Practice Data for Planning and Research service will also help to support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including coronavirus (COVID-19)) and enable many different areas of research.
For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research
OpenSAFELY Covid 19 – NHS England has been directed by the Government to establish and operate the OpenSAFELY service. This service provides a Trusted Research Environment that supports COVID-19 research and analysis.
Each GP practice remains the controller of its own patient data but is required to let researchers run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym, through OpenSAFELY.
Only researchers approved by NHS England are allowed to run these queries and they will not be able to access information that directly or indirectly identifies individuals.
National Data Opt-Out
The NHS has launched the national data opt-out as part of the ‘Your Data Matters to the NHS’ campaign. This campaign informs the public of the strict rules about how health and care data can and cannot be used. The NHS is committed to keeping patient information safe and always being clear about how it is used. The campaign will also let the public know that they can choose whether their confidential patient information is used for research and planning. The following website allows the public to find out more about how their data is used across health and care to make this choice. If you are happy about how your confidential patient information is used, you do not need to do anything – you can change your choice at any time.
Type 1 Opt-out: Medical records held at your GP practice
You can tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This opt-out request can only be recorded by your GP surgery. Please fill out our secure online form
Type 2 Opt-out: Information held by NHS Digital
Previously it was possible to tell your GP surgery if you did not want NHS Digital to share confidential patient information, for purposes other than your individual care – this was called a type 2 opt-out. From 25th May 2018, type 2 opt-out was replaced with National Data opt-out. Previously recorded type 2 opt-outs have automatically been converted to national data opt-outs. For more information about the difference between type 2 opt-out and the national data opt-out, please click here
Net GP Earnings
NHS England require that the net earnings of doctors engaged in the practice are publicised and that the required disclosure is shown below. However, it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used for any judgement about GP earnings, nor to make comparisons with other practices.
“All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.
The average pay for GPs working in St Clements Surgery in the last financial year was £126,927 before tax and National Insurance. This is for 3 part time GPs who worked in the practice for more than six months.”
Privacy Information
What is a privacy notice?
A privacy notice is a statement that discloses some or all of the ways in which the practice gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.
Why do we need one?
To ensure compliance with the General Data Protection Regulation (GDPR), St Clements Surgery must ensure that information is provided to patients about how their personal data is processed in a manner which is:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge
What is the GDPR?
The GDPR replaces the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The GDPR comes into effect on 25 May 2018.
How do we communicate our privacy notice?
At St Clements Surgery the practice privacy notice is displayed on our website, through signage in the waiting room, and in writing during patient registration (by means of this leaflet). We will:
- Inform patients how their data will be used and for what purpose
- Allow patients to opt out of sharing their data, should they so wish
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
How do we use your information?
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.
Maintaining confidentiality
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO).
Risk stratification
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including St Clements Surgery; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Invoice validation
Your information may be shared if you have received treatment, to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
Opt-outs
The national data opt-out programme affords patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used for their individual care and treatment or also used for research and planning purposes. Patients who wish to opt out of data collection will be able to set their national data opt-out choice online. An alternative provision will be made for those patients who are unable to or do not want to use the online system.
Accessing your records
You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
What to do if you have any questions
Should you have any questions about our privacy policy or the information we hold about you, you can:
- Contact the practice’s data controller via email using our secure online form. GP practices are data controllers for the data they hold about their patients. Click here to find out more
- Write to the data controller at St Clements Surgery, 39 Temple Street, Oxford, OX4 1JS
- Ask to speak to the practice manager.
Complaints
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’. We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes.
Privacy Information For Children
What is a privacy notice?
A privacy notice helps your doctor’s surgery tell you how it uses information it has about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your healthcare record.
Why do we need one?
Your doctor’s surgery needs a privacy notice to make sure it meets the legal requirements which are written in a new document called the General Data Protection Regulation (or GDPR for short).
What is the GDPR?
What a great question! The GDPR is a new document that helps your doctor’s surgery keep the information about you secure. It’s new and will be introduced on the 25th May 2018, making sure that your doctor, nurse and any other staff at the practice follow the rules and keep your information safe.
How do you know about our privacy notice?
At your surgery, we have posters in our waiting room and leaflets to give to children and adults and we also have lots of information about privacy on our website, telling you how we use the information we have about you.
What information do we collect about you?
Don’t worry; we only collect the information we need to help us keep you healthy – such as your name, address, information about your parents or guardians, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.
How do we use your information?
Another great question! Your information is taken to help us provide your care. But we might need to share this information with other medical teams, such as hospitals, if you need to be seen by a special doctor or sent for an X-ray. Your doctor’s surgery may be asked to help with exciting medical research; but don’t worry, we will always ask you, or your parents or adults with parental responsibility, if it’s okay to share your information.
How do we keep your information private?
Well, your doctor’s surgery knows that it is very important to protect the information we have about you. We make sure we follow the rules that are written in the GDPR and other important rule books.
What if I’ve got a long-term medical problem?
If you have a long-term medical problem then we know it is important to make sure your information is shared with other healthcare workers to help them help you, making sure you get the care you need when you need it!
Don’t want to share?
All of our patients, no matter what their age, can say that they don’t want to share their information. If you’re under 16 this is something which your parents or adults with parental responsibility will have to decide. They can get more information from a member of staff at the surgery, who can also explain what this means to you.
How do I access my records?
Remember we told you about the GDPR? Well, if you want to see what is written about you, you have a right to access the information we hold about you, but you will need to complete a Subject Access Request (SAR). Your parents or adults with parental responsibility will do this on your behalf if you’re under 16. But if you are over 12, you may be classed as being competent and you may be able to do this yourself.
What do I do if I have a question?
If you have any questions, ask a member of the surgery team or your parents or adults with parental responsibility. You can:
- Contact the practice’s data controller via email using our secure online form. GP practices are data controllers for the data they hold about their patients. Click here to find out more information
- Write to the data controller at St Clements Surgery, 39 Temple Street, Oxford, OX4 1JS
- Ask to speak to the practice manager Weiwei Mao
What to do if you’re not happy about how we manage your information
We really want to make sure you’re happy, but we understand that sometimes things can go wrong. If you or your parents or adults with parental responsibility are unhappy with any part of our data processing methods, you can complain. For more information, visit ico.org.uk and select ‘Raising a concern’. We always make sure the information we give you is up to date. Any updates will be published on our website, in our newsletter and leaflets, and on our posters.
Privacy Notice
1. Introduction
1.1 Policy Statement
NHS Digital collects information with the purpose of improving health and care for everyone. The information collected is used to:
- Run the health service
- Manage epidemics
- Plan for the future
- Research health conditions, diseases and treatments
1.2 Principles
NHS Digital is a data controller and has a legal duty, in line with the General Data Protection Regulation (GDPR), to explain why it is using patient data and what data is being used. Similarly, St Clements Surgery has a duty to advise patients of the purpose of personal data and the methods by which patient personal data will be processed.
1.3 Status
The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment.
This document and any procedures contained within it are contractual and therefore form part of your contract of employment. Employees will be consulted on any modifications or change to the document’s status.
1.4 Training and support
The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
2. Scope
2.1 Who it applies to
This document applies to all employees, partners and directors of the practice. Other individuals performing functions in relation to the practice, such as agency workers, locums and contractors, are encouraged to use it.
2.2 Why and how it applies to them
Everyone should be aware of the practice privacy notice and be able to advise patients, their relatives and carers what information is collected, how that information may be used and with whom the practice will share that information.
The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the General Data Protection Regulation.
3. Definitions of Terms
3.1 Privacy notice
A statement that discloses some or all of the ways in which the practice gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.
3.2 Data Protection Act 2018 (DPA18)
The Data Protection Act (DPA18) will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.
3.3 Information Commissioner’s Office (ICO)
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
3.4 General Data Protection Regulation (GDPR)
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The GDPR comes into effect on 25 May 2018.
3.5 Data controller
The entity that determines the purposes, conditions and means of the processing of personal data.
3.6 Data subject
A natural person whose personal data is processed by a controller or processor.
4. Compliance with Regulations
4.1 GDPR
In accordance with the GDPR, this practice will ensure that information provided to subjects about how their data is processed will be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge
4.2 Article 5 compliance
In accordance with Article 5 of the GDPR, this practice will ensure that any personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4.3 Communicating privacy information
At St Clements Surgery, the practice privacy notice is displayed on our website, through signage in the waiting room, and in writing during patient registration. We will:
- Inform patients how their data will be used and for what purpose
- Allow patients to opt out of sharing their data, should they so wish
4.4 What data will be collected?
At St Clements Surgery, the following data will be collected:
- Patient details (name, date of birth, NHS number)
- Address and NOK information
- Medical notes (paper and electronic)
- Details of treatment and care, including medications
- Results of tests (pathology, X-ray, etc.)
- Any other pertinent information
4.5 National data opt-out programme
The national data opt-out programme will give patients the opportunity to make an informed choice about whether or not they wish for their confidential patient information to be used just for their individual care and treatment or if they wish for it to also be used for research and planning purposes. This programme has been live with effect since 25th May 2018.
Patients who wish to opt out of data collection will be able to set their national data opt out choice online. An alternative provision will be made for those patients who are unable to do so or who do not want to use the online system.
Individuals who have opted out using the existing type 2 opt out will be automatically transferred to the new national data opt out system and will be notified on an individual basis of the change.
The following resources are available for staff at St Clements Surgery:
- Pack A – The NDG Review and Government Response
- Pack B – Taking the National Data Opt-out Forward
- Pack C – National Data Opt-out Approach
- Pack D – National Data Opt-out Operational Policy
- Pack E – Preparing for Implementation
- Pack F – Not published yet
- Pack G – Fit with Data Protection Bill (GDPR)
Should any queries arise regarding the national data opt out programme, our staff will email the query to the national data opt out enquiries email: newoptoutenquiries@nhs.net
To ensure that St Clements Surgery is ready for the introduction of the national data opt out programme, they will use the readiness checklist.
4.6 Privacy notice checklists
The ICO has provided a privacy notice checklist which can be used to support the writing of the practice privacy notice. The checklist can be found by following this link.
4.7 Privacy notice template
A privacy notice template can be found at Annex A.
4.8 Summary
It is the responsibility of all staff at St Clements Surgery to ensure that patients understand what information is held about them and how this information may be used. Furthermore, the practice must adhere to the DPA18 and the GDPR, to ensure compliance with extant legal rules and legislative acts.
4.9 Annex A – Practice privacy notice
St Clements Surgery has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
How we will use your information
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
Maintaining confidentiality and accessing your records
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
Risk stratification
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including St Clements Surgery; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Invoice validation
Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
Opt-outs
You have a right to object to your information being shared. Should you wish to opt out of data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of your information; this is done by registering to opt out online (national data opt-out programme) or if you are unable to do so or do not wish to do so online, by speaking to a member of staff.
Retention periods
In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.
What to do if you have any questions
Should you have any questions about our privacy policy or the information we hold about you, you can:
- Contact the practice’s data controller via email. GP practices are data controllers for the data they hold about their patients.
- Write to the data controller at St Clements Surgery, 39 Temple Street, Oxford, OX4 1JS.
- Ask to speak to the practice manager.
Complaints
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’.
Changes to our privacy policy
We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes.
Statement Of Intent
IT/Electronic Patient Records – Statement of intent for St Clements Surgery
New contractual requirements came into force in April 2015, requiring that GP practices should make available a statement of intent in relation to the following IT developments:
- Referral Management
- Electronic Appointment Booking
- Online booking of repeat prescriptions
- Summary Care Record
- GP2GP transfers
- Patient access to records
Please find below details of the practice stance with regards to these developments:
1. Referral management
All practices must include the NHS number as the primary identifier in all NHS clinical correspondence issued by the practice.
St Clements Surgery include the NHS Number on all correspondence.
2. Electronic appointment booking
Practices are required to promote and offer the facility for all patients, who wish to, book/view/amend/cancel/print appointments online.
St Clements Surgery currently offer the facility for booking and cancelling appointments online.
3. Online booking of repeat prescriptions
Practices are required to promote and offer the facility for all patients, who wish to, order online, view and print a list of their repeat prescriptions for necessary drugs, medicines or appliances.
St Clements Surgery currently offer the facility for ordering repeat prescriptions online.
4. Summary Care Record
Practices are required to enable successful automated upload of any changes to a patient’s summary information, at least on a daily basis to the Summary Care Record. Having your Summary Care Record available will help anyone treating you without your full medical record. They will have access to information about any medication you may be taking and any drugs.
St Clements Surgery is already actively using Summary Care Record. However, if you do not want your medical records to be available in this way, then please let a member of staff know so that your record can be updated. You can complete the ‘opt out form’ either at the surgery or download it here
5. GP2GP record transfers
There is a contractual requirement to utilise the GP2GP facility for the transfer of patient records between practices, when a patient registers or de-registers. It is important that you are registered with a doctor at all times. If you leave your GP and register with a new GP, your medical records will be removed from your previous doctor and be forwarded onto your new GP via NHS England. It can take several weeks for your paper records to reach your new surgery. With GP2GP record transfers, your electronic record is transferred to your new practice much quicker.
St Clements Surgery confirms that GP2GP record transfers are already active and we send and receive patient records using this system.
6. Patient access to their GP record
Practices are required to promote and offer the facility for patients to view online, export or print the detailed information in their medical record. For example, information held in coded form.
St Clements Surgery confirms that since January 2016, this facility has been available to patients.
Suggestions and Complaints
Information about the general practitioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.
We make every effort to give the best service possible to everyone who attends our practice. However, we are aware that things can go wrong, resulting in a patient feeling that they have a genuine cause for complaint. If this is the case, we would like the matter to be settled as quickly and amicably as possible. To pursue a complaint please contact the practice manager who will deal with your concern appropriately.
Who can make a complaint?
In line with the Regulations, a complaint may be made by “a person who receives or has received services” or “a person who is affected, or likely to be affected, by the action, omission or decision…..which is the subject of the complaint”.
A complaint may be made by a representative acting on behalf of a person mentioned above who:
A- Has died
The complainant would usually be the personal representative of the deceased. In order to respond to the personal representative, St Clements may request some formal documentation from this person such as copy of a will (to demonstrate their role as executor) or a lasting power of attorney relating to health care.
B- Is a child
NHS England must be satisfied that there are reasonable grounds for the complaint to be made by a representative of the child (rather than by the child themselves), and that the representative is making the complaint in the best interest of the child (a child is considered anyone up to the age of 18).
C- Has physical or mental incapacity
In the case of a person who is unable to make the complaint themselves because of either physical incapacity or who lacks capacity within the meaning of the Mental Capacity Act 2005, St Clements needs to be satisfied that the complaint is being made in the best interest of that person. In relation to points a, b and c above, where St Clements is satisfied that the representative is not conducting the complaint in the best interests of the person on whose behalf the complaint is made, the complaint will not be considered under this policy. St Clements must notify the representative in writing of this decision and state the reason for that decision.
D- Has given consent to a third party acting on their behalf
In this case St Clements will require the following information:
- Name and address of the person making the complaint
- Name and either date of birth or address of the person who is the subject of the complaint
- A consent form signed by the person who is the subject of the complaint
This information is recorded as part of the complaint file.
E- Has delegated authority to act on their behalf
For example, in the form of a registered Power of Attorney which must cover health affairs.
F- Is an MP acting on behalf of and by instruction from a constituent
Where the constituent is not the patient or the person who is the subject of the complaint, we will pursue consent in the usual way.
Time limit for making a complaint
A complaint must be made not later than 12 months after the date on which the matter which is the subject of the complaint occurred or, if later, the date on which the matter which is the subject of the complaint came to the notice of the complainant. The time limit shall not apply if St Clements is satisfied that the complainant had good reasons for not making the complaint within that time limit and, notwithstanding the delay, it is still possible to investigate the complaint effectively and fairly. If we do not see a good reason for the delay or we think it is not possible to properly consider the complaint (or any part of it) we will write to the person making the complaint to explain this.
Acknowledgement
Where a complainant has specified the way in which they wish to be addressed all communication from the acknowledgement stage onwards will follow that request, including the use of pronouns. An acknowledgement to a complaint:
- Must be within 3 working days;
- Will be in writing unless in exceptional circumstances where it may be verbal (if made verbally it must be followed up in writing as soon as is possible);
- Must include an offer to discuss the handling of the complaint;
- Must include an offer to discuss the timeframe for responding to the complaint;
- Should include a summary of what the complaint is about and, where unclear, offer to discuss the desired outcome;
- When the complaint has been made verbally, it must include the written statement which has been recorded as the formal complaint;
- Will address any issues of consent; and
- Must include the name and title of the complaints handler who will be the point of contact for the complainant throughout the complaints process.
Summary Care Records (SCR)
Your Summary Care Record is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.
This will enable health and care professionals to have better medical information about you when they are treating you at the point of care. This change will apply for the duration of the coronavirus pandemic only. Unless alternative arrangements have been put in place before the end of the emergency period, this change will be reversed.
All patients registered with a GP have a Summary Care Record, unless they have chosen not to have one. The information held in your Summary Care Record gives health and care professionals, away from your usual GP practice, access to information to provide you with safer care, reduce the risk of prescribing errors and improve your patient experience.
Your Summary Care Record contains basic information about allergies and medications and any reactions that you have had to medication in the past.
Some patients, including many with long term health conditions, have previously agreed to have additional information shared as part of their Summary Care Record. This additional information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.
During the coronavirus pandemic period, your Summary Care Record will automatically have additional information included from your GP record unless you have previously told the NHS that you did not want this information to be shared.
There will also be a temporary change to include COVID-19 specific codes in relation to suspected, confirmed, Shielded Patient List and other COVID-19 related information within the additional information.
By including this additional information in your SCR, health and care staff can give you better care if you need health care away from your usual GP practice:
- in an emergency
- when you’re on holiday
- when your surgery is closed
- at out-patient clinics
- when you visit a pharmacy
Additional information is included on your SCR
In response to the coronavirus (COVID-19) pandemic we are temporarily removing the requirement to have explicit consent to share the SCR additional information. This change of requirement will be reviewed when the pandemic is over.
You can be reassured that if you have previously opted-out of having a Summary Care Record or have expressly declined to share the additional information in your Summary Care Record, your preference will continue to be respected and applied.
Additional information will include extra information from your GP record, including:
- health problems like dementia or diabetes
- details of your carer
- your treatment preferences
- communication needs, for example if you have hearing difficulties or need an interpreter
This will help medical staff care for you properly, and respect your choices, when you need care away from your GP practice. This is because having more information on your SCR means they will have a better understanding of your needs and preferences.
When you are treated away from your usual doctor’s surgery, the health care staff there can’t see your GP medical records. Looking at your SCR can speed up your care and make sure you are given the right medicines and treatment.
The only people who might see your Summary Care Record are registered and regulated healthcare professionals, for example doctors, nurses, paramedics, pharmacists and staff working under their direct supervision. Your Summary Care record will only be accessed so a healthcare professional can give you individual care. Staff working for organisations that do not provide direct care are not able to view your Summary Care Record.
Before accessing a Summary Care Record healthcare staff will always ask your permission to view it, unless it is a medical emergency and you are unable to give permission.
Protecting your SCR information
Staff will ask your permission to view your SCR (except in an emergency where you are unconscious, for example) and only staff with the right levels of security clearance can access the system, so your information is secure. You can ask an organisation to show you a record of who has looked at your SCR – this is called a Subject Access Request.
Find out how to make a subject access request.
Opting out
The purpose of SCR is to improve the care that you receive; however, if you don’t want to have an SCR you have the option to opt out. If this is your preference please inform your GP or fill in an SCR opt-out form and return it to your GP practice.
Regardless of your past decisions about your Summary Care Record consent preferences, you can change your mind at any time. You can choose any of the following options:
- To have a Summary Care Record with additional information shared. This means that any authorised, registered and regulated health and care professionals will be able to see an enriched Summary Care Record if they need to provide you with direct care.
- To have a Summary Care Record with core information only. This means that any authorised, registered and regulated health and care professionals will be able to see information about allergies and medications only in your Summary Care Record if they need to provide you with direct care.
- To opt-out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care, including in an emergency.
To make these changes, you should inform your GP practice or complete the SCR patient consent preferences form and return it to your GP practice.
More information on your health records
Training Practice
St Clements Surgery is a training practice that provides teaching and mentoring, which are an integral part of our culture and identity.
All the GPs at St Clements Surgery enjoy training and our trainees benefit from the wealth of experience and diverse interests of our team. All of our GPs and our practice nurse are involved with mentoring medical students.
We are located in the East of Central Oxford in a vibrant multicultural community. We are unique among Oxfordshire training practices in terms of the social, cultural and ethnic diversity of our patients.
Our working environment is pleasant and highly rated by both our patients and staff. Our trainees have their own main consulting room. The practice also has additional clinics running from the premises for CAB benefits advice, counselling, social prescribing, antenatal midwife care and MIND. We offer a full range of services, have monthly primary health care team meetings and regular lunchtime educational meetings, and place a lot of emphasis on effective team working. The clinical systems we use are EMIS Web, Docman, computerised dictation, electronic prescribing, ICE and GPTeamNet.
The practice has received excellent feedback from Training practice approval visits and patient survey reports. We have good relationships with our neighbouring practices (who are also training practices) and organise a variety of joint training events.
We are pleased to welcome registrars from a wide variety of clinical backgrounds. Experience and teaching are tailored to fit the needs of the trainee. We are compliant with working time regulations and trainees attend the Oxford VTS education on Tuesdays.
We would be happy to speak with prospective trainees on the phone to provide further information or arrange an informal visit to the practice if wished. Please contact our current trainees for an alternative view.