Practice Privacy Notice (GDPR Policies)
We have revised our patient privacy information to include compliance with GDPR (General Data Protection Regulations 2018).
How We Use Your Information
This document explains why we collect information about you and how that information may be used.
The healthcare professionals who provide your care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
Records may be held in electronic or manual (written down) format, and may include the following information:
- Details about you, such as address and next of kin
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care, including prescriptions
- Results of investigations, such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you and know you well
Your medical record is retained until death unless you move to another GP surgery, in which case it is transferred to your new surgery.
Your record-sharing consents and dissents and specific communication preferences are contained in your electronic medical record. You can let us know at any time if you want to change them.
To ensure you receive the best possible care, your records are used to facilitate the services you receive. Information held about you may also be used by the NHS for statistical purposes in connection with helping to protect the health of the public and to help to manage the NHS.
Information may be used for clinical audit to monitor the quality of the service provided. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the surgery will always endeavour to gain your consent before releasing the information.
Should you have any concerns about how your information is managed at the surgery, please contact the Practice Manager to discuss how the disclosure of your personal information can be limited.
How do we maintain the confidentiality of your records?
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts
- Specialist Trusts
- Independent contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Other ‘data processors’
Access to your Information
Under the General Data Protection Regulations 2018, you have a right to:
- Confirmation that your data is being processed
- Access/view what information we hold about you and have it amended or removed should it be inaccurate
The practice must provide a copy of this information, known as a “subject access request”, free of charge. However, a “reasonable fee” can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.
A “reasonable fee” based on the administrative cost of providing the information can also be charged to comply with requests for further copies of the same information. Information must be provided without delay and within one month of receipt of the request.
Where the requests are complex or numerous, the surgery will be able to extend the period of compliance by a further two months. If this is the case, the surgery must inform the individual within one month of receipt of the request and explain why the time extension is necessary.
Where requests are manifestly unfounded, excessive or repetitive, the surgery can charge a reasonable fee taking into account the administrative costs of providing the information or refuse to respond.
When there is a refusal to respond, the surgery must explain the reason to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
The surgery must verify the identity of the person making the request, using “reasonable means.” If the request is made electronically, it should provide the information in a commonly used electronic format.
Where the surgery processes a large quantity of information about an individual, the GDPR permits the practice to ask the individual to specify the information to which the request relates. The GDPR does not include an exemption for requests relating to large amounts of data but the practice can take into consideration whether the request is manifestly unfounded or excessive.
Requesting Further Information
If you would like to make a ‘subject access request’ or would like further information about how we use your personal data, please contact the Practice Manager.
The Data Protection Officer for Royal Crescent Surgery is:
Caroline Dominey-Strange – GP Data Protection Officer (DPO) in Gloucestershire
You also have the right to raise issues with the Information Commissioner’s Office:
Information Commissioner’s Office,
Joining Up Your Information – JUYI
For the patients who have consented to sharing their information under the JUYI scheme, the patient privacy notice for JUYI can be read in full here.