The General Data Protection Regulation (GDPR) is a European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how The Practice Group handles personal data.
The GDPR applies to ‘personal data’ which means any information which relates to an identified or identifiable living person, an identifiable natural person is one who can be identified from a name or other information about them which we have or which is reasonably available to us. It does not include data where the identity has been removed (anonymous data).
Important information and who we are
Purpose of this privacy notice
This privacy notice tells you how we use your personal data, your privacy rights and how the law protects you.
The GDPR says that Hodge Hill Family Practice must process the data it holds fairly, lawfully and transparently. This means we must be open and transparent about how personal data is used, we must handle personal data in line with how we say we are going to handle data and we must only use or process personal data in accordance with the law. To fulfill these requirements we set out in this privacy notice how Hodge Hill Family Practice collects, uses, retains and discloses personal information.
It is important that you read this privacy notice so that you understand how and why we are collecting or processing personal data about you and what we are using your data for.
Controller
The practice is the trading name of Hodge Hill Family Practice at Hodge Hill Primary Care Centre, 1st Floor, Roughlea Avenue, Birmingham B36 8GH
Hodge Hill Family Practice has appointed a data protection officer (DPO) for the practice who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, any requests to exercise your legal rights, or any complaints about the way we handle your personal data please contact our DPO.
Contact details
DPO: Paul Couldrey
Email address: couldrey@mac.com
Telephone number: 07525 623939
How we collect data
We collect data from:
- Information you give us when you register with us, allowing us access to your healthcare records or when you talk to our staff, correspond with us by phone, writing or e-mail. We may also receive personal information about you as a result of any services you use or book with us (including appointments, tests and prescriptions).
- Information we collect about you during each of your appointments. Our clinicians make a note of what you say to them which is recorded in the consultation records.
- Information about your visit if you provide feedback to us via the Friends and Family test, our patient feedback surveys and our compliments and complaints procedures.
- Information we receive from other sources if you are under the care of other clinicians they may inform us of their consultation records and any observations and/or recommendations they may have for a patient’s continued care.
The type of data we collect
The personal information we may collect, use, store and transfer may include your name, address, NHS number, e-mail address and phone number, personal description and image.
We also process the following special categories of sensitive personal data:
- Your health conditions
- Genetic and biometric data
- Race or ethnicity
- Religious or philosophical beliefs
- Political opinions
- Sex life
- Sexual orientation
- Medical records
- Physical and mental performance
- Any ailments
- Diseases or disabilities
- Gender
- Age
These special categories of sensitive personal data require a higher level of protection.
How we use your data
The GDPR says there are certain reasons we can process your data (these are referred to as the legal basis for processing):
Consent: You give your consent to the processing of your personal data for one or more specific purposes
Contract: Processing of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps to enter into a contract
Legal Obligations: Processing is necessary for compliance with our legal obligations
Vital Interests: Processing is necessary in order to protect your vital interests or those of another person
Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested us
Legitimate Interest: Processing is necessary for our legitimate interests or those of a third party, and your interests and fundamental rights do not outweigh those interests.
We will normally only process your data in order to comply with our legal obligations and the performance of a task carried out in the public interest or in the exercise of official authority. Sometimes, we may process your data to protect your vital interests or because we have a legitimate interest to do so.
We only process special categories of data, such as your Health Records to provide you with medical care, for example booking your care, assessments, diagnosis, provision of care of the management of our care or the systems of our care to you.
The above can be summarised as follows:
- Type of data we collect: Identity and contact details.
- What we use it for: To register you as a patient.
- Why we need to collect it: Compliance with our legal obligations.
- Type of data we collect: Identity, contact details and health records.
- What we use it for: Provide healthcare and related services. Refer you on for further treatment. To identify local healthcare needs and trends. Inviting you to attend immunisations programmes and clinics relating to certain conditions. Patient engagement and communications.
- Why we need to collect it: Compliance with our legal obligations. For the performance of a task carried out in the public interest e.g. keeping our records up to date and to study how patients use our services so that we can help those who commission healthcare services to understand local healthcare needs.
- Type of data we collect: Identity, contact details, health records.
- What we use it for: To pass it on to third parties whom you authorise to receive your information e.g. your life assurance provider.
- Why we need to collect it: You have instructed (and therefore will have consented) us to do this.
- Type of data we collect: Identity and contact details.
- What we use it for: To manage our relationship with you. Asking you to leave a review or take a survey. To enable you to partake in a competition.
- Why we need to collect it: Performance of our legal obligations in relation to a contract we have been commissioned to provide and improvement of the services we are delivering.
- Type of data we collect: Identity and contact details.
- What we use it for: To capture online patient feedback and undertake on line patient surveys via Hodge Hill Family Practice website.
- Why we need to collect it: Performance of our legal obligations in relation to a contract we have been commissioned to provide and improvement of the services we are delivering.
- Type of data we collect: Identity, contact details and health records.
- What we use it for: Manage payments, fees and charges for example if you have holiday vaccinations or request insurance reports.
- Why we need to collect it: You will have asked us (and therefore consented) to do this.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, or those who commission us to provide care and you fail to provide that data when requested, we may not be able to care for you. In this case, we may have to discharge you from our care but we will notify you if this is the case at the time.
Do I have to consent to the processing of my data?
Normally the law says that you must obtain a person’s consent before you can process their health or other sensitive data. Under the GDPR The Practice Group does not have to obtain our NHS patients’ consent because processing health data has a lawful basis. This is not new. There has been an exemption from obtaining consent for processing health data since the Data Protection Act 1998 came into force.
Health data is data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person’s health status.
Opting out
There is a national data opt-out programme that gives patients more control over how their identifiable health and care information is used. Patients who do not want their personally identifiable data to be used for planning and research purposes will be able to set their national data opt-out choice online or via a non-digital alternative for patients who do not want to use an online system.
Please contact the DPO for further details.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and the change meets the requirements of the GDPR.
If we need to use your personal data for an unrelated purpose, we will update this privacy notice and we will explain the legal basis which allows us to do so.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact the DPO.
Disclosure of personal data
There are a number of reasons why we share information. This can be due to:
- Our obligations to comply with current legislation.
- Our duty to comply with a court order.
- You have consented to disclosure.
- For the purposes set out in the table above.
There are a number of parties with whom we may share information. For example:
- External third parties (i.e. service providers based in the UK who provide NHS related IT and systems administration services, lawyers, insurance providers, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances).
- Specific third parties (i.e. commissioners of healthcare services that we provide to you, the Care Quality Commission who is the independent regulator of all health and social care services, the General Medical Council and Nursing and Midwifery Council who are the regulators of healthcare professionals, the clinicians who work for us either in a self-employed manner or via an agency.
We require third parties we share data with to respect the security of your data, to process your personal data only in accordance with our instructions and to treat it in accordance with the law.
Retaining information
We will only retain information for as long as necessary. Records are maintained in line with the NHS retention schedule which determines the length of time records should be kept. Details of retention periods for different aspects of your personal data are available in our retention policy which you can request by contacting the DPO.
Data security
Hodge Hill Family Practice takes its duty to protect our patients’ personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Everyone who works for Hodge Hill Family Practice is required to undertake annual information governance training and is provided with an information governance user handbook that they are required to read, understand and agree to adhere to.
Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.
Additionally everyone working for Hodge Hill Family Practice is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required by the law.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Your legal rights
- Request access to your personal data. The GDPR gives you the right to see the information that Hodge Hill Family Practice holds about you and why.
- Request correction of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. However, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data. Where there is information about you that you would not want to share with a third party in certain circumstances you can ask us not to share it.
- Request restriction of processing your personal data. You can ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy
- Where our use of the data is unlawful but you do not want us to erase it
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request transfer of your personal data. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contractual obligation.
- Right to withdraw consent. Where we are relying on consent to process your personal data you can withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact the DPO at:
Email: couldrey@mac.com
You will need to provide:
- Adequate information e.g. your full name, address, date of birth, NHS number, etc. so that your identity can be verified and your information located.
- An indication of what information you are requesting to enable us to locate this in an efficient manner.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Questions
If you have any questions about our privacy notice, information we hold about you or complaints about how we process your personal information please contact the DPO:
Email: couldrey@mac.com
Complaints can also be made to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.