Privacy Notice

1. Introduction

1.1. Policy statement

NHS England collects information with the purpose of improving health and care for everyone. The information collected is used to:

Run the health service
Manage epidemics
Plan for the future
Research health conditions, diseases and treatments

NHS England is a data controller and has a legal duty, in line with the UK General Data Protection Regulation (UK GDPR), to explain why it is using patient data and what data is being used. Similarly, Staverton Surgery has a duty to advise patients of the purpose of personal data and the methods by which patient personal data will be processed.

All staff should be aware of the practice privacy notice and be able to advise patients, their relatives and carers what information is collected, how that information may be used and with whom the organisation will share that information.

The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the UK GDPR.

Find further information on how ee look after your health and care

1.2. Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies.

This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the practice such as agency workers, locums and contractors.

2. Compliance with regulations

2.1. UK GDPR

The background to the UK GDPR was that in May 2018, GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy.

Post-Brexit, in January 2021, the GDPR became formally known as UK GDPR and was incorporated within the Data Protection Act 2018 (DPA18) at Chapter 2.

In accordance with the UK GDPR, this organisation will ensure that information provided to subjects about how their data is processed will be:

Concise, transparent, intelligible and easily accessible
Written in clear and plain language, particularly if addressed to a child
Free of charge

DPA18 will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.

2.2. Article 5 compliance

For clarity, a data controller is an entity that determines the purposes, conditions and means of the processing of personal data, whereas a data subject is a natural person whose personal data is processed by a controller or processor.

In accordance with Article 5 of the UK GDPR, this organisation will ensure that any personal data is:

Processed lawfully, fairly and in a transparent manner in relation to the data subject
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures

Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above.

2.3. Communicating privacy information

A privacy notice is to provide a statement that discloses some or all the ways in which the organisation gathers, uses, discloses and manages a patient’s data, its purpose it to fulfil a legal requirement to protect a patient’s privacy.

At this organisation, this privacy notice is displayed on our website, through signage in the waiting room and in writing during patient registration. We will:

Inform patients how their data will be used and for what purpose
Allow patients to opt-out of sharing their data, should they so wish

2.4. What data will be collected?

The following data will be collected:

Patient details (name, date of birth, NHS number)
Address and NOK information
Medical notes (paper and electronic)
Details of treatment and care, including medications
Results of tests (pathology, X-ray, etc.)
Any other pertinent information

2.5. National data opt-out programme

The national data opt-out programme affords patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used solely for their individual care and treatment or also used for research and planning purposes.

NHSE have provided a document titled Understanding the national data opt-out.

Patients who wish to opt-out of data collection can register a national data opt-out. Further reading can be found at this NHSE webpage titled Setting or changing a national data opt-out choice. This includes information regarding children and their privacy.

This organisation has proved compliance by publishing the organisational privacy notice and submitting the Data Security and Protection Toolkit assessment.

Further information about opting out can be found in the NHS England webpage titled Make a choice about sharing data from your health records.

2.6. Patients in secure settings

There are special arrangements for patients in prison or other similar secure settings known as detained and secure estates. A health and care professional can help register a patient’s opt-out choice.

Further reading can be found at the NHS Digital webpage titled Guidance for detained and secure estates.

3. General practice data for planning and research data collection

3.1. About

This data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this.

The GPDPR is designed to help the NHS to:

Monitor the long-term safety and effectiveness of care
Plan how to deliver better health and care services
Prevent the spread of infectious diseases
Identify new treatments and medicines through health research

3.2. Data sharing

Data may be shared from GP medical records for:

Any living patient registered at a GP practice in England when the collection started. This includes children and adults
Any patient who died after this data sharing started and was previously registered at a GP practice in England when the data collection started

NHS England will not share the patient’s name or demographic details.

Any other data that could directly identify the patient will be replaced with unique codes which are produced by de-identification software before the data is shared with NHSE including:

NHS number
General Practice Local Patient Number
Full postcode
Date of birth

This process is called pseudonymisation and means that no one will be able to directly identify the patient in the data.

It should be noted that NHSE will be able to use the same software to convert the unique codes back to data that could directly identify the patient in certain circumstances, and where there is a valid legal reason.

For further reading, refer to the NHSE webpage titled About the GPDPR programme

3.3. What information can and cannot be shared

NHSE will collect structured and coded data from patient medical records including:

Data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments including information about physical, mental and sexual health
Data on sex, ethnicity and sexual orientation
Data about staff who have treated patients

NHSE will not collect:

Name and address (except for postcode, protected in a unique coded form)
Written notes (free text), such as the details of conversations with doctors and nurses
Images, letters and documents
Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
Coded data that GPs are not permitted to share by law – for example certain codes about gender re-assignment

Further reading can be sought from the NHSE webpage titled Looking after your data

3.4. Opting out

Primary care organisations have been required to honour the National Data Opt-out (NDO-O) since 31 July 2022 and practices should now be complying with the NDO-O unless there is a specific reason not to do so.

This means that patients who do not want their identifiable patient data to be shared for purposes except for their own care can opt-out by registering to Type 1 opt-out on the NHS website, completing our Type 1 opt-out form or, set out their data opt-out choice via the national data opt-out (NDO-O).

Patients can do both.

Further reading can be found in NHS E webpage titled Compliance with the national data opt-out.

3.5. Available resources

The following resources are available for staff at this organisation:

4. Further information

4.1. Privacy notice checklists

The Information Commissioner’s Office has provided a privacy notice checklist that can be used to support.

4.2. Privacy notice

A practice privacy notice can be found at Annex A.

Functional Cookies

3rd Party Cookies