How We Use Your Health Record
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data.
The regulation applies from 25th May 2018, and will apply even after the UK leaves the EU.
What GDPR will mean for patients
The GDPR sets out the key principles about processing personal data, for patients AND staff:
- Data must be processed lawfully, fairly and transparently
- It must be collected for specific, explicit and legitimate purposes
- It must be limited to what is necessary for the purposes for which it is processed
- Information must be accurate and kept up to date
- Data must be held securely
- It can only be retained for as long as is necessary for the reasons it was collected
There are also stronger rights for patients regarding the information that practices hold about them. These include:
- Being informed about how their data is used
- Having access to their own data
- Asking to have incorrect information changed
- Restricting how their data is used
- Moving their patient data from one health organisation to another
- Objecting to their patient information being processed (in certain circumstances)
What is GDPR?
GDPR stands for General Data Protection Regulation and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must comply with subject access requests
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for patient data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Higher fines for data breaches – up to 20 million euros
What is ‘patient data’?
Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc.
What is consent?
Consent is permission from a patient – an individual’s consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records. Individuals also have the right to withdraw their consent at any time.
For more information, view our leaflet or contact us on 01202 679234 or firstname.lastname@example.org
Miss Nell Montague-Rendall—Service Delivery Manager
- We ask you for information so that you can receive proper care and treatment.
- We keep this information, together with details of your care, because it may be needed if we see you again.
- We may use some of this information for other reasons: for example, to help us protect the health of the public generally and to help the NHS improve its efficiency, plan for the future, train its staff, pay its bills and account for its actions.
- Information may also be needed to help educate tomorrow's clinical staff and to carry out medical and other health research for the benefit of everyone.
- Sometimes the law requires us to pass on information: for example, to notify a birth. The NHS Central Register for England & Wales contains basic personal details of all patients registered with a general practitioner. The Register does not contain clinical information.
- You have a right of access to your health records
EVERYONE WORKING FOR THE NHS HAS A LEGAL DUTY TO KEEP INFORMATION ABOUT YOU CONFIDENTIAL.
You may be receiving care from other people as well as the NHS. So that we can all work together for your benefit, we may need to share some information about you.
We only ever use or pass on information about you if people have a genuine need for it in your and everyone's interests. Whenever we can, we shall remove details which identify you. The law strictly controls the sharing of some types of very sensitive personal information.
Anyone who receives information from us is also under a legal duty to keep it confidential.
The main reasons for which your information may be needed are:
- giving you health care and treatment
- looking after the health of the general public
- managing and planning the NHS. For example:
  - making sure that our services can meet patient needs in the future
  - paying your doctor, nurse, dentist or other staff, and the hospital which treats you for the care they provide
  - auditing accounts
  - preparing statistics on NHS performance and activity (where steps will be taken to ensure you cannot be identified)
  - investigating complaints or legal claims
- helping staff to review the care they provide to make sure it is of the highest standard
- training and educating staff (but you can choose whether or not to be involved personally)
- research approved by the Local Research Ethics Committee. (If anything to do with the research would involve you personally, you will be contacted to see if you are willing)
If at any time you would like to know more about how we use your information, you can speak to the person in charge of your care, or to the practice's Service Delivery Manager, Miss Nell Montague-Rendall.
Your Summary Care Record (SCR)
Your Summary Care Record (SCR) is a copy of key information held in your GP record. It provides authorised healthcare staff with faster, secure access to essential information about you. Staff who access your SCR will be directly involved in your care and will ask for your permission to view it.
If they cannot ask you (for example if you are unconscious or otherwise unable to communicate), they may look at your record without asking you, because they consider that this is in your best interest. If they have to do this, it will be recorded and checked to ensure that the access was appropriate.
Summary Care Record: the Patient’s Perspective
Additional information: Patient information leaflet
View the Information Governance Alliance paper on the duty to share information
If you wish to add additional information to your summary care record, please email the practice at email@example.com
Voicemails & SMS messages
In accordance with the General Data Protection Regulation (GDPR), the Practice needs your consent to leave voicemails, send text messages or email information regarding your medical treatment. By providing the practice with your contact information, you are consenting to be contacted about your medical needs by the practice. However, it is our Practice Policy that, if we are unable to reach you by telephone, the practice will only leave a voicemail or send a text message asking you to contact the surgery. We will never leave confidential information regarding the reason for our call.
If you DO NOT want us to leave you voicemails or send text messages, please let a member of staff know, and we shall amend your records.
National Data Opt-out
The NHS wants to make sure you and your family have the best care now and in the future. Your health and adult social care information supports your individual care. It also helps us to research, plan and improve health and care services in England.
There are very strict rules on how this data can and cannot be used, and you have clear data rights. We are committed to keeping patient information safe and will always be clear on how it is used.
You can choose whether or not your confidential patient information is used for research and planning. For more information please visit https://www.nhs.uk/your-nhs-data-matters/