Privacy Notice

Who we are and what we do

Bridgemary Medical Centre is responsible for providing Primary Care services for the local population of Bridgemary, Gosport, Hampshire.

Using your information

Patients

In order to support your care, health professionals maintain records about you. We take great care to ensure your information is kept securely, that it is up to date and accurate, and that it is used appropriately. All of our practice staff are fully trained to understand their legal and professional obligations to protect your information and will only look at your information if they need to. They will only look at what they need to in order to do things like book you an appointment, give general health advice, provide you with care and if necessary refer you to other services.

Staff

We collect staff personal confidential information for personnel purposes. This may include name, date of birth, address, health-related information, bank details and other correspondence.

What kind of information do we use?

As a General Practice we hold information about our patients and staff including medical records, complaints and concerns, and personnel records. The information they contain includes:

  • Your name, address, your date of birth, your NHS number and contact details
  • Next of kin
  • What treatment you have received and where you received it – consultation information
  • Results of investigations, like laboratory tests, x-rays etc.
  • Referrals, communications regarding your care in other organisations
  • Communications from you including concerns or complaints you have raised about your health care provision
  • Staff records, including personal confidential details, health and disciplinary records

What do we use your Personal Confidential Data for?

The areas where we regularly use your personal confidential information include:

Patients

  • For your direct care needs
  • Responding to your queries, compliments or concerns
  • Where there is a provision permitting the use of confidential personal information under specific conditions, for example to:
    • Understand the local population needs and plan for future requirements, which is known as “Risk Stratification for commissioning”

Staff

  • To maintain staff records

We may share your information with other organisations

We may share pseudonymised, anonymised and aggregated statistical information with other organisations for the purpose of improving local services, research, audit and public health; for example understanding how health conditions spread across our local area compared against other areas.

We do not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission
  • We need to act to protect children and vulnerable adults
  • When a formal court order has been served upon us
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime
  • Emergency Planning reasons such as for protecting the health and safety of others
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals
  • To check the quality and efficiency of the health services we provide
  • Prepare performance reports on the services we provide
  • Work out what illnesses people may have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future

The law provides some NHS bodies, particularly NHS Digital (formerly the Health and Social Care Information Centre), with ways of collecting and using patient data that cannot identify a person to help Commissioners to design and procure the combination of services that best suit the population they serve.

A full list of details including the legal basis, any Data Processor involvement and the purposes for processing information is available online.

What safeguards are in place to ensure data that identifies you (patients) is secure?

We only use information that may identify you in accordance with the Data Protection Act 1998. The Data Protection Act requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where we provide identifiable information about you, it has been given in confidence, and should be treated as confidential and only shared for the purpose of providing direct healthcare.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external organisations that process data and support us are legally and contractually bound to operate, and that proven security arrangements are in place, where data that could or does identify a person is processed.

The practice has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. Our Caldicott Guardian is Dr Martin Asbridge, Senior Partner.

How long do we hold information for?

All records held by the practice will be kept for the duration specified by national guidance from Information Governance Alliance: www.systems.digital.nhs.uk.

You have a right to opt out of data sharing and processing

The NHS Constitution states ‘You have a right to request that your personal confidential information is not used beyond your own care and treatment and to have your objections considered’.  For further information please visit: www.gov.uk/government/publications/the-nhs-constitution-for-england

Type 1 opt-out

If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. Patients are only able to register the opt-out at their GP practice and your records will be identified using a particular code that will stop your records from being shared outside of your GP Practice.

Type 2 opt-out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. To support NHS constitutional rights, patients within England are able to opt out of their personal confidential information being shared by NHS Digital for purposes other than their own direct care. If you do not want your personal confidential information to be shared outside of NHS Digital you can register a ‘Type 2 opt-out’ with your GP practice.

More information is available on the NHS Digital ‘Your personal information choices’ page.

Your GP surgery and NHS Digital take the responsibility for looking after care information very seriously. Please follow the NHS Digital links on how we look after information for more detailed documentation.

NHS England recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Follow the links on the How we use your information page for more details.

Gaining access to the data we hold about you

If you wish to have sight of, or obtain copies of your own personal health care records you will need to apply to the Practice Manager, the hospital or any other NHS organisation which has provided your health care.

  • View this or request copies of the records by making a subject access request
  • Request that information is corrected
  • Have the information updated where it is no longer accurate
  • Ask us to stop processing information about you where we are not required to do so by law

Everyone has the right to see, or have a copy of information that is held about them. If you want to access your data you must make the request in writing to the Practice Manager. Under special circumstances, some information may be withheld. If you wish to have a copy of the information we hold about you, please note that there may be a charge for this (of up to £50).

You can do this by writing to us at:

Bridgemary Medical Centre
2 Gregson Avenue
Gosport
Hampshire
PO13 0HR

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any information that the practice holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act under FOIA. However, you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’.

Your request must be in writing to:

Bridgemary Medical Centre
2 Gregson Avenue
Gosport
Hampshire
PO13 0HR

Information Commissioner’s Office

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745

Email: casework@ico.org.uk or visit the ICO website

Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.  The practice complaints contact details are found below:

Bridgemary Medical Centre
2 Gregson Avenue
Gosport
Hampshire
PO13 0HR

01329 232446

Links to other websites

This privacy notice does not cover the links within this site linking to other websites.  We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review.  This Fair Processing notice was last updated in September 2017.

Definitions of information/data:

  • Data Processor – An organisation or body that processes, reviews, updates or amends, or stores information about individuals.
  • Personal Confidential Information – this term describes personal information or data about identified or identifiable individuals, which should be kept private or secret. For the purposes of this notice ‘personal’ includes the Data Protection Act definition of personal data, but it is adapted to include deceased as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.
  • Pseudonymised – this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
  • Anonymised – this is data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified.
  • Aggregated – anonymised information that is grouped together so that it doesn’t identify individuals.