GDPR & Privacy Notice

As of 25th May 2018, new data protection regulations are being introduced. Keeping your data safe and secure is our top priority. The changes won't alter the way we use and protect your personal information, but it will make it easier for you to find out how we use it.

There is no action that you need to take. However, the surgery has produced a 'Privacy Notice' to give you more information on how we use your information. This is linked below.

patient leaflet

Privacy Notice

Children's Privacy Notice

ACR testing - Healthy.io

PRACTICE FAIR PROCESSING

& PRIVACY NOTICE

Your information, your rights

Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).

The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.

This notice reflects how we use information for:

The management of patient records;
Communication concerning your clinical, social and supported care;
Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
Participation in health and social care research; and
The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future.

Data Controller

As your registered GP practice, we are the data controller for any personal data that we hold about you.

What information do we collect and use?

All personal data must be processed fairly and lawfully, whether received directly from you or from a third party in relation to your care.

We will collect the following types of information from you directly, or about you from a third party (provider organisation) engaged in the delivery of your care:

‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to name, date of birth, full postcode, address, next of kin and [NHS number/HCN number/ CHI number];
‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

How the NHS and care services use your information

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g., from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services). These records may be electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

Matching Green Medical Centre is one of many practices working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

improving the quality and standards of care provided
research into the development of new treatments
preventing illness and diseases
monitoring safety
planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

National Data Opt-Out

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

See what is meant by confidential patient information
Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
Find out more about the benefits of sharing data
Understand more about who uses the data
Find out how your data is protected
Be able to access the system to view, set or change your opt-out setting
Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Our organisation is currently compliant with the national data opt-out policy.

Why do we collect this information?

The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:

Protect your vital interests;
Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
Perform tasks in the public’s interest;
Deliver preventative medicine, medical diagnosis, medical research; and
Manage the health and social care system and services.

Who will we share your information with?

In order to deliver and coordinate your health and social care, we may share information with the following organisations:

Local GP Practices, as part of a Primary Care Network (PCN), in order to deliver extended primary care services
NHS Secondary Care, i.e. Hospitals
111 and Out of Hours Service
Local Social Services and Community Care services
Voluntary Support Organisations commissioned to provide services by [Mid & South Integrated Care System]

Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.

Your information will not be transferred outside of the European Union.

Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care.

In addition, we receive data from NHS Digital (as directed by the Department of Health) such as the uptake of flu vaccinations and disease prevalence in order to assist us to improve “out of hospital care”.

My Care Record

Your GP, hospital, community health, mental health and social care teams may all hold records about your care separately. Often, only health and care professionals within the same organisation can see this information. This means it can be difficult for them to work together to deliver the best care.

My Care Record is an approach to improving care by joining up health and care information. Wherever possible, health and care professionals will be able to access your records from other services when it is needed for your care. This will make it easier and faster for them to make the best decisions. For example, a doctor treating you in hospital or a nurse working in the community could view the information they need from your GP record.

Several different secure computer systems are used across the region. These allow health and care professionals to digitally access your records held by other services. In some areas systems are already in place, in other areas more work is underway to invest in the technology needed.

The approach also provides an agreement between all the health and care organisations involved. This means they commit to sharing information in a secure way to help improve your care.

The My Care Record approach is in line with General Data Protection Regulation (GDPR) which provides the legal basis to share information between health and care services when it is needed to deliver care. All your information will be held securely.

You can object to your record being shared between services. To do this, speak to the person delivering care to you at each organisation such as your GP, specialist or social worker.

It is important to understand that not allowing access to your information may affect the quality of the care you receive.

In many situations it is necessary to share information between services to deliver care. However, it may be possible to request that specific or sensitive information is not made available.

There may also be some situations where information still needs to be made available. For example, if there is a serious concern about an individual’s safety. Please see the My Care Record website www.mycarerecord.org.uk for more information.

More information about the areas where your information may be used can be found on the My Care Record website My Care Record: Privacy Notice

Primary Care Networks

Many people are living with long term conditions such as diabetes and heart disease or suffer with mental health issues and may need to access their local health services more often.

To meet these needs, GP practices are working together with community, mental health, social care, pharmacy, hospital, and voluntary services in their local areas in groups of practices known as primary care networks (PCNs).

PCNs build on existing primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care for people close to home. Clinicians describe this as a change from reactively providing appointments to proactively caring for the people and communities they serve.

We are part of the East Basildon PCN (Primary Care Network) which is a network of GPs practices established to provide integrated services to the local population. Members of the network are:

Matching Green Medical Centre
Aryan Medical Centre
Felmores Medical Centre
Sr Sims and Partners

By operating as a network, we as the PCN are responsible for delivering the following services working collaboratively with other providers:

Social Prescribing; Covid Vaccination Programme; First Contact Physiotherapy; First Contact Psychological Wellbeing Practitioner

Where necessary and relevant to support your direct care, we will share your confidential patient information with members of our network and with our collaborative organisations to support safe, efficient and effective care and treatment.

If you are not happy for your health data to be shared with the organisations detailed above if you wish to access PCN services, then you can object to this. To do so you should contact your registered Practice so they can discuss the potential impact this could have on your care and treatment.

Data Processors

Data processors act on behalf of the Practice, as a data controller and under our authority. In doing so, they serve our interests rather than their own. A processor can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual, for example a consultant.

The following is a list of processors that the practice has engaged, and a description of the work they carry out on our behalf:

The Phoenix Partnership (TPP)

SystmOne (GP clinical system) – The practice uses a computer system to record and store patient’s clinical information, this is provided by TPP. All information recorded within the system is held on TPP servers, accessible to the practice over the secure Health and Social Care Network (HSCN). All data processed by TPP is used and stored within the UK.

Mid & South Essex Integrated Care Board (ICB)

Information Governance (IG) [& Data Protection Officer (DPO)] Services – The IG service supports the practice with GDPR and Data Protection compliance, including advice and assistance with breaches of legislation, data subjects’ rights and other data protection issues raised by patient’s or public, as well as helping with completion of the Data Security & Protection Toolkit, and data protection impact assessments. [The DPO service provides a named experienced IG professional within the team to act on behalf of the practice as their Data Protection Officer, to assist monitoring internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).]

Arden & GEM Commissioning Support Unit (CSU)

Primary Care Enabling Services (IT) – The IT service includes access to the secure network (including HSCN) and cyber security, including electronic storage of information on hosted servers.
Business Intelligence (BI) – The BI function within the CSU, receives pseudonymised patient data, combines this with other pseudonymised data sets provided by the ICB (including hospital, community, mental health and ambulance data), then supports practices with analysis of that information, in order for the practice to better target services to their population. This includes population health management and risk stratification (more detail on these programmes of work is available below).

NHS Digital

Data Services for Commissioners Regional Office (DSCRO) – Hosted within Arden & GEM CSU, but contracted to work for NHS Digital, the DSCRO receives clear patient identifiable information and applies a key to scramble this information, this is called pseudonymisation and renders the data essentially anonymous although still linkable across other datasets pseudonymised using the same key. This data is then shared with the CSU BI Team for linkage and analysis.
NHSmail – Provides the practice with a secure email service, common across much of the NHS. This includes access to Microsoft Teams and other software.

E-Consult
- E-Consult provides a text-based clinical consultation service which guides patients through a consultation algorithm to assess their symptoms and recommend appropriate next steps, which may include arranging a GP appointment, self-care advice or signposting to other services (e.g. NHS111, pharmacies, etc.) It does not facilitate real-time consultations between patients and GPs but does make GPs aware of all assessments undertaken on their patients.

You have the right to object to data processors handling your personal information, though bear in mind that this is not an absolute right, the practices legitimate grounds can override objections raised. Please raise any issues with the practice manager who will arrange for a discussion and consideration of any objections. Further information on this right is available here:

https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information that has been collected lawfully. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

Consent and Objections

Do I need to give my consent?

The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However, consent is only one potential lawful basis for processing information. Therefore, your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.

What will happen if I withhold my consent or raise an objection?

You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact your GP Practice for further information and to raise your objection.

Population Health Management

Population Health Management (PHM) – is helping us understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined up and sustainable health and care services and make better use of public resources.

We use historical and current patient level data to understand what factors are driving poor outcomes in different population groups, we then design new proactive models of care which will improve health and wellbeing. This could be by stopping people becoming unwell in the first place, or, where this isn’t possible, improving the way the system works together to support them.

This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice or health/care provider will be able to see your personal information in order to offer this service to you.

In order to carry out this data linkage, your pseudonymised data will be passed to Arden & GEM Commissioning Support Unit, part of NHS England, who will link this to other local and national data sources to be able to carry out appropriate analyses.

PHM is a partnership approach across the NHS and other public services, the outputs of the PHM programme will be shared across these organisations. All have a role to play in addressing the interdependent issues that affect people’s health and wellbeing.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the population health management tools used by the ICB include:

Age
Gender
GP Practice, Community and Hospital attendances and admissions
Medications prescribed
Medical conditions (in code form) and other things that affect your health.

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

Section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002 allows the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes. In practice, this means the person responsible for the information can disclose confidential patient information without consent to an applicant without being in breach of the common law duty of confidence, if the requirements of the regulations are met. The person responsible for the information must still comply with all other relevant legal obligations such as the Data Protection Act 2018 and the Human Rights Act 1998.

A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

There is no requirement for a legal basis for use of the aggregated information which is available to the ICB as this does not identify individuals.

Data Processing Activities

The practice processes this data internally.

Data is also processed by Arden & GEM Commissioning Support Unit and Mid and South Essex ICB.

Opt-out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the PHM service (even though it is in a format which does not directly identify you) you can choose to opt-out.

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, please inform the practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.

Sub-licensing

Integrated Care Systems (ICSs) are partnerships that bring together providers and commissioners of NHS services across a geographical area with local authorities and other local partners to collectively plan health and care services to meet the needs of their population. The central aim of the ICS is to integrate care across different organisations and settings, joining up hospital and community-based services, physical and mental health, and health and social care. All parts of England are now covered by one of 42 ICSs.

The new Health and Care act 2022 established 42 Integrated Care Boards (ICBs) across England as statutory bodies and abolished the 106 Clinical Commissioning Groups (CCGs). The ICB will take on the NHS commissioning functions of the former CCGs as well as some of NHS England’s commissioning functions. It will also be accountable for NHS spend and performance within the system. The Board of the ICB will, as a minimum, include a chair, the CEO and representatives from NHS providers, general practice and local authorities.

In order to assure a smooth transition to the new commissioning landscape, the ICB need to be able to share data with providers and local authorities within their ICS so they are fully able to contribute to commissioning decisions.

The ICS Sub-License approach will allow the ICB to share data they receive from NHS Digital via their commissioning agreements with members of their ICS. This will be limited to pseudonymised commissioning data without the provider unique local patient id included.

Re-identification - This is permitted but the ICB will be responsible for determining which users will have this ability. They must be a health or social care professional with a legitimate (direct care) relationship to the patient.

It is important to note that direct care relies on the “implied consent” legal basis. Therefore, the patient must be aware of this relationship through clear communication.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information used by the ICS Partners include:

Age
Gender
GP Practice, Community and Hospital attendances and admissions
Medications prescribed
Medical conditions (in code form) and other things that affect your health.

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

The legal basis for sharing the data with ICS members is:

Article 6 (1) (e) – processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller

and Article 9 (2) (h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Data Processing Activities

The ICB processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit.

The ICS Partners currently involved in the Sub-Licensing process are:

Essex County Council
Southend City Council
Thurrock Council
Mid and South Essex NHS Foundation Trust
East of England Ambulance
Essex Partnership University NHS Foundation Trust
North East London NHS Foundation Trust
Provide CiC

The ICS Partners will become Data Controllers in their own right for the data received under the sub-licensing, however certain rules will apply to this:

Onward sharing of the data by ICS members is not permitted.
Data must be segregated from other datasets and additional linkage is not permitted.

Opt out details

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, please inform your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.

Health Risk Screening / Risk Stratification

Health Risk Screening or Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.

The ICB also uses risk stratified data to understand the health needs of the local population to plan and commission the right services. This is called risk stratification for commissioning.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.

There is currently s251 support in place for the ICB to be able to receive data with the NHS Number as an identifier from both NHS Digital and the GP Practice to enable this work to take place. The Data is sent directly into a risk stratification tool from NHS Digital /GP Practices to enable the data to be linked and processed as described above. Once the data is within the tool ICB staff only have access to anonymised or aggregated data.

GPs can identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care.

Your GP will use computer-based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third-party accredited Risk Stratification provider. The risk stratification contracts are arranged by Mid and South Essex Integrated Care Board in accordance with the current Section 251 Agreement. Neither the CSU nor your local Integrated Cared Board (ICB) will at any time have access to your personal or confidential data. They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the risk stratification tools used by the ICB:

Age
Gender
GP Practice and Hospital attendances and admissions
Medications prescribed
Medical conditions (in code form) and other things that affect your health.

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

Data Processing Activities

The practice processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit and Prescribing Services Ltd on behalf of the practice.

Opt-out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the risk stratification service you can choose to opt-out by contacting the ICB who will then inform your GP practice and ask them to apply an opt-out code to your record to ensure that your information is not included in the programme.

You can contact the ICB by email, phone or post:

Mseicb.enquiries@nhs.net

01268594350

MSE ICB

Unit 10 Phoenix Court

Christopher Martin road

Basildon

Essex

SS14 3HG

As mentioned above, you have the right to object to your information being used in this way. However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care.

Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept in most places where you receive healthcare. Our local electronic systems (such as SystmOne, EMIS and Eclipse) enables your record to be shared with organisations involved in your direct care, such as:

GP practices
Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
Child health services that undertake routine treatment or health screening
Urgent care organisations, minor injury units or out of hours services
Community hospitals
Palliative care hospitals
Care Homes
Mental Health Trusts
Hospitals
Social Care organisations
Pharmacies

In addition, NHS England have implemented the Summary Care Record which contains information including medication you are taking and any bad reactions to medication that you have had in the past.

In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, considering all aspects of a person’s physical and mental health. Many patients are understandably not able to provide a full account of their care or may not be able to do so. The shared record means patients do not have to repeat their medical history at every care setting.

Your record will be automatically set up to be shared with the organisations listed above, however you have the right to ask your GP to disable this function or restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.

You can also reinstate your consent at any time by giving your permission to override your previous dissent.

Your Right of Access to Your Records

The Data Protection Act and General Data Protection Regulations allows you to find out what information is held about you including information held within your medical records, either in electronic or physical format. This is known as the “right of access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, or a provider that is or has delivered your treatment and care. You should however be aware that some details within your health records may be exempt from disclosure, however this will be in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your GP record, please submit your request in writing to:

The Practice Manager

Matching Green Medical Centre

Email address: practice.managerf81729@nhs.net

Right of Rectification and Erasure

Following a Subject Access Request, or in other circumstances, should you notice anything in your records that you consider to be incorrect, please get in touch with the practice manager (details above) to discuss how this could be reviewed and potentially rectified.

In most circumstances, information would not be able to be removed, as decisions may have been taken with that information in mind, but a note can be added to records to indicate alternative situations.

Data Protection Officer

A Data Protection Officer (DPO) is a role appointed within by public bodies, to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

The practices Data Protection Officer (DPO) is Jane Marley, Head of IG at the ICB.

To contact the DPO, please use the following email address:

MSEGP.DPO@nhs.net

Complaints

In the event that your feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager at:

practice.managerf81729@nhs.net

Information Commissioners Office

The Information Commissioners Office (ICO) is the national authority overseeing Data Protection and Freedom of Information in the UK.

You are able to raise complaints and concerns directly with them, and information on how to do so is available here:

https://ico.org.uk/make-a-complaint/

Parliamentary Health Service Ombudsman

The Ombudsman is independent of government and the NHS. The service is confidential and free of charge. There are time limits for taking a complaint to the Ombudsman although this can be waived if there is good reason to do so. If you have questions about whether the Ombudsman will be able to help you, or about how to make a complaint, you can contact: