Privacy Policylogo

Your Data, Privacy and the Law. How we use your medical records

  • This practice handles medical records according to the laws on data protection and confidentiality.

  • We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need to know basis and event by event.

  • Some of your data is automatically copied to the Shared Care Summary Record

  • We do share some of your data with local out of hours / urgent or emergency care service

  • Data about you is used to manage national screening campaigns such as Flu, Cervical cytology and Diabetes prevention.

  • Data about you, usually de-identified, is used to manage the NHS and make payments.

  • We share information when the law requires us to do, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people.

  • Your data is used to check the quality of care provided by the NHS.

  • We may also share medical records for medical research

For more information read the Privacy Notice pages in the folder within the waiting area / visit the practice web site / ask at reception / e-mail in.

Please download this Summary Care Record ‘Opt Out’ Form if you would like to opt out of data sharing.

You can download this full Privacy Policy here: Privacy notice

This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by Burnley General Practice’s, NHS Digital and NHS England a national organisation which has legal responsibilities to collect NHS data.

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.

If your health needs require care from others elsewhere outside this practice, we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.

People who have access to your information will have access to that which they need to fulfil their roles, to ensure patient care is not compromised. It is mandatory for all staff to sign a confidentiality agreement and adhere to these at all times. Regular training is provided to ensure that staff are up to date with any changes.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

  1. Data Controller contact details C Ratcliffe: [email protected]

  2. Data Protection Officer contact details Dr A S Iqbal: [email protected]

  3. Purpose of the processing Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

  4. Lawful basis for processing The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

    Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

    Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

    We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

  5. Recipient or categories of recipients of the processed data The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. East Lancs Hospital Trust, Pennine Acute Trust, North West Ambulance Service.

  6. Rights to object You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance

  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

  8. Retention period The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-practice-for-Health-and-Social-Care-2016 or speak to the practice.

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;

  • where disclosure is in the public interest; and

  • where there is a legal duty to do so, for example a court order.

There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary, we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.

The law acknowledges this and provides supporting legal justifications.

Individuals have the right to make pre-determined decisions about the type and extend of care they will receive should they fall ill in the future, these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the first paragraph.

  1. Data Controller contact details C Ratcliffe: [email protected]

  2. Data Protection Officer contact details Anjum Iqbal: [email protected]

  3. Purpose of the processing Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.

  4. Lawful basis for processing This is a Direct Care purpose. There is a specific legal justification;

    Article 6(1)(d) “processing is necessary to protect the vital interests of the data subject or of another natural person” And

    Article 9(2)(c) “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent” Or alternatively

    Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

    We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

  5. Recipient or categories of recipients of the shared data The data will be shared with Healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres.

  6. Rights to object You have the right to object to some or all of the information being shared with the recipients. Contact the Data Controller or the practice.

    You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.

  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.

  8. Retention period The data will be retained in line with the law and national guidance

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contacts/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;

  • where disclosure is in the public interest; and

  • Where there is a legal duty to do so, for example a court order.

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at: https://www.gov.uk/topic/population-screening-programmes or speak to the practice

  1. Data Controller contact details To be appointed.

  2. Data Protection Officer contact details To be appointed.]

  3. Purpose of the processing The NHS provides several national health screening programs to detect diseases or conditions earlier such as; cervical and breast cancer, aortic aneurysm and diabetes. More information can be found at https://www.gov.uk/topic/population-screening-programmes The information is shared so as to ensure only those who should be called for screening are called and or those at highest risk are prioritised.

  4. Lawful basis for processing The sharing is to support Direct Care which is covered under

    Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And

    Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

    We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

  5. Recipient or categories of recipients of the shared data The data will be shared with Burnley General Practices, NHS Digital and NHS England and Public Health England.

  6. Rights to object You have the right to object to this processing of your data and to some or all of the information being shared with the recipients. Contact the Data Controller or the practice. For national screening programmes: you can opt so that you no longer receive an invitation to a screening programme.

    See: https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes

    Or speak to your practice.

  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

  8. Retention period GP medical records will be kept in line with the law and national guidance.

    Information on how long records can be kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

    Or speak to the practice.

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;

  • where disclosure is in the public interest; and

  • where there is a legal duty to do so, for example a court order.

The records we keep enable us to plan for your care.

This practice keeps data on you that we apply searches and algorithms to in order to identify from preventive interventions.

This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.

If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease

You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”.

Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

  1. Data Controller contact details C Ratcliffe: [email protected]

  2. Data Protection Officer contact details Dr A S Iqbal: [email protected]

  3. Purpose of the processing

    The practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. Diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

  4. Lawful basis for processing The legal basis for this processing is

    Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’  And

    Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

    We will recognise your rights under UK Law collectively known as the “Common Law Duty of Confidentiality”*

  5. Recipient or categories of recipients of the shared data The data will be shared for processing with Midlands and Lancashire Clinical Support Unit (MLCSU) and for subsequent healthcare with East Lancashire Clinical Commissioning Group, NHS England Lancashire Area Team.

  6. Rights to object You have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances. Contact the Data Controller or the practice.

  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

  8. Retention period The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

    or speak to the practice.

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;

  • where disclosure is in the public interest; and

  • where there is a legal duty to do so, for example a court order.

Plain English explanation

The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.

For more information about the CQC see: http://www.cqc.org.uk/

  1. Data Controller contact details Carol Ratcliffe: [email protected]

  2. Data Protection Officer contact details Dr A S Iqbal: [email protected]

  3. Purpose of the processing To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. They provide specific reporting functions on identified findings in line with legal reporting and monitoring standards.

  4. Lawful basis for processing The legal basis will be

    Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And

    Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

  5. Recipient or categories of recipients of the shared data The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.

  6. Rights to object You have the right to object to some or all of the information being shared with NHS Digital. Contact the Data Controller or the practice.

  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

  8. Retention period The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)/

Please download this Summary Care Record ‘Opt Out’ Form if you would like to opt out of data sharing.

This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by Burnley General Practice’s, NHS Digital and NHS England a national organisation which has legal responsibilities to collect NHS
GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.
If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles,
We have an overriding responsibility to do what is in your best interests. Please see below.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details Carol Ratcliffe
As above
2) Data Protection Officer contact details Dr A S Iqbal
As above
3) Purpose of the processing Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
4) Lawful basis for processing The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
5) Recipient or categories of recipients of the processed data The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. [if possible list actual named sites such as local hospital)(s) name]
6) Rights to object You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
7) Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the practice.
9) Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

NHS Digital is the secure haven* for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes (https://digital.nhs.uk/data-and-information). Examples include; A/E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on GPs can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions  and www.nhsdatasharing.info

  1. Data Controller contact details Carol Ratcliffe: As above
  2. Data Protection Officer contact details Dr A S Iqbal: As above
  3. Purpose of the processing To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. They provide specific reporting functions on unidentified data.
  4. Lawful basis for processing The legal basis will be
    Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
    And
    Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
  5. Recipient or categories of recipients of the shared data The data will be shared with NHS Digital according to directions which can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions
  6. Rights to object You have the right to object to some or all of the information being shared with NHS Digital. Contact the Data Controller or the practice.
  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
  8. Retention period The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)/

Plain English explanation

Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. These amounts are paid per patient per quarter and varies according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises. Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research2.

In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws1

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

  1. Data Controller contact details Carol Ratcliffe: As above

  2. Data Protection Officer contact details Dr A S Iqbal: As above

  3. Purpose of the processing To enable GPs to receive payments. To provide accountability.

  4. Lawful basis for processing The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

    Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

    And

    Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

  5. Recipient or categories of recipients of the processed data The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.

  6. Rights to object You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance

  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

  8. Retention period The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

    or speak to the practice.

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

 

  1. NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers to CCGs and the GMS regulations 2004 (73)1

  2. For more information about payments the English GPs please see; https://digital.nhs.uk/NHAIS/gp-payments , https://digital.nhs.uk/catalogue/PUB30089 and http://www.nhshistory.net/gppay.pdf

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.

This will necessarily mean the subjects personal and health information being shared with the Public Health organisations.

Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659) the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657) the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658) Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002

  1. Data Controller contact details Carol Ratcliffe

  2. Data Protection Officer contact details Dr A S Iqbal

  3. Purpose of the processing There are occasions when medical data needs to be shared with Public Health England, the Local Authority Director of Public Health, or the Health Protection Agency, either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.

  4. Lawful basis for processing The legal basis will be

    Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

    And

    Article 9(2)(i) “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”

  5. Recipient or categories of recipients of the shared data The data will be shared with Public Health England https://www.gov.uk/government/organisations/public-health-england and equivalents in the devolved nations.

  6. Rights to object You have the right to object to some or all of the information being shared with the recipients. Contact the Data Controller or the practice.

  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

  8. Retention period The data will be retained for active use during the period of the public interest and according to legal requirements and Public Health England’s criteria on storing identifiable data https://www.gov.uk/government/organisations/public-health-england/about/personal-information-charter.

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)/

This practice may participate in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement. We may also use your medical records to carry out research within the practice.

We share information with the following medical research organisations with your explicit consent or when the law allows: For example Synexus, National Diabetes Study and ask at practice for further other clinical research partners.

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.

  1. Data Controller contact details Carol Ratcliffe: As Above

  2. Data Protection Officer contact details Dr A S Iqbal: As Above

  3. Purpose of the sharing Medical research.

  4. Lawful basis for processing or sharing Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are;

    Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”

    or

    Article 6(1)(e) may apply “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

    And in addition there are three possible Article 9 justifications.

    Article 9(2)(a) – ‘the data subject has given explicit consent…’

    or

    Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.

    or

    Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’

  5. Recipient or categories of recipients of the shared data The data will be shared with appropriate organisations.

  6. Rights to object You do not have to consent to your data being used for research. You can change your mind and withdraw your consent at any time. Contact the Data Controller or the practice.

  7. Right to access and correct You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

  8. Retention period The data will be retained for the period as specified in the specific research protocol(s).

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

 

  1. Section 251 and the NHS Act, Health Research Authority. https://www.dropbox.com/s/sekq3trav2s58xw/Official%20Section%20251%20guidance%20Health%20Research%20Authority.pdf?dl=0

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.

There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:

Section 47 of The Children Act 1989 :
(https://www.legislation.gov.uk/ukpga/1989/41/section/47),

Section 29 of Data Protection Act (prevention of crime) https://www.legislation.gov.uk/ukpga/1998/29/section/29
and
section 45 of the Care Act 2014 http://www.legislation.gov.uk/ukpga/2014/23/section/45/enacted.

In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; section 17 Childrens Act 1989 https://www.legislation.gov.uk/ukpga/1989/41/section/17

  1. Data Controller contact details Carol Ratcliffe: As Above

  2. Data Protection Officer contact details Dr A S Iqbal: As above

  3. Purpose of the processing The purpose of the processing is to protect the child or vulnerable adult.

  4. Lawful basis for processing The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:

    For consented processing;

    6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

    For unconsented processing;

    6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject

    and:

    9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’

    We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

  5. Recipient or categories of recipients of the shared data The data will be shared with [insert local safeguarding services names and contact details]

  6. Rights to object This sharing is a legal and professional requirement and therefore there is no right to object.

    There is also GMC guidance:

    https://www.gmc-uk.org/guidance/ethical_guidance/children_guidance_56_63_child_protection.asp

  7. Right to access and correct The DSs or legal representatives has the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

  8. Retention period The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;

  • where disclosure is in the public interest; and

  • where there is a legal duty to do so, for example a court order.

As employers we need to keep certain information so that we can remain your employer and manage payments. This is a combination of personal and financial information. We are required by law to hold certain types of data on those we employ under the Health and Social Care Act and this data is examined during CQC inspection visits. For more information about the CQC see: http://www.cqc.org.uk/

We are also required by HMRC and various taxation laws, such as “The Income Tax (Pay As You Earn) Regulations 2003” to keep financial records.

  1. Data Controller contact details Carol Ratcliffe: As above

  2. Data Protection Officer contact details Dr A S Iqbal: As above

  3. Purpose of the processing To comply with the Health and Social Care Act and taxation law.

  4. Lawful basis for processing The legal basis will be

    Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

    And

    Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

  5. Recipient or categories of recipients of the shared data The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time. Financial data will also be shared with HMRC and Horfield and Smith Accountants who process the payroll.

  6. Rights to object You have the right to object to some or all of the information being shared with CQC. Contact the Data Controller or the practice. There is no right to have UK taxation related data deleted except after certain statutory periods.

  7. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law.

  8. Retention period The data will be retained for active use during the processing and thereafter according to NHS Policies, taxation and employment law.

  9. Right to Complain. You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

    or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

    There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)/

Burnley GP Practice’s Practice Privacy Notice
Terms of use & Privacy statement

Website Terms of Use

The information, materials and opinions on this website are for general information purposes only. They are not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.

Certain parts of this website link to other external internet sites and other external internet sites may link to this website. The practice does not accept responsibility for the content of any of these external internet sites. Further, the practice is not responsible for the direct or indirect consequences of you linking to these external websites.

Although we try to make sure that the content of this website is accurate and up to date, the practice makes no express or implied conditions, warranties, terms or representations about the content of this website and accepts no liability whatsoever for the use which you make of the information, except as may be required by law.

Privacy statement

The practice wants to protect the privacy of visitors to our website. Please read the following policy to understand how we use your personal data. We may change our privacy policy at any time, so please check it each time you visit our website

If you have any questions about this statement or your personal information, please contact us at Ightenhill Medical centre


Information collection and use via email
To the extent permitted by law, we may monitor electronic communications for the purposes of ensuring compliance with our legal and regulatory obligations and internal policies.


Information collection and use through our website
You do not have to give us any personal information in order to use most of this website.

The practice is the sole owner of the information collected on this website. We do not sell, share, or transfer this information, except as set out in this statement. We use your information to improve our marketing, for administration and to provide legal services.

The types of information we collect through our website are described below. By using our website you consent to the collection and use of any personal information in the manner described.


Cookies
A cookie is a piece of data stored on a user’s hard drive containing information about the user. The information below explains the cookies we use on our website and why we use them:

  • Google Analytics cookies: we use these cookies to collect information about how visitors use our website, including details of the site where the visitor has come from and the total number of times a visitor has been to our website. We use the information to improve our website and enhance the experience of its visitors.
  • ASP.Net cookie: we use this cookie to allow visitors to view the website without logging in as a registered user. Once you close your browser, the cookie is deactivated.

You can enable or disable cookies by modifying the settings in your browser. You can find out how to do this, and find more information on cookies, at: www.allaboutcookies.org.


IP addresses
We use IP addresses to analyse trends, administer the website, track users’ movements, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


Links
This website contains links to other websites. Please note that we are not responsible for the privacy practices of other websites. This privacy statement applies solely to information collected by this website.


Security
We take all appropriate steps to protect your information both online and off-line. If you would like information on our security procedures please contact us.


Contact us
If you:

  • would like to access the personal information we hold about you;
  • believe that information we hold about you is incorrect; or
  • have any questions in relation to the information concerning privacy and personal information;

Then we ask that you contact us via email to [email protected] and we will take reasonable steps to resolve those concerns as soon as practicable. In some cases we may not be able to give you access to personal information we hold regarding you if making such a disclosure would breach our legal obligations to our client or if prevented by any applicable law or regulation.

Our Privacy Notices explains why we collect your information and how that information may be used.

As of 25 May 2018 Under the General Data Protection Regulation (GDPR) we must ensure that your personal confidential data (PCD) is handled in ways that are transparent and that you would reasonably expect. The Health and Social Care Act 2012 has altered the way that personal confidential data are processed. Consequently, you must be aware and understand these changes and that you have the opportunity to object and understand how to exercise that right.

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare.

The practice Data Protection Officer is: Dr A S Iqbal

The practice Data Controller is: Carol Ratcliffe

NHS health records may be processed electronically, on paper or a mixture of both and through established working procedures and best practice coupled with technology we ensure your personal data is kept confidential and secure. Records held by us may include the following:

  • Your personal data, such as address and next of kin;

  • Your history with us, such as appointments, vaccinations, clinic visits, emergency appointments, etc;

  • Notes and reports about your health;

  • Details about your treatment and care;

  • Results of investigations and referrals such as blood tests, x-rays, etc; and

  • Relevant information from other health professionals, relatives or those who care for you.

We obtain and hold data for the sole purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. We can disclose your personal information
if:

  1. It is required by law;
  2.  You consent – either implicitly or for the sake of your own care or explicitly for other purposes; and
  3. It is justified in the public interest

Some of this information is held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the Practice will always endeavour to gain your consent before releasing the information.

Risk Stratification
Risk Stratification is a process that helps your family doctor (GP) to help you manage your health. By using selected information from your health records, a secure NHS computer system will look at any recent treatments you have had in hospital or in the surgery and any existing health conditions that you have. This will alert your doctor to the likelihood of a possible deterioration in your health.

The clinical team at the surgery will use the information to help you get early care and treatment where it is needed. Midlands and Lancashire Commissioning Support Unit (MLCSU) DSCRO (the regional processing centre) supports GP Practices with this work. NHS security systems will protect your health information and patient confidentiality at all times.

Please note that you have the right to opt out of Risk Stratification.

Should you have any concerns about how your information is managed, or wish to opt out of any data collection at the Practice, please contact the practice, or your healthcare professional to discuss how the disclosure of your personal information can be limited.

Patients have the right to change their minds and reverse a previous decision. Please contact the practice, if you change your mind regarding any previous choice.

Invoice validation
We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised CSU staff. These activities and all identifiable information will remain with the Controlled Environment for Finance (CEfF) approved by NHS England. Where possible we will strive to use the NHS number as a quasi-identifier to preserve your confidentiality.

Our partner organisations
We may need to share your information, subject to agreement on how it will be used, with the following organisations:

  • NHS Trusts

  • Health & Social Care Information Centre (HSCIC)

  • Specialist Trusts

  • Independent Contractors such as dentists, opticians, pharmacists

  • Private Sector Providers

  • Voluntary Sector Providers

  • Ambulance Trusts

  • Clinical Commissioning Groups

  • Commissioning Support Units

  • Social Care Services

  • Local Authorities

  • Education Services

  • Fire and Rescue Services

  • Police

  • Other ‘data processors’

Under GDPR, you have a right to access/view information we hold about you, and to have it amended or removed should it be inaccurate. If we do hold information about you we will:

  • give you a description of it;

  • tell you why we are holding it;

  • tell you who it could be disclosed to; and

  • let you have a copy of the information in an intelligible form.

  • If you would like to make a ‘subject access request’, please contact the Practice Manager in writing.

There may be a charge for this service.

Any changes to this notice will be published on our website and in a prominent area at the Practice.

We are registered as a data controller under the GDPR and Data Protection Act 1998. The registration can be viewed online in the public register at:
Register of data controllers | ICO

How we keep your personal information confidential
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the GDPR (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.

“How the NHS and care services use your information
Ightenhill Medical Centre is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided

  • research into the development of new treatments

  • preventing illness and diseases

  • monitoring safety

  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information

  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care

  • Find out more about the benefits of sharing data

  • Understand more about who uses the data

  • Find out how your data is protected

  • Be able to access the system to view, set or change your opt-out setting

  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone

  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until March 31st 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

Skip to content