Privacy notice
As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.
Birkmyre Medical Practice – Privacy Notice
Background
The General Data Protection Regulation (GDPR) came in to force on 25 May 2018, superseding the current Data Protection Act (1998).
Under the terms of the new GDPR, a privacy notice is required to explain to patients what personal data is held about them and how it is collected and processed.
How we obtain your personal data
Information provided by you
You provide us with personal data on your registration form when you register with the practice, via online registration for prescription services and over the telephone. This includes name, address, date of birth, landline phone number, mobile phone number and email address.
We may also keep information contained in any correspondence or conversations you may have with us.
Information collected from other sources
By registering with the practice, you consent to your medical history from your previous practice(s) being sent to the practice. The provision of this information is essential in order that we can deliver personal care and medical treatment.
We often obtain information from hospitals, pharmacies and other medical practitioners to whom you will already have submitted your personal data.
How we use your personal data
The admin team use your information to make appointments for you, to generate prescriptions, to electronically file hospital and clinic records, and to provide test results as requested by you. The admin team will only access your medical information on a “need to know” basis in order to perform their duties.
Your mobile phone number is used to send you reminders of your appointments, and to send texts regarding administrative matters, eg surgery closures. We may share your mobile phone number with other healthcare professionals involved in your care.
If you have provided your email address, we may communicate with you in this way or send referrals by email to other services involved in your medical treatment who may then communicate with you by email.
The clinical team use your information to provide you with care and medical treatment.
We undertake at all times to protect your personal data in a manner which is consistent with the practice team’s duty of confidentiality and the requirements of the General Data Protection Regulation. We will also take all reasonable measures to protect your personal data stored in paper files and on our electronic system.
Sharing information
We will keep information about you confidential and will only disclose any information with third parties if it is in your interests to do so and when we are sure that the party with whom we are sharing information is a medical practitioner with whom you have already shared personal information. For example, we might give your mobile phone number to a hospital which wishes to contact you about an appointment which has been made for you.
With your written or verbal consent, we will share information about you with a carer.
Information shared with solicitors and insurance companies is only done so when we are sure you have given your express consent.
Information will be shared with legal agencies and the police on production of a court order or if by not doing so the practice would be breaking the law.
We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for. iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided. Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose.
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re) admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by our CCG and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to op out of your data being used in this way.
How long do we keep this information about you?
We will keep your paper and electronic (hospital/clinic) records as long as you are a patient at the practice. If you leave the practice, these will be returned to the Health Board for forwarding to your new practice. The practice will retain information held on its clinical system relating to consultations, immunisations, medical history and prescribing, but this information will be archived.
Patient (Data Subject) Rights
Right to be informed
This privacy notice informs you of your rights.
Right of access
The General Data Protection Regulation (GDPR) grants you the right to access particular personal data which we hold about you. This is referred to as a subject access request. We will respond promptly and at least within one calendar month from the date of receiving the request and all necessary information in writing from you.
Right to rectification
If considered appropriate, a retrospective entry can be made by a clinician if you have concerns regarding the accuracy of your clinical record. You will also have the right to have incomplete personal data completed, if necessary by providing a signed and dated supplementary statement. We will respond to the request for rectification at least within one calendar month.
Right to erasure
You have the right to request erasure of personal information concerning you if this is no longer relevant.
Right to restrict processing
Subject to exemptions, you will have the right to obtain from us restriction of processing if:
- The accuracy of the personal information is contested by you.
- We no longer need the personal information for the purpose of delivering personal care and medical treatment
Right to object
You have the right to object to processing of your data for direct marketing or for the purposes of scientific/historical research and statistics.
Right of data portability
We can respond to a request from you for the supply of your personal information in an electronic format, which you then have the right to transmit elsewhere.
Rights in relation to automated decision
Patients have the right not to be subject to a decision based on automated processing. Patients have the right to (a) obtain human intervention, (b) express their point of view, and (c) obtain an explanation of the decision and challenge it.
Invoking your rights
If you would like to invoke any of the above data subject rights with the practice, please write to the Practice Manager, The Health Centre, 2 Bay Street, Port Glasgow PA14 5EW
Important Information
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential is:
Practice Manager, The Health Centre, 2 Bay Street, Port Glasgow PA14 5EW
Questions and queries
If you have any questions or queries which this privacy policy has not addressed, or if you have any concerns about how we use the personal information we hold, please write to the Practice Manager, The Health Centre, 2 Bay Street, Port Glasgow PA14 5EW
Complaints
If you have a complaint regarding the use of your personal information, please write to the Practice Manager, The Health Centre, 2 Bay Street, Port Glasgow PA14 5EW
If you are still unhappy following a review by the Practice you can then complain to the Information Commissioners Office (ICO). www.org.uk, casework@ico.org.uk, telephone: 0303 123 1113 (local rate) or 01625 545 745