Additional privacy notices may be found at www.ourhealthiersel.nhs.uk/privacy-notice.htm
Your Information, What You Need to Know
This privacy notice explains why Vassall Medical Centre collects information about you, and how that information may be used.
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
Summary Care Records
All patients registered with a GP have a Summary Care Record, unless they have chosen not to have one. The information held in your Summary Care Record gives registered and regulated healthcare professionals, away from your usual GP practice, access to information to provide you with safer care, reduce the risk of prescribing errors and improve your patient experience.
Your Summary Care Record contains basic (Core) information about allergies and medications and any reactions that you have had to medication in the past.
Some patients, including many with long term health conditions, previously have agreed to have Additional Information shared as part of their Summary Care Record. This Additional Information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.
In light of the current emergency, the Department of Health and Social Care has removed the requirement for a patient’s prior explicit consent to share Additional Information as part of the Summary Care Record.
This is because the Secretary of State for Health and Social Care has issued a legal notice to healthcare bodies requiring them to share confidential patient information with other healthcare bodies where this is required to diagnose, control and prevent the spread of the virus and manage the pandemic. This includes sharing Additional Information through Summary Care Records, unless a patient objects to this.
If you have already expressed a preference to only have Core information shared in your Summary Care Record, or to opt-out completely of having a Summary Care Record, these preferences will continue to be respected and this change will not apply to you. For everyone else, the Summary Care Record will be updated to include the Additional Information. This change of requirement will be reviewed after the current coronavirus (COVID-19) pandemic.
For more information on this privacy notice on the Summary Care Record and your rights please visit https://digital.nhs.uk/services/summary-care-records-scr/scr-coronavirus-covid-19-supplementary-privacy-notice.
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:
How We Keep Your Information Confidential and Safe
Everyone working for the NHS is subject to the Common Law Duty of Confidence.
Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law.
Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, tell you of how your information will be used, and allow you to decide if and how your information can be shared.
Why We Collect Information about You
In carrying out some of these roles we will collect information about you which helps us provide care for you. We may keep your information in written form and/or in digital form. The records include basic - details about you, such as your name and address. They will also contain more sensitive information about your health and also information such as outcomes of needs assessments.
How We Use the Information that We Collect
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice may hold about you may include the following;
- Details about you, such as address and next of kin
- Any contact the surgery has had with you, such as appointments, clinic visits,
emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations, such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may also be used for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the surgery will always endeavour to gain your consent before releasing the information for this purpose.
What We Use your Information For
SMS Text Messaging
We will use the mobile number you have provided to send you the following types of messages providing you have consented to this –
- Requests for feedback on our service
- Campaign messages such as eligibility for certain vaccinations/patient group events and health educational events.
This service is provided to us by a company called MJOG who provide text messaging facilities to a variety of health care providers. They do hold any data about you and only have access to the mobile phone number which you would have provided us. For more information on MJOG you can find them at https://www.mjog.com/
We may contact you via the email address you would have provided providing you have consented for communication on Campaign messages such as eligibility for certain vaccinations/patient group events and health educational events.
Analysis – Risk Stratification
Risk stratification tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from Vassall Medical Centre.
A risk score is then arrived at through an analysis of your de-identified information using software managed by United Health (also known as Optum) as the data processor and is only provided back to Vassall Medical Centre or member of your care team as data controller in an identifiable form. Risk stratification enables us to focus on the preventing ill health and not just the treatment of sickness. If necessary we may be able to offer you additional services.
Please note that you have the right to opt out, by contacting Vassall Medical Centre.
If you have received treatment within the NHS, NHS Lambeth Clinical Commissioning Group (CCG) may require access to your personal information in order to determine which CCG should pay for the treatment or procedure you have received.
Information such as your name, address and date of treatment may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices, and will not be shared for any further commissioning purposes.
Supporting Medicines Management
CCGs support local GP practices with prescribing queries which generally don’t require identifiable information. Where specialist support is required, e.g., to order a drug that comes in solid form in gas or liquid the CCG medicines management team will order this on behalf of a GP to support your care.
To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.
A Quality Alert is a systemic issue, generally affecting a service, or the ability to deliver a high quality service. Lambeth CCG’s Governance and Quality Team triage quality alerts (QA’s) reverse quality alerts and incidents reported by GPs/Provider organisations. The CCG has a statutory duty to support NHSE with the continuous quality improvement of primary medical services as set out in the HSCA 2012 and the Primary Medical Services assurance framework.
New systems to improve information sharing in Lambeth
The local NHS in Lambeth is developing new systems, such as the Local Care Record system so that you can receive more joined up services. The services will have access to your whole medical record. Where appropriate, healthcare professionals will inform you that they are accessing your shared Local Care Record. In an emergency situation where you may not be conscious or able to give consent they will open your information in order to give you the best care. You can ask your GP to hide information in your medical record that you would not want another service to be able to see. This will not be visible to other organisations when they open your record.
Lambeth DataNet is a group of general practices in Lambeth working together to improve local health care by researching information from patient records. This gives us a better idea of what services are needed for the Lambeth population. If we take part in an audit or research study we pass on information to the researchers coordinating the study. Sometimes this research involves linking patient information held by Vassall Medical Centre with NHS information held by the hospital or A&E, for example. This information is anonymous and cannot be traced back to you in any way. Please contact the CCG Datanet team on LAMCCG.firstname.lastname@example.org if you would like further details.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 2018 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;
- Independent Contractors such as dentists, opticians, pharmacists
- Voluntary Sector Providers
- Clinical Commissioning Groups
We will never share your information outside of health partner organisations without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it or to carry out a statutory function. Within the health partner organisations (NHS and Specialist Trusts) and in relation to the above mentioned themes – Risk Stratification, Invoice Validation, Supporting Medicines Management, Safeguarding, Quality Alerts, Local Care Record, Lambeth DataNet – we will assume ‘implied consent’ unless you choose to opt out (see below).
This means you will need to express an explicit wish not to have your information shared with the other NHS organisations; otherwise they will be automatically shared.
We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued.
Our guiding principle is that we are holding your records in strictest confidence.
Your Right to Withdraw Consent for Us to Share Your Personal Information (Opt-Out)
You have the right to consent / refuse / withdraw consent to information sharing at any moment in time. There are possible consequences to not sharing but these will be fully explained to you to help you with making your decision.
You can opt out at any time by contacting:
Vassall Medical Centre
89 Vassall Road
For any queries regarding these matters you may contact our IT Manager - Grant Griffiths or Data Protection Officer at NEL CSU on 03000 428 438 or email@example.com
If you would like to find out about what national initiatives may affect you, visit:
Your Data Matters: http://www.nhs.uk/your-data-matters/
NHS Digital: https://digital.nhs.uk/services/national-data-opt-out-programme
Coordinate My Care (CMC): http://www.coordinatemycare.co.uk/
Summary Care Record: https://digital.nhs.uk/services/summary-care-records-scr
Accessing Your Information Held by Vassall Medical Centre
Under the Data Protection Act 2018 you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to Vassall Medical Centre.
Your request will be reviewed and your records looked over by a GP for any references to a third party and or any information which the GP feels may unduly upset you so we may omit these items.
Fees may be charged for repetitive requests.
Freedom of Information Requests (FOI)
The Freedom of Information Act (2000) gives every Individual the right to request information held by Government Agencies. Private Companies are not subject to this act.
Please note that a Freedom of Information Request is not a Subject Access Request.
Please send your requests to the practice managers:
Vassall Medical Centre
89 Vassall Road
Your request for information must be made in writing and you are entitled to a response within 20 working days.
Decommissioning of Services
We will retain legal responsibility for the information held about you until it is formally dissolved or until agreements are put in place to transfer responsibility.
If you have a complaint about Vassall Medical Centre or a service we provide, we will use your information to communicate with you and investigate any complaint if it’s the responsibility of the Practice.
Please send all complaints to:
Vassall Medical Centre
89 Vassall Road
If you are not happy with our responses and have exhausted all the avenues in our complaints process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office in writing to the following address:
You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Or email: firstname.lastname@example.org
For a translation of this document, an interpreter or a version in large print or braille, please contact:
Vassall Medical Centre
89 Vassall Road