Privacy notice
As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.
Please find below details of our practice privacy policy, along with our updated policy relating to COVID-19:
The Lakes Medical Practice – General Privacy Notice
This practice keeps medical records confidential and complies with the General Data Protection Regulation. We hold your medical record so that we can provide you with safe care and treatment. We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
The Lakes Medical Practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by, a national organisation called NHS Digital which has legal responsibilities to collect NHS data.
GPs have always delegated tasks and responsibilities to others that work with them in their surgeries; If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Healthcare staff working in A&E and out of hours care, such as, but not limited to: The Cumberland Infirmary, Carlisle, Penrith Minor Injuries, Cumbria Health On Call (CHoC) will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record and or Individual Health Record. For more information see: https://digital.nhs.uk/summary-care-records
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by law.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please speak to the practice if you wish to object. You also have the right to request that any mistakes or errors corrected.
Registering for NHS care
- All patients who receive NHS care are registered on a national database.
- This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive.
- The database is held by NHS Digital a national organisation which has legal responsibilities to collect NHS data.
- More information can be found at: https://digital.nhs.uk/ Email: enquiries@nhsdigital.nhs.uk
- Identifying patients who might be at risk of certain diseases
- Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
- This means we can offer patients additional care or support as early as possible.
- This process will involve linking information from your GP record with information from other health or social care services you have used.
- Information which identifies you will only be seen by this practice.
- For more information please speak to the practice.
Safeguarding
Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
- These circumstances are rare.
- We do not need your consent or agreement to do this.
- Please see our separate guide Privacy Notice – Safeguarding
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections:
Data Controller contact details
The Lakes Medical Practice, Bridge Lane, Penrith, Cumbria, CA11 8HW
- Tel: 01768 214345
- Email: gp-a82036@nhs.net
- Data Protection Lead – Practice contact details: Samantha Gargett, Practice Manager who can be contacted at: gp-a82036@nhs.net
- Data Protection Officer – Is Yvonne Salkeld, and she can be contacted directly: information.governance@ncic.nhs.uk
- Purpose of the processing – Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, or local out of hours service necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as, but not limited to specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
- Lawful basis for processing – The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” ** Recipient or categories of recipients of the processed data The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
The Practice will share data with relevant organisations and individuals as listed below but only with a lawful process condition to do so:
- Healthcare professionals and staff in this surgery;
- Local hospitals;
- Out of hours services such as, but not limited to Cumbria Health on Call (CHoC), 111 and Eden PCN practices
- Diagnostic and treatment centres; or other organisations involved in the provision of direct care to individual patients.
- Our patients
- Family, associates and representatives of the person whose personal data we are processing
- Staff
- Current, past or potential employers, with consent
- Healthcare social and welfare organisations
- Suppliers, service providers, legal representatives
- Auditors and audit bodies
- Educators and examining bodies
- Insurers
- Research organisations
- People making an enquiry or complaint
- Financial organisations
- Professional advisors and consultants
- Business associates
- Police forces
- Security organisations
- Central and local government
- Voluntary and charitable organisations
The practice currently holds all paper based records (known as Lloyd George) offsite, securely with iGPR Notespace (Box It North). The team at Box-it North will have access to the records in terms of notes storage, retrieval and collection and any scans that are requested. Pracrice staff use Notepsace software in order to request, track and receive paper based notes. The contract is with iGPR (noteSpace). The Lakes Medical Practice remain the data controller. iGPR is a data processor and Box-it are a data sub-processor. No record(s) will be accessed or moved outside of the UK.
- iGPR Privacy Notice can be found here: https://www.igpr.co.uk/privacy-policy/
- General information governance information can be found here: https://www.igpr.co.uk/information-governance/
Right to Automated Decision Making – As an organisation we currently do not undertake any automated decision making, including profile activities
Rights to object – If you wish to discuss or exercise any of your rights, please contact the practice in the first instance: Practice Manager: Samantha Gargett E-mail: gp-a82036@nhs.net
Right to access and correct – You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy.
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
Retention period – The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice.
Data we get from other organisations We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital / out of hours services, for treatment or an operation. The hospital or out of hours service will send us a letter or write directly into your medical records to let us know what happens. This information will be recorded on your medical records. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.
Right to Complain – You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
** “Common Law Duty of Confidentiality”
Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies. Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Update COVID 19
The Lakes Medical Practice is committed to protecting your personal information. In the fight against this global pandemic we are currently working with all of our partners in Health and Social Care to ensure information is shared with the right people at the right time to ensure you receive the best possible care.
Data Protection rules will not hinder the sharing of personal information during these unprecedented times and we will continue to process information in accordance with national law and GDPR.
The processing of personal information relating to this is necessary for reasons of planning and providing health and social care to both individual data subjects and is in the substantial public interest in the area of public health and specifically to support the control of an epidemic. For more detailed information regarding the lawful basis to undertake these activities please see the links below:
- Public Task Art 6 (1e)
- Provision of Health and Social Care/Management of Health Care Systems Art 9(2h)
- Public Interest/Public Health Art 9(2i)
- Vital Interests of a Data Subject Art 9(2c)
- Monitoring Epidemics Recital 46