Related Links External
SystmOnline Repeat Prescriptions
HealthSpace
NHS Care Record Service
NHS Direct
British Medical Association
General Medical Council
Further Information
Lloyds Pharmacy
We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.
Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.
Contents
This document is to explain to you the types of personal data we hold about you and how we may use this information for the benefit of your health and wellbeing. The document advises you on how we allow [or do not allow] your electronic health record to be made available to other organisations, across a variety of healthcare settings. This is subject to your permission, being made on the computer system SystmOne. It informs you of your options should you wish to take further control of your SystmOne record. The information should be carefully considered and any concerns you have about the data we hold, and how we use it, should be raised with us.
As your registered GP practice we hold your electronic health record. This contains sensitive information about you, your health and your wellbeing. The following list provides an example of the type of information (both past and present) that can be held within your record:
This information means we can provide you with high quality direct care in a safe and effective manner. Being able to see your detailed record allows for an overall picture of your health and wellbeing to be assessed. This then helps us to diagnose and prescribe appropriate courses of treatment to you. This means that the most safe and efficient care is provided to you. We do not want you to have to repeat your medical history and remember every detail, which may or may not be relevant, to every health professional involved in your care. Lack of access to your information may lead to misdiagnosis, inappropriate prescribing of medication or tests and/or ineffective treatment.
We recognise that you will benefit from other health providers that care for you (either currently or in the future) having access to your electronic health record. This is because they can then make fully informed decisions about the care you require. The reasons for access to the detailed record, mentioned above, apply across the health profession. A shared record ensures that care providers always have the most accurate, up to date information.
In a case where patient data is required for research purposes, we do not provide patient identifiable information. Any data we provide is anonymised or pseudonymised, unless you have given explicit consent.
Anonymised data, is data about you but from which you cannot be personally identified. Anonymised data is any personal data which has been processed so that all identifiers (such as name or NHS number) are removed, minimising the likelihood that the data will identify individuals.
Pseudonymised data is any personal data which has been processed so that all identifiers such as name, address, date of birth and NHS number is removed and replaced with a code which makes it anonymous to those who should not see your identifiable data, but would allow others such as those responsible for providing care to identify an individual.
Personal identifiable data, is data which relates to a living individual who:
The term ‘Direct Care’ means a clinical health activity concerned with the prevention and investigation and treatment of illness. It includes supporting your ability to function and improve your participation in life and society. It also includes the assurance of safe and high quality care and treatment undertaken by one or more registered and regulated health professionals and their team with whom you have a legitimate relationship for your care purposes.
It does not include access to information for purposes such as insurance, advertising or marketing.
As your GP practice we have set the following practice settings for all our registered patients whose detailed electronic health record is in our possession and within the clinical computer system, SystmOne. However, we recognise that each of our patients have differing health care needs and you may wish to control yourself how your personal data is shared. This can be done via ‘Your Choice’ stated below.
We assume that you are happy to share your detailed electronic health record to those that care for you. We therefore, make your record available to all NHS commissioned services using the clinical record computer system, SystmOne. This allows for anyone at these organisations who have the appropriate controls to retrieve your electronic record once you are registered for care. However, these individuals should only legitimately access your record to provide you with care services. They must also record your permission to view your record.
AND/OR
We will obtain your explicit consent (permission) to share your detailed electronic health record to those that care for you. By providing your permission, we make your record available to all NHS commissioned services using the clinical record computer system, SystmOne. This allows for anyone at these organisations who have the appropriate controls to retrieve your electronic record, once you are registered for care. However, these individuals should only legitimately access your record to provide you with care services. They must also record your permission to view your record.
Your individual sharing preference will overwrite our organisation’s default sharing setting.
The types of organisation who could be involved in your direct care and therefore need access to your electronic record are:
The full list of organisations can be seen and updated in your patient online record.
To find out more about these types of organisations please go to the following webpage: http://www.tpp-uk.com/products/systmone/modules or talk to a member of your GP practice.
If at any point in the future you are not happy to share your electronic record in this way, please let us know as soon as possible.
You may not agree with the health and social care organisations we have chosen to have access to your detailed electronic health record (the practice default). You can therefore control this yourself. Your choice will override our settings. You have the following options:
You can make changes to the above* at any time by contacting us or by logging onto your SystmOnline account. (*you cannot add an organisation to the prohibited list yourself, you must speak with your GP first if you wish to do this.)
Audits are useful for your understanding about the types of organisation and individual(s) who are viewing your record. They allow you to raise any concerns about potential illegitimate or unnecessary access of your personal data with the relevant person or organisation. The ability to audit record access is a significant benefit of electronic records over paper records as it allows for a visible trail to be available to you in the following ways:
The Data Protection Act 1998 (DPA) requires that we retain personal data no longer than is necessary for the purpose we obtained it for. Ensuring personal data is disposed of when no longer needed will reduce the risk that it will become inaccurate, out of date or irrelevant. The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
It means that we will need to:
Personal data will need to be retained for longer in some cases than in others. How long we retain different categories of personal data should be based on individual business needs. A judgement must be made about:
The appropriate retention period is also surrounding circumstances, any legal or regulatory requirements or agreed industry practice. At the end of the retention period, or the life of a particular record, it should be reviewed and deleted, unless there is some special reason for keeping it.
You (the patient) are the data subject in this context.
This allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. Some organisations in the UK already offer data portability through the ‘midata’ and similar initiatives which allow individuals to view access and use their personal consumption and transaction data in a way that is portable and safe. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing. GP practices and other healthcare providers are EXEMPT form this.
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
Under the General Data Protection Regulation (GDPR), individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information. These are similar to existing subject access rights under the DPA. The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
Individuals have the right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.
Website Designed & Developed by DMD Design & Marketing Ltd