Privacy notice
As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.
[Insert practice Privacy Notice here, including a named Data Protection Officer.]
Dr A Abdullah, Dr K Nasim, Dr Z Syed & Dr G Ali
Northwood Medical Centre
10-12 Middleton Hall Road
Kings Norton
Birmingham
B30 1BY
Tel 0121 458 1342
Email: nhsbsolccg.northwood@nhs.net
Alvechurch Medical Centre
5 The Square
Alvechurch
Birmingham
B48 7LA
Tel 0121 445 1084
Email: reception.alvechurchmc@nhs.net
Version 1 – Review date 18/03/2025
Northwood & Alvechurch Medical Centre
Privacy Policy
NHS Digital collects information with the purpose of improving health and care for everyone. The information collected is used to:
- Run the health service
- Manage epidemics
- Plan for the future
- Research health conditions, diseases and treatments
Principles
NHS Digital is a data controller and has a legal duty, in line with the UK General Data Protection Regulation (UK GDPR), to explain why it is using patient data and what data is being used. Similarly, this organisation, as a data controller in its own right, has a duty to advise patients of the purposes for which their personal data is used and the methods by which it will be processed.
Status
The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have with regard to the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment.
Training and support
The organisation will provide guidance and support to help those to whom it applies to understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
Scope
Who it applies to
This document applies to all employees of the organisation and other individuals performing functions in relation to the organisation such as agency workers, locums and contractors.
Furthermore, it applies to clinicians who may or may not be employed by the organisation but who are working under the Additional Roles Reimbursement Scheme (ARRS).
Why and how it applies to them
Everyone should be aware of the practice privacy notice and be able to advise patients, their relatives and carers what information is collected, how that information may be used and with whom the organisation will share that information.
The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the UK General Data Protection Regulation.
Definition of terms
Privacy notice
A statement that discloses some or all of the ways in which the organisation gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.
Data Protection Act 2018 (DPA18)
The Data Protection Act 2018 (DPA18) ensures continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.
Information Commissioner’s Office (ICO)
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
General Data Protection Regulation (GDPR)
The GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy.
The GDPR came into effect in May 2018.
Post-Brexit, in January 2021, the GDPR became formally known as UK GDPR and was incorporated within the Data Protection Act 2018 (DPA 18) at Chapter 2.
Throughout the remainder of this notice, GDPR is known as UK GDPR.
Data controller
The entity that determines the purposes, conditions and means of the processing of personal data.
Data subject
A natural person whose personal data is processed by a controller or processor.
Compliance with regulations
UK GDPR
In accordance with the UK GDPR, this organisation will ensure that information provided to subjects about how their data is processed will be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- Free of charge
Article 5 compliance
In accordance with Article 5 of the UK GDPR, this organisation will ensure that any personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures
Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above.
Communicating privacy information
At Northwood & Alvechurch Medical Centre, the organisation’s privacy notice is displayed on our website, through signage in the waiting room and in writing during patient registration. We will:
- Inform patients how their data will be used and for what purpose
- Allow patients to opt out of sharing their data, should they so wish
What data will be collected?
At Northwood & Alvechurch Medical Centre, the following data will be collected:
- Patient details (name, date of birth, NHS number)
- Address and next of kin (NOK) information
- Medical notes (paper and electronic)
- Details of treatment and care, including medications
- Results of tests (pathology, X-ray, etc.)
- Any other pertinent information
National data opt-out programme
The national data opt-out programme introduced in May 2018 affords patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used just for their individual care and treatment or also used for research and planning purposes.
Whilst several start dates have been discussed, following consultation with the BMA and RCGP, DHSC confirmed in a letter dated 19th July 2021 that there is now no specific start date by which health and care organisations must comply with the national data opt-out, and committed to uploading any data only once the following has been established:
- The ability to delete data if patients choose to opt-out of sharing their GP data with NHS Digital, even if this is after their data has been uploaded
- The backlog of opt-outs has been fully cleared
- A Trusted Research Environment has been developed and implemented in NHS Digital
- Patients have been made more aware of the scheme through a campaign of engagement and communication.
Patients who wish to opt out of the collection can still register a Type 1 opt-out with the practice (see below), but no longer need to do so by 1st September as previously required.
Opting out
DHSC advise that the opting out system will be simplified to allow the patient to change their opt out status at any time. They have additionally advised that:
- Patients do not need to register a Type 1 opt-out by 1st September to ensure their GP data will not be uploaded
- NHS Digital will create the technical means to allow GP data that has previously been uploaded to the system via the GPDPR collection to be deleted when someone registers a Type 1 opt-out
- The plan to retire Type 1 opt-outs will be deferred for at least 12 months while DHSC establish the new arrangements, and that retirement will not be implemented without further consultation with the RCGP, the BMA and the National Data Guardian
Given these changes, there is no longer any urgency to process Type 1 opt-outs specifically for GPDPR in order for patients to opt-out.
Patients still cannot register a national data opt-out via their own GP practice; they must do so using one of the following:
- Online service – Patients registering need to know their NHS number or their postcode as registered at their GP practice
- Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700
- NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google play
- By post – a completed application form, together with photocopies of proof of the applicant’s name (e.g., passport, UK driving licence) and address (e.g., utility bill, payslip), sent to:
NHS
PO Box 884
LEEDS
LS1 9TZ
Note: It can take up to 14 days to process the form upon receipt
Patients in secure settings
Patients in the detained and secure estate who want to register a national data opt-out need a healthcare professional to complete a proxy form on their behalf. NHS Digital’s guidance on proxy forms details who can complete the form and how it should be filled in.
The national data opt-out information is held centrally on the NHS Spine and will not be updated in the SystmOne prison module so you will not see the national data opt-out in the patient’s record.
Further reading can be sought from NHS Digital.
General practice data for planning and research data collection
About
The new General Practice Data for Planning and Research (GPDPR) collection is an NHS Digital collection of patient data from GP records, intended to help the NHS improve health and care services for everyone.
GPDPR is designed to assist the NHS to:
- Monitor the long-term safety and effectiveness of care
- Plan how to deliver better health and care services
- Prevent the spread of infectious diseases
- Identify new treatments and medicines through health research
Data sharing
Data may be shared from GP medical records for:
- Any living patient registered at a GP practice in England when the collection started – this includes children and adults
- Any patient who died after this data sharing started and was previously registered at a GP practice in England when the data collection started
NHS Digital will not share the patient’s name or demographic details. Any other data that could directly identify the patient will be replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital. This includes:
- NHS number
- General Practice Local Patient Number
- Full postcode
- Date of birth
This process is called pseudonymisation. Nobody receiving the data can directly identify the patient from it; however, NHS Digital can use the same software to convert the unique codes back into directly identifying data in certain circumstances and where there is a valid legal reason. Because re-identification remains possible, pseudonymised data is still personal data under the UK GDPR and must be protected as such.
What information can and cannot be shared
NHS Digital will collect structured and coded data from patient medical records including:
- Data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments including information about physical, mental and sexual health
- Data on sex, ethnicity and sexual orientation
- Data about staff who have treated patients
NHS Digital will not collect:
- Name and address (except for postcode, protected in a unique coded form)
- Written notes (free text) such as the details of conversations with doctors and nurses
- Images, letters and documents
- Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
- Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment and certain information about gender re-assignment
Opting out
Patients who do not want their identifiable patient data to be shared for purposes other than their own care can opt out by registering a Type 1 Opt-out, a national data opt-out (NDO-O) or both. NHS Digital will not collect any patient data for patients who have already registered a Type 1 Opt-out, in line with current policy.
- Type 1 Opt-out
A Type 1 Opt-out is used to opt out of NHS Digital collecting a patient’s data.
If patients do not want their patient data shared with NHS Digital for the purposes of planning or research, they can register a Type 1 Opt-out with the GP practice. Patients can register a Type 1 Opt-out at any time and additionally may reverse their decision at any time by withdrawing their Type 1 Opt-out.
If a patient registers a Type 1 Opt-out after the collection has started, no more of the patient’s data will be shared with NHS Digital. NHS Digital will, however, still hold any patient data that was shared before the Type 1 Opt-out was registered, pending the deletion mechanism described above.
If patients have previously registered a Type 1 Opt-out and would like to withdraw it, they can use the same Type 1 Opt-out form to do so. The form can be sent by post or email to the GP organisation, or the patient can call 0300 303 5678 for a form to be sent out to them.
- National data opt-out (NDO-O)
A national data opt-out (NDO-O) is an opt-out from NHS Digital sharing a patient’s confidential patient information for purposes other than their individual care.
Once established, the NDO-O will also apply to any confidential patient information shared by the GP practice with other organisations for purposes other than a patient’s individual care. It will not apply to this data being shared by GP practices with NHS Digital as it is a legal requirement for this organisation to share this data with NHS Digital and the NDO-O does not apply where there is a legal requirement to share data.
Available resources
The following resources are available for staff at Northwood & Alvechurch Medical Centre:
- National Data Guardian for Health and Care – review of data security, consent and opt outs
- National data opt out – data protection impact assessment
- National data opt out training
- Compliance with the national data opt out
- Guidance for health and care staff
- Supporting your patients – information and resources
- Information for GP practices
- Understanding the national data opt out
Further information is available within the National data opt-out guidance.
Further information
Privacy notice checklists
The ICO has provided a privacy notice checklist that can be used to support the writing of the organisation’s privacy notice. The checklist can be found by following this link.
Summary
It is the responsibility of all staff at Northwood & Alvechurch Medical Centre to ensure that patients understand what information is held about them and how this information may be used.
Furthermore, the organisation must adhere to the DPA18 and the UK GDPR to remain compliant with current legislation.