Practice Policies & Patient Information
Our Mission Statement
To improve the health, well-being and lives of those we care for, to provide the highest quality healthcare under the NHS to all our patients by a well trained and motivated primary health care team. We are committed to providing our patients with the best possible service.
Practice Policies
Access to Medical Records Policy
1.1 Policy statement
The purpose of this document is to ensure appropriate procedures are in place at this organisation to enable individuals to apply for access to health records, and to enable authorised individuals to apply for access to information held about other people by making a subject access request (SAR).
Failure to comply with the policy and any associated breaches of patient data or confidentiality could lead to prosecution or the imposition of penalties by the Information Commissioner’s Office (ICO).
Access to medical records can be provided via:
- An online portal linked to the organisation’s webpage
- A variety of NHS approved apps
- A verbal SAR
- A written SAR including email and/or through social media
This policy is written in conjunction with the following government legislation:
- Access to Health Records Act 1990
- Access to Medical Reports Act 1988
- Data Protection Act 2018 (incorporating the UK GDPR)
- Data Protection (Subject Access Modification) (Health) Order 2000
- Mental Capacity Act 2005
Throughout this document, references have been taken directly from the ICO.
1.2 Status
In accordance with the Equality Act 2010, we have considered how provisions within this policy might impact on different groups and individuals. This document and any procedures contained within it are non-contractual, which means they may be modified or withdrawn at any time. They apply to all employees and contractors working for the organisation.
2 Right to access
This organisation ensures that all patients are aware of their right to access their data and has privacy notices displayed in the following locations:
- Waiting room
- Organisation website
- Organisation information leaflet
To comply with the UK GDPR, all organisation privacy notices are written in a language that is understandable to all patients and meets the criteria detailed in Articles 12, 13 and 14 of the UK GDPR. The organisation also has privacy notices for the practice and for children.
The reason for granting access to data subjects is to enable them to verify the lawfulness of the processing of data held about them. In addition, data subjects can authorise third party access, e.g., for solicitors and insurers, under the UK GDPR.
Detailed information about access for third parties can be found at Chapter 10.
3 Patient access to online medical records
3.1 Registering for online services
At this organisation, staff are to remind patients that GP online services are free and available to all registered patients. NHS England has published a number of guides and leaflets that provide further detailed information about how patients can access their health record online. Guidance for staff is accessible here.
Patients who wish to register for online services to book or cancel appointments, order repeat prescriptions and view their medical records and clinical correspondence online are to complete the registration form at Annex A.
Additionally, those applicants wishing to apply for access to retrospective information held about other people must complete the appropriate sections on the registration form also at Annex A and the application should be processed in line with the requirements outlined in the proxy access and third-party requests section.
For those patients unable to visit their own GP organisation, NHS Digital provides access to sign up for online services here where there is a requirement to provide appropriate identification using a mobile phone as part of the process.
Prospective access to full records is subject to the same safeguarding information requirements as are applied to detailed coded record access. Requests for access can be refused and further detail is provided in the refusal to comply with a request and coercion sections.
Unlike registration, ID verification is required to ensure that online access is granted only to the patient or their authorised representative(s). All patients will be requested to provide two forms of ID verification in line with NHS England’s Good Practice Guidance on Identity Verification and the organisation accepts appropriate forms of ID outlined in the identity verification section.
Completed documentation will be reviewed by the clinician responsible for processing including the review of online records for third party references and any information that may cause harm or distress to the patient/applicant that may need to be hidden from online access using confidentiality policies (see Third party information and Non-disclosure sections). For all applications, requesters should be advised that it will often take several days to process any online service request.
3.2 Post-registration
Once a patient has registered at the organisation and the request has been processed, they are to be issued with a letter that includes their unique username, password and instructions on how to access the online services. Only the completed registration form should be scanned into the individual’s healthcare record.
4 Summary Care Records (SCR)
4.1 Overview
NHS England explains that a Summary Care Record (SCR) is a national database that holds electronic records of patient information including current medication, allergies and reactions to medication, created from GP medical records. Additional information in the SCR, such as details of long-term conditions, significant medical history or specific communication needs, is now included by default for patients with an SCR unless they have previously told the NHS that they do not want this information to be shared. Additionally, COVID-19 related information will also be shared.
Should a patient not wish to have any additional information shared, they can complete the SCR patient consent preference form.
5 Requests for medical information
5.1 About
Most requests for medical information are made via a SAR and are usually from a patient or their representative. Requests may also be received from other sources such as private healthcare providers and this may be in the form of a letter detailing the patient’s consent to release the requested information.
To promote safer data protection working practices, upon receipt of any request and even with a signed consent form, this organisation will contact the subject (patient) to confirm that this request is genuine.
5.2 Subject Access Requests (SAR) to medical records
In accordance with Article 15 of the UK GDPR, individuals have the right to access their data and any supplementary information held by this organisation. SARs are predominantly used for access to, and the provision of, copies of medical records. This type of request need not always be in writing (e.g., letter, e-mail). However, applicants should be offered the use of a SAR application form which allows for an explicit indication of the required information.
When a data subject (individual) wishes to access their data, they are to be encouraged to use the SAR form which can be found at Annex B. All staff must note that the ICO states, “An individual can make a SAR verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data”.
To request a SAR, the requester must be:
- The data subject OR
- Have the written permission of the data subject OR
- Have legal responsibility for managing the subject’s affairs to access personal information about that person, such as a lasting power of attorney (LPA)
It is the requester’s responsibility to satisfy this organisation of their legal authority to act on behalf of the data subject. The organisation must be satisfied of the identity of the requester before they can provide any personal information (see Identity verification section).
Requests may be received from the following:
- Competent patients – May apply for access to their own records or authorise third party access to their records
- Children and young people – May also apply in the same manner as other competent patients. This organisation will not automatically presume a child or young person has capacity under the age of 16. However, those aged 13 or over are expected to have the capacity to consent to medical information being disclosed. This reflects the information given in the UK GDPR and also in CQC GP Mythbuster 8: Gillick competency and Fraser guidelines.
- Parents – May apply to access their child’s health record providing this is not in contradiction of the wishes of the competent child. Further guidance on parental access to a child’s healthcare records is detailed within the BMA guidance titled Children and young people ethics toolkit and at Section 10.4.
- Individuals with a responsibility for adults who lack capacity – Are not automatically entitled to access the individual’s health records. This organisation will ensure that the patient’s capacity is judged in relation to the particular decisions being made. Any consideration to nominate an authorised individual to make proxy decisions for an individual who lacks capacity will comply with the Mental Capacity Act 2005 in England and Wales and the Adults with Incapacity Act in Scotland.
- Next of kin – Have no rights of access to health records
- Police – In all cases, the organisation can release confidential information if the patient has given his/her consent (preferably in writing) and understands the consequences of making that decision. There is, however, no legal obligation to disclose information to the police unless there is a court order or this is required under statutes (e.g., Road Traffic Act 2006).
Nevertheless, health professionals have power under the Data Protection Act 2018 and the Crime and Disorder Act 1998 to release confidential health records without consent for the purposes of the prevention or detection of crime or the apprehension or prosecution of offenders. The release of the information must be necessary for the administration of justice and is only lawful if this is necessary:
- To protect the patient’s or another person’s vital interests, or
- For the purposes of the prevention or detection of any unlawful act where seeking consent would prejudice those purposes and disclosure is in the substantial public interest (e.g., when the seriousness of the crime means there is a pressing social need for disclosure)
Only information that is strictly relevant to a specific police investigation should be considered for release and only then if the police investigation would be seriously prejudiced or delayed without it. The police should be asked to provide written reasons why this information is relevant and essential for them to conclude their investigations.
- Court representatives – A person appointed by the court to manage the affairs of a patient who is incapable of managing his or her own affairs may make an application. Access may be denied when the responsible clinician is of the opinion that the patient underwent relevant examinations or investigations in the expectation that the information would not be disclosed to the applicant.
- Patient representatives/solicitors – A patient can give written authorisation for a person (for example a solicitor or relative) to make an application on their behalf for copies of their medical records. This organisation may withhold access if it is of the view that the patient authorising the access has not understood the meaning of the authorisation. It is important to stress to the patient that under a SAR, all health records are provided unless a specific time period is stated and patients should be mindful of giving access to this level of health data.
Solicitors who are acting in civil litigation cases for patients should obtain consent from the patient using the form that has been agreed with the BMA and the Law Society. If a consent form from the patient is not received with the application form then no information must be provided until this has been received.
- Requests for insurance medical reports – SARs are not appropriate should an insurance company require health data to assess a claim. The correct process for this at this organisation is for the insurer to use the Access to Medical Reports Act 1988 when requesting a GP report.
In most cases, the requester will provide the patient’s signed consent to release information held in their health record. The BMA have issued guidance on requests for medical information from insurers.
Therefore, this organisation will contact the patient to explain the extent of disclosure sought by the third party. The organisation can then provide the patient with the medical record as opposed to the insurer. The patient is then given the opportunity to review their record and decide whether they are content to share the information with the insurance company.
Insurers are to be advised that the following fees are applicable and as detailed within BMA Guidance Fees:
- GP report for insurance applicants £104.00
- GP supplementary report £27.00
It is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. The use of the organisation’s SAR form supports the data controller in verifying the request. In addition, the data controller is permitted to ask for evidence to identify the data subject, usually by using photographic identification, i.e., driving licence or passport.
5.3 Processing a SAR request
Upon receipt of a SAR, a record of this is to be detailed within the health record of the individual to whom it relates, as well as annotating the organisation’s Data Subject Access Request (SAR) Register. Further to this, once processed, another entry onto the health record should be made, including the date of postage or the date the record was collected by the patient or authorised individual in addition to updating the SAR Register.
Under the Data Protection (Subject Access Modification) (Health) Order 2000, an appropriate healthcare professional (responsible clinician) manages all access matters. Whenever possible, the healthcare professional most recently involved in the care of the patient will review and deal with the request. If, for some reason, they are unable to manage the request, an appropriate professional will assume responsibility and manage the access request.
To ensure compliance, the data controller will ensure data is processed in accordance with Article 5 of the UK GDPR. Data processors will ensure that the processing of personal data is lawful and at least one of the following applies:
- The data subject has given consent to the processing of his/her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the data controller is subject
- Processing is necessary to protect the vital interests of the data subject or another natural person
Individuals will have to verify their identity. It is the responsibility of the data controller to verify all requests from data subjects using reasonable measures. Further information can be sought from the NHS England document titled Good practice guidance on identity verification and the Identity verification section.
The process upon receipt of a SAR form is illustrated at Annex E which is an aide-memoire/flow diagram for staff. A poster explaining how to access health records for use in waiting room areas can be found at Annex F.
5.4 Timeframe for responding to requests
In accordance with the UK GDPR, patients are entitled to receive a response within the maximum given time frame of one calendar month from the date of submission of the SAR. In the case of complex or multiple requests, the data controller may extend the response time by a period of two months. In such instances, the applicant must be informed in the first month and the reasons for the extension given.
Should the request involve a large amount of information, the data controller will ask the data subject to specify what data they require before responding to the request. Data controllers are permitted to ‘stop the clock’ in relation to the response time until clarification is received. For further detailed information, see the BMA’s Access to health records.
5.5 Fees
SARs are generally processed free of charge. Only if the SAR is ‘manifestly unfounded’ or ‘excessive’ can a ‘reasonable’ fee be charged although the circumstances when a fee can be charged are rare and should be decided on a case-by-case basis. For further guidance, see this ICO guidance.
5.6 Method of response to requests
The decision as to what format to provide the requested information in should take into consideration the circumstances of the request and whether the individual can access the data in the format provided. Should an individual submit a SAR electronically, this organisation will reply in the same format unless the data subject states otherwise.
When the patient/applicant requests their information to be emailed to them, it is strongly recommended that the organisation explains to the patient/applicant the risks (for example, unauthorised interception of the data) of receiving the data via unencrypted means to a non-NHS email address. The organisation should document the patient’s agreement (expressed in writing or via email) to receive their data via unencrypted means in the medical record. If the patient/applicant agrees, a USB stick or a CD can be used as alternative electronic formats.
For those requests that are not made electronically, a paper copy can be provided unless the patient has explicitly requested a different format.
5.7 Amendments to medical records
Records should not be amended because of a request for access; it is a criminal offence under the Data Protection Act 2018 to amend or delete records in response to a SAR. If amendments are made between the time that the request for access was received and the time at which the records were supplied, these must only be amendments that would have been made whether or not the request for access was made. When dealing with a SAR, the most up-to-date information should be provided.
Information that is clinically relevant must not be deleted from medical records. For electronic records, information can be removed from display but the audit trail will always keep the record complete. Amendments to records can be made provided the amendments are made in a way that indicates why the alteration was made so that it is clear that records have not been tampered with for any underhand reason.
Patients may also seek correction of information that they believe is inaccurate. See the Disputes concerning content of records section.
5.8 Additional Privacy Information notice
Once the relevant information has been processed and is ready for issue to the patient, it is a requirement, in accordance with Article 15 of UK GDPR, to provide an Additional Privacy Information notice (APIn), the template for which can be found at Annex G.
5.9 Organisation disclaimer
The template at Annex H is to be used when issuing patients with copies of their medical records. This outlines the fact that the patient is responsible for the security and confidentiality of their records once they leave the organisation and that the organisation will not accept any responsibility for copies of medical records once they leave the premises.
6 Refusal to comply with a request
This organisation will only refuse to comply with a SAR when exemption applies or when the request is manifestly unfounded or manifestly excessive. In such situations, the data controller will inform the individual of:
- The reasons why the SAR was refused
- Their right to submit a complaint to the ICO
- Their ability to seek enforcement of this right through the courts
Each request must be given careful consideration and, should it be refused, this must be recorded and the reasons for refusal justifiable. The ICO details that an organisation, as the data controller, has the right to refuse any online access or SAR, although any such refusal will be made within the allotted timescale and the reasons for the refusal will be given.
A letter template for refusal can be found at Annex I.
There are occasions when a healthcare professional may firmly believe that it is not appropriate to share all the information contained in the individual’s record, particularly if there is potential for such information to cause harm or distress to individuals or when the record contains information relating to a third party. This information can be redacted from the patient’s view but must not be deleted from the record (see Non-disclosure section). If system functionality to redact information is not available, the record should not be shared with the patient.
Further reading can be sought from the GMC document titled When you can disclose personal information.
7 Coercion
The risk of coercion of patients with online access should always be borne in mind. Patients may be forced into sharing information from their record including log-in details, medical history, repeat prescription orders, appointment booking details and other private, personal information. By gaining access to a person’s record, an abuser may gain further control or escalate harm.
Registering patients for online services requires awareness of the potential impact of coercion; children, adults in an abusive relationship and the elderly or otherwise vulnerable adults can all be victims. Access to a patient’s health record can be particularly attractive to an abusive partner, carer or parent. All staff involved in registering patients for online services are aware of the potential impact of coercion and the signs to look out for to help patients who might be subject to coercion.
Further reading on coercion can be sought within The Safeguarding Handbook and the Home Office webpage titled Domestic abuse: how to get help can provide guidance on actions that can be taken should coercion be suspected.
8 Non-disclosure
The UK GDPR provides for several exemptions in respect of information falling within the scope of a SAR. In summary, information can generally be treated as exempt from disclosure and should not be disclosed, if:
- It is likely to cause serious physical or mental harm to the patient or another person
- It relates to a third party who has not given consent for disclosure (when that third party is not a health professional who has cared for the patient) and after considering the balance between the duty of confidentiality to the third party and the right of access of the applicant, the data controller concludes it is reasonable to withhold third party information
- It is requested by a third party and the patient had asked that the information be kept confidential or the records are subject to legal professional privilege or, in Scotland, the records are subject to confidentiality as between client and professional legal advisor. This may arise in the case of an independent medical report written for the purpose of litigation. In such cases, the information will be exempt if, after considering the third party’s right to access and the patient’s right to confidentiality, the data controller reasonably concludes that confidentiality should prevail or it is restricted by order of the courts
- It relates to the keeping or using of gametes or embryos or pertains to an individual being born because of in vitro fertilisation
- In the case of children’s records, disclosure is prohibited by law, e.g., adoption records
The data controller must redact or block out any exempt information. Depending on the circumstances, the data controller may need to explain to the applicant how the relevant exemption has been applied. However, such steps should not be taken if, and insofar as, they would in effect cut across the protection afforded by the exemptions. Indeed, in some cases even confirming that a particular exemption has been applied may itself be unduly revelatory (e.g., because it reveals that the information sought is held, when this revelation is itself unduly invasive of relevant third-party data privacy rights). There is still an obligation to disclose the remainder of the records.
While the responsibility for the decision as to whether to disclose information rests with the data controller, advice about serious harm must be taken by the data controller from the responsible clinician. If the data controller is not the responsible clinician, then the appropriate responsible clinician needs to be consulted before the records are disclosed. This is usually the healthcare professional currently or most recently responsible for the clinical care of the patient in respect of the matters that are the subject of the request. If there is more than one, it should be the person most suitable to advise. If there is none, advice should be sought from another healthcare professional who has suitable qualifications and experience.
Circumstances in which information may be withheld on the grounds of serious harm are extremely rare and this exemption does not justify withholding comments in the records because patients may find them upsetting. When there is any doubt as to whether disclosure would cause serious harm, the BMA recommends that the responsible clinician discusses the matter anonymously with an experienced colleague, their Data Protection Officer (DPO), the Caldicott Guardian or a defence body.
9 Proxy access
9.1 Proxy access to medical records
Some patients find it helpful for a second person to have access to their online GP record. This is often a family member, medical next of kin, a close friend or a carer whom they trust to act on their behalf. The patient can, however, limit which online services they want the nominated individual to access.
This is called proxy access and arises in both adults and children and is dealt with differently according to whether the patient has capacity or not.
Proxy access should not be granted where:
- The organisation suspects coercive behaviour (See Coercion chapter)
- There is a risk to the security of the patient’s record by the person being considered for proxy access
- The patient has previously expressed the wish not to grant proxy access to specific individuals should they lose capacity, either permanently or temporarily; this should be recorded in the patient’s record
- The responsible clinician assesses that it is not in the best interests of the patient and/or that there are reasons as detailed in denial or limitation of information
The arrangement for proxy access may be formal or informal and this is detailed in the NHS England document titled Proxy Access. Further reading on this subject can be found in the NHS Digital document titled Linked profiles and proxy access.
A more formal approach can be to delegate a lasting power of attorney (LPA). Further information about LPAs can be sought from Chapter 11.
Detailed patient guidance can be found in the NHS E document titled Accessing GP services for someone else, with proxy access.
9.2 Proxy access in adults with capacity
Under the Data Protection Act 2018, patients over the age of 13 are assumed to have mental capacity to consent to proxy access. When a patient with capacity gives their consent, the application should be dealt with on the same basis as the patient.
Annex C is a consent form to allow nominated persons with capacity access to specific areas of a named person’s medical records.
This form can be used for a named proxy simply to book an appointment or order medication, or for greater access such as to test results or consultations. The form has tick boxes that specifically allow a named person to have partial or full access to the named patient’s healthcare information. This form must be signed by the patient prior to being considered valid. Any concerns with regard to coercion must be discussed with the safeguarding lead.
It should be noted that this form does not permit any third party individual to make healthcare decisions on behalf of the named patient. Furthermore, the patient is responsible for this agreement and any changes or updates that may be required at a later date.
Chapter 12 details the requirement to confirm any third party’s identity. For children and young people, refer to Section 10.4.
9.3 Proxy access in adults without capacity
Proxy access without the consent of the patient may be granted in the following circumstances:
- The patient has been assessed as lacking capacity to decide on granting proxy access and has registered the applicant as a lasting power of attorney for health and welfare with the Office of the Public Guardian
- The patient has been assessed as lacking capacity to decide on granting proxy access and the applicant is acting as a Court Appointed Deputy on behalf of the patient
- The patient has been assessed as lacking capacity to make a decision on granting proxy access and, in accordance with the Mental Capacity Act 2005 code of practice, the responsible clinician considers it in the patient’s best interests to grant access to the applicant.
- When an adult patient has been assessed as lacking capacity and access is to be granted to a proxy acting in their best interests, it is the responsibility of the responsible clinician to ensure that the level of access enabled, or information provided is necessary for the performance of the applicant’s duties
Annex D provides a template to support these requests.
9.4 Children and young people’s access
It is difficult to say at what age the child will become competent to make autonomous decisions regarding their healthcare as between the ages of 11 and 16 this varies from person to person. In accordance with Article 8 of the UK GDPR, from the age of 13 young people can provide their own consent and will be able to register for online services.
For detailed guidance for children, the RCGP has raised a document titled Children and Young People which explores proxy access and how the child’s 11th and 16th birthdays act as specific milestones.
9.5 Proxy access in children without consent
The organisation may authorise proxy access without the patient’s consent when:
- The patient does not have capacity to make a decision on giving proxy access
- The applicant has a lasting power of attorney (health and welfare) and the patient is without capacity
- The applicant is acting as a Court Appointed Deputy on behalf of the patient
- The GP considers it to be in the patient’s best interests
The person authorising access has responsibility to ensure that the level of access enabled is appropriate for the performance of the applicant’s duties.
The nominated individual is to complete the online services registration form at Annex A or the SAR application form at Annex B. Should the organisation opt not to grant the person access to an individual’s record, the responsible clinician will contact the patient and advise them of the reasons why this decision has been reached.
The organisation may refuse or withdraw formal proxy access at any time if it is judged that it is in the patient’s best interests to do so. Formal proxy access may be restricted to less access than the patient has, e.g., appointments and repeat prescriptions only.
Patients who choose to share their account credentials with family, friends and carers (including a care home) must be advised of the risks associated with doing so. Formal proxy access is the recommended alternative in all circumstances.
Further information on competency for children and young people can be sought in the organisation’s Consent Policy. Furthermore, additional reading on proxy access can be sought in the following:
- NHS E document titled Proxy access
- RCGP documents titled GP Online Services Guidance: Children and Young People and Proxy Access
9.6 Parents gaining access to a child’s medical record
This organisation will allow parents access to their child’s medical records if the child or young person consents or lacks capacity and it does not go against the child’s best interests. However, if the records contain information given by the child or young person in confidence then this information should not normally be disclosed without their consent.
It should be noted that divorce or separation does not affect parental responsibility and therefore both parents will continue to have reasonable access to their children’s health records unless legally advised not to do so.
Further reading on this subject can be sought in the GMC document titled Accessing medical records by children, young people and parents and the organisation’s Safeguarding Handbook.
10 Lasting power of attorney
10.1 About
A lasting power of attorney (LPA) is a legal document that allows individuals to give people they trust the authority to manage their affairs if they lack capacity to make certain decisions for themselves in the future.
To nominate an attorney under an LPA, the person must be over 18 years old and have the ability to make their own decisions (mental capacity). There are two types of LPA: the vast majority of LPAs deal with health and welfare, although occasionally there may be a need to be involved with LPAs that cover property and financial affairs. For further information about this, including how to make, register or end an LPA, see here.
10.2 Responding to an access request
When someone is applying for proxy access on the basis of an enduring power of attorney, an LPA or as a Court Appointed Deputy, their status should be verified by making an online check of the registers held by the Office of the Public Guardian here.
Should an LPA have been granted, this will allow the nominee to access healthcare records for the patient that they are acting on behalf of. This may include sharing medical records with other third parties as they deem appropriate. An example could be when a patient without capacity is in a care home. A template for this can be found at Annex D. Should there be any concern about an LPA, then government advice can be found here.
11 Identity verification
11.1 Requirement
Before access to health records is granted, the patient’s identity, and in the case of proxy access requests the requestor’s identity, must be verified. There are three ways of confirming patient identity:
- Documentation (forms of identification)
- Vouching
- Vouching with confirmation of information held in the applicant’s records
All applications will require formal identification through two forms of ID, one of which must contain a photo. Acceptable documents include passports, photo driving licences and bank statements but not bills. When a patient may not have suitable photographic identification, vouching with confirmation of information held in the medical record can be considered by the data controller or responsible clinician. This should take place discreetly and ideally in the context of a planned appointment.
It is extremely important that the questions posed do not incidentally disclose confidential information to the applicant before their identity is verified.
11.2 Adult proxy access verification
Before the organisation provides proxy access to an individual or individuals on behalf of a patient, further checks must be made:
- There must be either the explicit informed consent of the patient or some other legitimate justification for authorising proxy access without the patient’s consent
- The identity of the individual who is asking for proxy access must be verified as outlined above
- The identity of the person giving consent for proxy access must also be verified as outlined above. This will normally be the patient but may be someone else acting under a power of attorney or as a Court Appointed Deputy
11.3 Child proxy access verification
Before the organisation provides parental proxy access to a child’s medical records the following checks must be made:
- The identity of the individual(s) requesting access via the method outlined above
- That the identified person is named on the birth certificate of the child
In the case of a child judged to have capacity to consent, there must be the explicit informed consent of the child.
11.4 How to set up a proxy access
NHS Digital’s Linked profiles and proxy access details how to add proxy users to the clinical system to allow parents, family members and carers to access health services on behalf of other people.
12 Deceased patients
12.1 Access to deceased persons’ medical records
The UK GDPR does not apply to data concerning deceased persons. However, the ethical obligation to respect a patient’s confidentiality extends beyond death. There are several considerations to take into account prior to disclosing the health record of a deceased patient, all of which are detailed in the Access to Health Records Act 1990.
For further detailed information, see the organisation’s Access to Deceased Patients Records Policy.
12.2 Chargeable fees for deceased patients
Legislative changes to the Data Protection Act 2018 have also amended the Access to Health Records Act 1990 which now states access to the records of deceased patients and any copies must be provided free of charge.
However, when health information is to be disclosed for the deceased in the absence of a statutory basis, e.g., when a solicitor or insurance company requests a medical report or information to confirm death or an interpretation of what is in the records, this is classed as private work over and above that which is already available in the record.
Any fees charged should be reasonable and proportionate to cover the cost of satisfying a request. Further reading can be found in the BMA document titled Access to health records.
12.3 Chargeable fees for a SAR
Should a SAR be initiated by a solicitor and they are asking for a report to be written, or the request asks for an interpretation of information within the record, this goes beyond a SAR and therefore a fee can be charged. The organisation may ask the solicitor the nature of the request to confirm whether or not it should be charged for.
If the solicitor confirms that they are seeking a copy of the medical record, then this should be treated as a SAR and complied with in the usual way. Fees are further detailed at Section 6.5 and within the BMA webpage titled Access to health records.
13 Employee requests
Employees and ex-employees of the organisation have a right to request a copy of their personal data including their employment record, occupational health records, complaints files, significant event files and any other relevant correspondence. Not all personal data that an organisation holds about an individual needs to be provided as certain exemptions exist.
For example, legally privileged documents do not need to be disclosed or when personal data is processed for the purposes of management forecasting or management planning in relation to business planning.
The requestor does not need to provide a reason for making a SAR, however they must state who they are and provide appropriate ID. The requestor should specify a date range, subject matter and the people who they believe have sent or received information about them. An employer cannot refuse to supply information if documents provide third party references. These should simply be redacted on the copy provided to the requestor.
Article 15 (1) of the UK GDPR states that an employer must provide the information requested together with certain additional information including:
- The purpose for which the employer is processing the data
- Categories of the personal data being processed
- Who receives or has received the personal data from the employer
- How long the employer keeps personal data or the criteria used in deciding how long to keep the information
- Information about where the employer obtained the personal information if that information was not collected directly from the employee
- If the employer does cross-border data transfers, information about how data security is safeguarded
- Whether the employer uses automated decision-making and profiling and, if so, details of the automated decision-making logic used and what this means for the employee
The procedure for employees or ex-employees undertaking a SAR follows the same process as detailed in the section Procedure for Access.
Article 15 (3) of the UK GDPR states that on receipt of a SAR, the employer must give the requestor a copy of their personal information without charge but can charge a reasonable fee for additional requests. If the request is made by e-mail, then the employer must provide the information in a commonly used electronic format unless the requestor requires the information in a different format.
14 Denial or limitation of information
Access will be denied or limited when, in the reasonable opinion of the responsible clinician, access to such information would not be in the person’s best interests because:
- It is likely to cause serious harm to the person’s physical or mental health
- It is likely to cause serious harm to the physical or mental health of any other person
- The information includes a reference to any third party who has not consented to its disclosure
A reason for denial of information must be recorded in the medical records and when possible and appropriate, an appointment will be made with the patient to explain the decision.
15 Third party information
Patient and organisational records may contain confidential information that relates to a third person. This may be information from or about another person. It may be entered in the record intentionally or by accident.
It does not include information about or provided by a third party that the patient would normally have access to, such as hospital letters. All confidential third party information must be removed or redacted. This will be reviewed and highlighted by the appropriate responsible clinician or data controller. If this is not possible then access to the information will be refused.
16 Former NHS patients living outside the UK
Patients no longer resident in the UK have the same rights to access their information as those who still reside here and must make their request for information in the same manner.
Original health records should not be given to an individual to take abroad with them. However, this organisation may be prepared to provide a summary of the treatment given while resident in the UK.
17 Disputes concerning content of records
Once access to records has been granted, patients or their proxy may dispute the accuracy of the records or may not understand the medical codes used.
Patients or their proxy may notice and point out errors in their record, unexpected third party references and entries they object to or want deleted. The right of rectification and erasure is established within the UK GDPR. Any queries will be directed to the data controller who will contact the patient. They will investigate swiftly and thoroughly to identify the source and extent of the problem.
The responsible clinician and Caldicott Guardian/data controller will then decide on the most appropriate action. When the dispute concerns a medical entry, the clinician who made the entry should be consulted and consideration given as to whether it is appropriate to change or delete an entry.
When it is not possible or practical to contact the clinician concerned, the Caldicott Guardian or data controller should be consulted. If it is not possible to amend the records, a meeting with the patient or their proxy should be organised to explain why.
Advice MUST be sought from the DPO should a patient wish to apply their UK GDPR rights of:
- Rectification (Article 16 UK GDPR)
- Erasure (Article 17 UK GDPR)
- Restriction of processing (Article 18 UK GDPR)
- Data portability (Article 20 UK GDPR)
- Right to object (Article 21 UK GDPR)
When it is not appropriate to amend a medical record, an entry may be made declaring that the patient disagrees with the entry. If the patient further disputes the accuracy once a decision has been made, they will be referred to the Complaints Procedure and/or the Health Ombudsman.
18 Complaints
This organisation has procedures in place to enable complaints about access to health records requests to be addressed, as detailed within the organisation’s Complaints Procedure.
Specifically for data complaints, the complainant may wish to take their complaint directly to the ICO. Alternatively, they may also wish to seek independent legal advice. Guidance from the DPO should be sought should any data complaint be received.
19 Care Quality Commission (CQC)
19.1 Access to medical records during an inspection
The CQC has powers under the Health and Social Care Act 2008 to access medical records to exercise its role and the Code of practice on accessing confidential and personal information describes its powers that permit accessing medical records.
Further guidance is given within GP mythbuster 12: Accessing medical records during inspections where it is advised that confidentiality of any patient’s clinical record will be maintained and that the inspecting team will always follow its code of practice.
Annex A – Application for patient online services template
ONLINE ACCESS TO RETROSPECTIVE HEALTH RECORDS REQUEST
In accordance with the UK General Data Protection Regulation (UK GDPR)
Guidance notes – please read before completing this form:
Patients with online accounts, such as through the NHS App, should be able to read new (prospective) entries in their health record. This form applies to past (retrospective) record entries and historic data.
If a child aged 13 or over has ‘sufficient understanding and intelligence to enable him/her to understand fully what is proposed’ (known as Gillick Competence), then s/he will be competent to give consent for him/herself but may wish a parent to countersign as well.
- Patients requiring access to their own record (Sections 1, 2 and 7)
- Proxy access to health records where patient has capacity (Sections 1, 3, 5, 6 and 7)
- Proxy access to health records where patient does not have capacity (Sections 1, 4, 5, 6 and 7)
- Parents requiring access to their child’s (age 13-17) record (Sections 1, 3, 5, 6 and 7)
Section 1: Patient details
| Field | Details | Field | Details |
|---|---|---|---|
| Surname | | Former name | |
| Forename | | Title | |
| Date of birth | | Address | |
| Telephone number | | Postcode | |
| NHS number (if known) | | Hospital number (if known) | |
Section 2: Record requested
I wish to have access to the following retrospective online services (please tick all that apply):
| Online service | Tick |
|---|---|
| Booking appointments | ☐ |
| Requesting repeat prescriptions | ☐ |
| Access to my medical records | ☐ |
I wish to access my medical record online and both understand and agree with each of the following statements (tick):
| Statement | Tick |
|---|---|
| I have read and understood the information leaflet provided by the organisation | ☐ |
| I understand that I will automatically see any new information (prospective records) that is added to my healthcare record | ☐ |
| I will be responsible for the security of the information that I see or download | ☐ |
| If I choose to share my information with anyone else, this is at my own risk | ☐ |
| I will contact the organisation as soon as possible if I suspect that my account has been accessed by someone without my agreement | ☐ |
| If I see information in my record that is not about me or is inaccurate, I will contact the organisation as soon as possible | ☐ |

| Patient signature | Date |
|---|---|
| | |
Section 3: Consent to proxy access to GP Online Services (if patient has capacity)
- I…………………………………… (name of patient), give permission to my GP practice to give the following person/people ………………………………………………… proxy access to the online services as indicated below in Section 5
- I reserve the right to reverse any decision I make in granting proxy access at any time
- I understand the risks of allowing someone else to have access to my health records
- I have read and understand the information leaflet provided by the organisation
| Patient signature | Date |
|---|---|
| | |
I/We wish to have access to the health records on behalf of the above-named patient
| Field | Details | Field | Details |
|---|---|---|---|
| Surname | | Surname | |
| First name | | First name | |
| Date of birth | | Date of birth | |
| Address | | Address | |
| Postcode | | Postcode | |
| Telephone | | Telephone | |
| Mobile | | Mobile | |
(If more than one person is to be given access then please list the above details for each additional person on a separate sheet of paper)
Reason for access:
| Reason | Tick |
|---|---|
| I have been asked to act by the patient | ☐ |
| I have full parental responsibility for the patient and the patient is under the age of 18 and has consented to my making this request or is incapable of understanding the request (delete as appropriate) | ☐ |
Section 4: Consent to proxy access to GP Online Services (if patient does not have capacity)
I/We wish to have access to the health records on behalf of the above-named patient
| Field | Details | Field | Details |
|---|---|---|---|
| Surname | | Surname | |
| First name | | First name | |
| Date of birth | | Date of birth | |
| Address | | Address | |
| Postcode | | Postcode | |
| Telephone | | Telephone | |
| Mobile | | Mobile | |
(If more than one person is to be given access then please list the above details for each additional person on a separate sheet of paper).
Reason for access:
| Reason | Tick |
|---|---|
| I/We have been appointed by the Court to manage the patient’s affairs and attach a certified copy of the court order appointing me to do so | ☐ |
| I am/We are acting in loco parentis and the patient is incapable of understanding the request | ☐ |
| I am/We are the deceased person’s personal representative and attach confirmation of my/our appointment (grant of probate/letters of administration) | ☐ |
| I/We have written and witnessed consent from the deceased person’s personal representative and attach Proof of Appointment | ☐ |
| I/We have a claim arising from the person’s death (please state details below) | ☐ |
Section 5: Proxy access online services available
I/We wish to have access to the following online services (please tick all that apply):
| Online service | Tick |
|---|---|
| Booking appointments | ☐ |
| Requesting repeat prescriptions | ☐ |
| Access to my medical records | ☐ |
Section 6: Proxy declaration
I/We wish to access the medical record online of the above patient and I/we understand and agree with each statement (tick):
| Statement | Tick |
|---|---|
| I/We have read and understood the information provided by NHS England in their webpage titled Accessing GP services for someone else, with proxy access. I/we agree that I/we will treat the patient information as confidential | ☐ |
| I/We will be responsible for the security of the information that I/we see or download | ☐ |
| I/We will contact the practice as soon as possible if I/we suspect that the account has been accessed by someone without my/our agreement | ☐ |
| If I/we see information in the record that is not about the patient or is inaccurate, I/we will contact the organisation as soon as possible. I/we will treat any information which is not about the patient as being strictly confidential | ☐ |
I declare that the information given by me is correct to the best of my knowledge and that I am entitled to apply for access to the health records referred to above under the terms of the Data Protection Act 2018.
You are advised that the making of false or misleading statements in order to obtain personal information to which you are not entitled is a criminal offence which could lead to prosecution.

| Applicant signature | Date |
|---|---|
| | |
Section 7: Proof of identity
Under the Data Protection Act 2018, you do not have to give a reason for applying for access to your own health records. However, all applicants will be asked to provide two forms of identification, one of which must be photographic identification before access can be set up.
Please speak to reception if you are unable to provide this.
ADDITIONAL NOTES:
Before returning this form, please ensure that you:
- Have signed and dated the form
- Are able to provide proof of your identity or alternatively have confirmed your identity by a countersignature
- Have enclosed documentation to support your request (if applicable)
Incomplete applications will be returned; therefore, please ensure you have the correct documentation before returning the form.
For office use only:
Identity must be verified through two forms of ID:
- One must contain a photo (e.g., passport or photo driving licence), together with a bank statement
- When this is not available, vouching by a member of staff or by confirmation of information in the records by one of the management team or a partner may be used

| Item | Details |
|---|---|
| Request received | |
| Request refused | |
| Reviewed by HCP | |
| Request completed | |
| Comments | |
| Identification of | ☐ Child (aged 13-17) ☐ Patient ☐ Applicant |
| Identity verified by | |
| Date | |
| Identity method | ☐ Photo ID or proof of residence – Type ……………………………….. ☐ Photo ID or proof of residence – Type ……………………………….. ☐ Vouching – by whom …………………………………………………… ☐ Vouching with information in record – by whom …………………… |
| Proxy access authorised by | |
| Proxy access coded in notes | ☐ Yes NHS/EMIS No: |
| Date account created | |
| Date password sent | |
| Level of access enabled | ☐ All ☐ Prospective ☐ Retrospective ☐ Limited parts |
| Notes for proxy access (If any request is refused, discuss with the organisation’s DPO before informing patient/applicant) | |
Annex B – Application for access to medical records (SAR)
APPLICATION FOR ACCESS TO MEDICAL RECORDS (SAR)
In accordance with the UK General Data Protection Regulation (UK GDPR)
Section 1: Patient details
| Field | Details | Field | Details |
|---|---|---|---|
| Surname | | Former name | |
| Forename | | Title | |
| Date of birth | | Address | |
| Telephone number | | Postcode | |
| NHS number (if known) | | Hospital number (if known) | |
If you are applying to view your own records, please go to Section 2.
If you are applying to view another person’s record, please go to Section 3.
Section 2: Record requested
Please tick the relevant boxes below. The more specific you can be, the easier it is for us to quickly provide you with the records requested. Record in respect of treatment for: (e.g., leg injury following a car accident)
| Request | Tick |
|---|---|
| I am applying for access to view my records only | ☐ |
| I am applying for an electronic copy of my medical record | ☐ |
| I am applying for a printed copy of my medical record | ☐ |
Please specify what information you are requesting:
| Request | Tick |
|---|---|
| I would like a copy of records between specific dates only (please give dates below) | ☐ |
| I would like a copy of records relating to a specific condition/specific incident only (please detail below) | ☐ |
| I would like a copy of all my electronic records (held on computer) | ☐ |
| I would like a copy of all my electronic and paper records since birth | ☐ |

| Patient signature | Date |
|---|---|
| | |
Section 3: Details and Declaration of Applicant
Please complete if you are requesting access on behalf of the above-named patient
| Field | Details | Field | Details |
|---|---|---|---|
| Surname | | Title | |
| Forename(s) | | Address | |
| Telephone number | | Postcode | |
| Relationship to Patient | | | |
(If more than one person is to be given access then please list the above details for each additional person on a separate sheet of paper)
| Request | Tick |
|---|---|
| I am applying for access to view the records only | ☐ |
| I am applying for an electronic copy of the medical record | ☐ |
| I am applying for a printed copy of the medical record | ☐ |
Please specify what information you are requesting:
| Request | Tick |
|---|---|
| I would like a copy of records between specific dates only (please give dates below) | ☐ |
| I would like a copy of records relating to a specific condition/specific incident only (please detail below) | ☐ |
| I would like a copy of all the electronic records (held on computer) | ☐ |
| I would like a copy of all the electronic and paper records since birth | ☐ |
Reason for access:
| Reason | Tick |
|---|---|
| I have been asked to act by the patient | ☐ |
| I have full parental responsibility for the patient and the patient is under the age of 18 and: has consented to my making this request, or is incapable of understanding the request (delete as appropriate) | ☐ |
| I have been appointed by the Court to manage the patient’s affairs and attach a certified copy of the court order appointing me to do so | ☐ |
| I am acting in loco parentis and the patient is incapable of understanding the request | ☐ |
| I am the deceased person’s personal representative and attach confirmation of my appointment (grant of probate/letters of administration) | ☐ |
| I have written, and witnessed, consent from the deceased person’s personal representative and attach Proof of Appointment | ☐ |
| I have a claim arising from the person’s death (please state details below) | ☐ |
Declaration
I declare that the information given by me is correct to the best of my knowledge and that I am entitled to apply for access to the health records referred to above under the terms of the UK Data Protection Act 2018.
You are advised that the making of false or misleading statements in order to obtain personal information to which you are not entitled is a criminal offence which could lead to prosecution.

| Applicant signature | Date |
|---|---|
| | |

I confirm that I give permission for the organisation to communicate with the person identified above regarding my medical records.

| Patient signature | Date |
|---|---|
| | |
Section 4: Proof of identity
Under the Data Protection Act 2018 you do not have to give a reason for applying for access to your health records.
Patients with capacity and proxy nominees will be asked to provide two forms of identification one of which must be photographic identification. Please speak to reception if you are unable to provide this.
Section 5: Consent for children
If a child aged 13 or over has “sufficient understanding and intelligence to enable him/her to understand fully what is proposed” (known as Gillick Competence), then s/he will be competent to give consent for him/herself.
They may wish a parent to countersign as well.
Young people aged 16 and 17 are legally competent and may therefore sign this consent form for themselves but may wish a parent to countersign as well.
If the child is under 18 and not able to give consent for him/herself, someone with parental responsibility may do so on his/her behalf by signing this form below.
| Field | Details |
|---|---|
| I am the patient aged 13 – 18 years | |
| Signature | |
| I am the parent/guardian/person with parental responsibility (delete as necessary) | |
| Signature | |
| Full name | |
| Address | |
| Date | |
You will be telephoned when the copies are ready for collection or posting.
ADDITIONAL NOTES:
Before returning this form, please ensure that you:
- Have signed and dated the form
- Are able to provide proof of your identity or alternatively have confirmed your identity by a countersignature
- Have enclosed documentation to support your request (if applicable)
Incomplete applications will be returned; therefore, please ensure you have the correct documentation before returning the form.
For office use only:
Identity must be verified through two forms of ID:
- One must contain a photo (e.g., passport or photo driving licence), together with a bank statement
- When this is not available, vouching by a member of staff or by confirmation of information in the records by one of the clinicians may be used
- If this is a proxy request, when the patient has capacity, both the patient and the proxy should provide identification as above in person

| Item | Details |
|---|---|
| Request received | |
| Request refused | |
| Reviewed by | |
| Request completed | |
| Fee (see section 6.5) | |
| Date sent | |
| Comments | |
| Patient identity verified by | |
| Date | |
| Method | ☐ Photo ID or proof of residence – Type ……………………………….. ☐ Photo ID or proof of residence – Type ……………………………….. ☐ Vouching – by whom …………………………………………………… ☐ Vouching with information in record – by whom …………………… |
| Proxy identity verified by | |
| Date | |
| Method | ☐ Photo ID or proof of residence – Type ……………………………….. ☐ Photo ID or proof of residence – Type ……………………………….. ☐ Vouching – by whom …………………………………………………… ☐ Vouching with information in record – by whom …………………… |
Annex C – Third-party access to healthcare information
APPLICATION FOR THIRD-PARTY ACCESS TO HEALTHCARE INFORMATION
To maintain the confidence of our patients, at [insert organisation name] we will not divulge any medical information about you unless it is legally appropriate, or we have your consent to do so.
Who should complete this form?
Anyone who is competent to do so.
It is difficult to state at what age any child will become competent to make autonomous decisions regarding their healthcare, as between the ages of 11 and 16 this varies from person to person. As most children are content that their parents have access to their healthcare information, this form will ordinarily be used for adults. However, it may equally be used for a child who is considered to have capacity and can understand their actions.
Agreement
Should you wish to consent for a nominated person to be able to discuss any medical information about you with staff at this practice, please indicate this in the form overleaf.
By completing this form, you should note the following:
- The person granting access to a third party must fully complete and sign the form
- Any incorrectly completed forms will not be processed and will be returned to the person making the application
- This form does not permit any third-party individual to make healthcare decisions on behalf of the named patient
- This practice may contact you via email or telephone should there be any concern
Disclaimer:
It is also your responsibility to keep us informed as to who can access and discuss specific areas of your medical record as detailed on the form. Should your circumstances change, it is your responsibility to advise this practice.
[Insert organisation name] relinquishes all responsibility should the above information become incorrect if not updated.
I, [insert patient name] hereby give permission for [insert organisation name] to discuss my medical records with the following:
| Patient requesting permission to allow proxy access | Details |
|---|---|
| Full name | |
| Date of birth | |
| Address | |
| Signature | |
| Date | |
| Telephone/Email | |

| Named person receiving access | Details |
|---|---|
| Full name | |
| Address | |
| Relationship | |
Agreement as to what can be divulged
I give permission for the following to be permitted or discussed with the above named person should they request (tick all that apply):
| Appointments | Medication | Consultations | Test results | Referrals |
|---|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ | ☐ |
Annex D – Nominated person agreement to release information
APPLICATION TO REQUEST INFORMATION IS RELEASED
To maintain confidence, at [insert organisation name] we will not divulge any medical information about any patient unless it is legally appropriate or we have consent to do so.
Who should complete this form?
Anyone who has authority, such as a lasting power of attorney (LPA), may lawfully act on behalf of a patient who does not have capacity. Prior to any release of information, the identity of the nominated person will be established and the Office of the Public Guardian will confirm that the nominated person is acting as an attorney under an LPA for the named patient.
Agreement
It is confirmed that a nominated person has an agreement, such as an LPA, to act on behalf of a patient who no longer has capacity.
There is a need to have the below named patient’s medical information released to another third party, e.g., a care home. The nominated person may act on behalf of a patient and request that their medical information is provided.
By completing this form, the following should be noted:
- The nominated person will be acting in the best interest of the patient
- The form must be fully completed and signed
- Any incorrectly completed forms will not be processed and will be returned to the person making the application
- This form does not permit any nominated individual to make healthcare decisions on behalf of the named patient
- This organisation may contact the nominated person via email or telephone should there be any concern
- This form must be completed each time a new request to release information to a third party is required
It is the responsibility of the nominated person to keep the organisation informed as to who can access and discuss specific areas of the named patient’s medical record as detailed on the form. Should any circumstances change, it is the responsibility of the nominated person to advise this practice.
I, [insert nominated person name], hereby give permission for this organisation to discuss clinical information about the medical records of [insert patient name] as follows:
| Name of patient | |
|---|---|
| Full name | |
| Date of birth | |
| Address | |

| Nominated person requesting permission to allow third-party access | |
|---|---|
| Full name | |
| Relationship | |
| Address | |
| Signature | |
| Date | |
| Telephone/email | |

| Named organisation receiving access | |
|---|---|
| Name | |
| Address | |
| Requirement | |

Agreement as to what can be divulged
I give permission for the following to be divulged or discussed with the above named organisation should they request (tick all that apply):

| Appointments | Medication | Consultations | Test results | Referrals |
|---|---|---|---|---|
| ☐ | ☐ | ☐ | ☐ | ☐ |
For office use only:
Identity must be verified through two forms of ID:
- One of which must contain a photo, e.g., a passport or photo driving licence; the other may be proof of residence, e.g., a bank statement
- When this is not available, vouching by a member of staff or confirmation of information in the records by one of the clinicians may be used
- LPA verification must be conducted through the Office of the Public Guardian
| Request received | | Request refused | |
|---|---|---|---|
| Reviewed by | | Request completed | |
| Date sent | | Comments | |

| ID verified by | | Date | |
|---|---|---|---|

Method (tick as appropriate):
- ☐ Photo ID or proof of residence – Type ………………………………..
- ☐ Photo ID or proof of residence – Type ………………………………..
- ☐ Vouching – by whom ……………………………………………………
- ☐ Vouching with information in record – by whom ……………………

| LPA verified by | | Date | |
|---|---|---|---|
| Comments | | | |
Annex E – DSAR desktop aide-memoire
[Insert organisation name] Data Subject Access Request desktop aide-memoire
Annex F – Access poster
ACCESSING YOUR MEDICAL RECORDS
Introduction
In accordance with the UK General Data Protection Regulation, patients (data subjects) have the right to access their data and any supplementary information held by this organisation. This is commonly known as a subject access request (SAR).
Data subjects have a right to receive:
- Confirmation that their data is being processed
- Access to their personal data
- Access to any other supplementary information held about them
Options for access
As of April 2016, organisations have been obliged to allow patients access to their coded health record online. As of October 2023, this service now enables the patient to view their full medical record. Prior to accessing this information, you will have to visit the organisation and undertake an identity check before being granted access to your records.
In addition, you can make a request to be provided with copies of your health record. To do so, you must submit a SAR form. This can be submitted electronically and the SAR form is available on the organisation website. Alternatively, a paper copy of the SAR is available from reception. You will need to submit the form online or return the completed paper copy of the SAR to the organisation. Patients do not have to pay a fee for copies of their records.
Time frame
Once the SAR form is submitted, this organisation will aim to process the request within 28 days; however, this may not always be possible.
Exemptions
There may be occasions when the data controller will withhold information kept in the health record, particularly if the disclosure of such information is likely to cause serious harm to your physical or mental health, or to that of any other person.
Data controller
At [insert organisation name], the data controller is [insert name] and should you have any questions relating to accessing your medical records, please ask to discuss this with the named data controller.
[Signed]
[Insert name] [Insert organisation name]
Data controller
Published: [Insert date] Review: [Insert date]
Annex G – Additional Privacy Information notice
[Insert organisation name]
[Organisation address]
[Contact number]
Dear [insert patient name],
On [insert date], you submitted a Subject Access Request (SAR) in order to receive copies of the information this organisation holds about you. Please find enclosed all relevant information. To comply with Article 15 of the UK General Data Protection Regulation, we are obliged to advise you of the following:
- The purposes of the processing: Your data is collected for the purpose of providing direct patient care. In addition, the organisation contributes to national clinical audits and will send information such as demographic data, i.e., date of birth and coded information about your health, to NHS Digital.
- The categories of data concerned: We process your personal and health data in accordance with Article 9 of the UK GDPR.
- The recipients or categories of recipients: Your data has been shared with [insert organisation(s)] to enable the provision of healthcare.
- How long your information will be retained: Records are retained in accordance with the NHS retention schedule; GP records are retained for a period of 10 years following the death of a patient.
- The right to rectification or erasure of personal data: Should you find any inaccuracies within the data we hold, please advise us of the inaccuracies and we will discuss with you how to rectify these.
- The right to lodge a complaint with the supervisory authority: In the unlikely event that you are unhappy with any element of our data processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select “Raising a concern”.
- How we obtained any of the data we hold about you: [Insert name] NHS Hospital Trust has provided us with [insert brief explanation of what has been provided] following your [admission/referral/specialist appointment].
- Any automated processing activities: This is not applicable to your data.
Should you have any questions relating to the information provided in this letter or about the copies of information we have provided, please contact [insert name] at the organisation on [insert number or give email address].
[Insert name]
[Insert role]
Annex H – Practice disclaimer
[Insert organisation name]
[Organisation address]
[Contact number]
Dear [insert patient name],
On [insert date], you submitted a Subject Access Request (SAR) in order to receive copies of the information that this practice holds about you. You have been provided with this information along with an Additional Privacy Information notice in order to comply with the UK General Data Protection Regulation (UK GDPR).
You are responsible for the confidentiality and safeguarding of the copies of your medical records which have been provided to you. This organisation accepts no responsibility for the copies once they leave the premises.
By signing this form, you are accepting full responsibility for the security and confidentiality of the copies of your medical records.
| Patient name | |
|---|---|
| Patient signature | |
| Date | |
Annex I – Refusal of SAR letter
[Insert organisation name]
[Organisation address]
[Contact number]
Dear [insert third party name],
On [insert date], a Subject Access Request (SAR) was received requesting copies of the information that this practice holds about [insert patient name].
In order to process this request, Information Commissioner’s Office (ICO) guidance requires any application for a SAR to meet strict criteria, and the data controller must be satisfied that the request meets these. In some circumstances, there are reasons why information should not be given.
In this instance, it is felt that this practice cannot process this request for the following reason*:
*[delete as appropriate]
- It is manifestly unfounded (see footnote 7 for ICO explanation)
- It is an excessive request, e.g., an insurer requesting a full copy of the medical records when this could be deemed unreasonable or excessive for the purpose
- The information required details a further third party therefore a separate SAR would be required
- The information may be detrimental or cause harm to the requesting patient or any other person
- It includes information about a child or non-capacious adult which would not be expected to be disclosed to the person making the request
- It is legally privileged information
- It is information that is subject to a Court Order
Should you have any questions relating to the information provided in this letter, please contact [insert name] at the organisation on [insert number or give email address].
If you disagree with the actions being taken, then you have the right to make a complaint to the Information Commissioner’s Office (ICO) at:
Address:
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
WILMSLOW,
SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk/global/contact-us/
Alternatively, you may seek to enforce your right through judicial remedy.
Yours sincerely,
[Insert name]
[Insert role]
Chaperone Policy
1 Introduction
1.1 Policy statement
At this organisation, all patients will routinely be offered a chaperone, ideally at the time of booking an appointment. It is a requirement that, when necessary, chaperones are provided to protect and safeguard both patients and clinicians during intimate examinations or procedures. This policy adheres to the guidance detailed in CQC GP mythbuster 15: Chaperones.
To raise awareness, the chaperone policy will be clearly advertised. At this organisation, a chaperone poster is displayed in the waiting area, all clinical areas and annotated in the organisation leaflet as well as on the organisation website.
1.2 Status
In accordance with the Equality Act 2010, we have considered how provisions within this policy might impact on different groups and individuals. This document and any procedures contained within it are non-contractual, which means they may be modified or withdrawn at any time. They apply to all employees and contractors working for the organisation.
2 Policy
2.1 Who can act as a chaperone
At this organisation, it is policy that any member of the team can act as a chaperone. However, they must have undertaken chaperone training as detailed in CQC GP mythbuster 15. Additionally, all staff must complete chaperone awareness training which covers the role of the chaperone.
2.2 General guidance
The General Medical Council (GMC) Intimate examinations and chaperones guidance explains that the patient should be given the option of having an impartial observer (a chaperone) present whenever possible.
As per the GMC guidance, relatives or friends of the patient are not considered to be an impartial observer so would not usually be a suitable chaperone but staff at this organisation should comply with a reasonable request to have such a person present in addition to the chaperone.
The GMC guidance also provides detailed guidance on what the clinician should do before and during the examination, including adhering to the GMC Decision making and consent guidance.
When a chaperone is present, the details of the chaperone must be recorded in the patient’s clinical record.
2.3 Role and expectations of a chaperone
Staff at this organisation acting as a chaperone are to adhere to the guidance referenced at 2.2. CQC GP mythbuster 15: Chaperones advises that for most patients and procedures, respect, explanation, consent and privacy are all that are needed. These take precedence over the need for a chaperone. A chaperone does not remove the need for adequate explanation and courtesy. Neither can a chaperone provide full assurance that the procedure or examination is conducted appropriately.
2.4 When a chaperone is unavailable
The GMC further advises that if either the clinician or the patient does not want the examination to go ahead without a chaperone present, or if either is uncomfortable with the choice of chaperone, the clinician may offer to delay the examination until a later date when a suitable chaperone will be available providing the delay would not adversely affect the patient’s health.
2.5 When a patient refuses a chaperone
If the clinician does not want to proceed with the examination without a chaperone but the patient has refused a chaperone, the clinician must clearly explain why they want a chaperone to be present. The GMC states that ultimately the patient’s clinical needs must take precedence. The clinician may wish to consider referring the patient to a colleague who would be willing to examine them without a chaperone providing a delay would not adversely affect the patient’s health.
Any discussion about chaperones and the outcome should be recorded in the patient’s medical record, and in particular:
- Who the chaperone was
- Their title
- That the offer was made and declined
2.6 Disclosure and Barring Service (DBS) check
Clinical staff who undertake a chaperone role at this organisation will already have a DBS check. CQC GP mythbuster 15: Chaperones states that non-clinical staff who carry out chaperone duties may need a DBS check. This is due to the nature of chaperoning duties and the level of patient contact. Should the organisation decide not to carry out a DBS check for any non-clinical staff, then a clear rationale for this decision must be given including an appropriate risk assessment.
2.7 Using chaperones during a video consultation
While it is widely accepted that many intimate examinations will not be suitable for a video consultation, should such a consultation be agreed, staff at this organisation are to adhere to the guidance detailed in CQC GP mythbuster 15.
2.8 Practice procedure (including SNOMED codes)
If a chaperone was not requested at the time of booking the appointment, the clinician will offer the patient a chaperone explaining the requirements:
- Contact reception and request a chaperone
- Record in the individual’s healthcare record that a chaperone is present and identify them
- The chaperone should be introduced to the patient
- The chaperone should assist as required but maintain a position so that they are able to witness the procedure/examination (usually at the head end)
- The chaperone should adhere to their role at all times
- Post procedure or examination, the chaperone should ensure they annotate in the patient’s healthcare record that they were present during the examination and there were no issues observed
- The clinician will annotate in the individual’s healthcare record the full details of the procedure as per current medical records policy
| Detail | SNOMED CT ID |
|---|---|
| Requires chaperone | 1218711000000108 |
| The patient agrees to a chaperone | 1104081000000107 |
| Provision of chaperone refused | 763380007 |
| Chaperone not available | 428929009 |
| Presence of chaperone | 314229006 |
| Nurse chaperone | 314380009 |
2.9 Escorting of visitors and guests (including VIPs)
There may be, on occasion, a need to ensure that appropriate measures are in place to escort visitors and guests including VIPs. On such occasions, this organisation will follow the recommendations outlined in the Lampard Report (2015).
If media interest is likely, the Practice Manager is to inform the local ICB, requesting that the communication team provides guidance and/or support where necessary.
Complaints Procedure
1 Introduction
1.1 Policy statement
The purpose of this document is to ensure all staff understand that all patients have a right to have their complaint acknowledged and investigated properly. This organisation takes complaints seriously and ensures that they are investigated in an unbiased, transparent, non-judgemental and timely manner. The organisation will maintain communication with the complainant (or their representative) throughout, ensuring they know their complaint is being taken seriously.
In accordance with the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (Regulation 16), all staff at this organisation must fully understand the complaints process. Supporting information including legislative requirements and additional reading on complaints management can be found at Annex A.
Complaints Management and Duty of Candour eLearning is available in the HUB.
1.2 Status
In accordance with the Equality Act 2010, we have considered how provisions within this policy might impact on different groups and individuals. This document and any procedures contained within it are non-contractual, which means they may be modified or withdrawn at any time. They apply to all employees and contractors working for the organisation.
2 Requirements
2.1 Complaints management team
The organisation has a responsible person for complaints who is known as the Complaints Lead. This person is responsible for maintaining both legislative and regulatory requirements. This role is supported by the Complaints Manager who is responsible for the day-to-day management of any complaint that may be received. Both named persons are detailed within the Complaints Leaflet.
As stated in A Guide to Effective Complaints Resolution (England), the responsible person and Complaints Manager can be the same person.
2.2 Definition of a complaint versus a concern
NHS England defines that a concern is something that a service user is worried or nervous about and this can be resolved at the time the concern is raised whereas a complaint is a statement about something that is wrong or that the service user is dissatisfied with which requires a response. Should a service user be concerned and raise this as such, if they believe that it has not been dealt with satisfactorily, then they may make a complaint about that concern. A concern may also be called a criticism.
2.3 Formal or informal?
There is no difference between a ‘formal’ and an ‘informal’ complaint; both are an expression of dissatisfaction. Unless the complainant specifically requests that their issue needs to be raised as a complaint, the Complaints Manager will consider whether it is logged as either a concern or complaint should they believe that it can be resolved quickly. CQC GP mythbuster 103: Complaints management states that a verbal complaint or concern does not need to be logged if resolved within 24 hours.
2.4 Complaints information
This organisation has prominently displayed notices within the practice detailing the complaints process, and this information is also on the organisation’s website. A complaints leaflet is also available at Annex B and at reception.
Any complainant should be provided with a copy of the complaints leaflet as this details the process, who to address the complaint to, advocacy support information and how to escalate their complaint if they are not content with the findings or outcome.
A desktop aide-memoire for staff on the complaints management process is detailed at Annex C. Should a patient or their representative wish to complete a complaints form, then templates for both are available at Annex D and Annex E.
2.5 Duty of candour
The duty of candour is a general duty to be open and transparent with people receiving care at this organisation. Both the statutory duty of candour and professional duty of candour have similar aims, to make sure that those providing care are open and transparent with the people using their services whether something has gone wrong or not.
For further detailed information, see the organisation’s Duty of Candour Policy and CQC GP mythbuster 32: Duty of Candour and General Practice (regulation 20).
2.6 Parliamentary and Health Service Ombudsman (PHSO)
The role of the PHSO is to make final decisions on complaints that have not been resolved locally by either the organisation or the Integrated Care Board (ICB). The PHSO will look at complaints when someone believes there has been an injustice or hardship because an NHS provider has not acted properly or has given a poor service and not put things right.
The PHSO can recommend that organisations provide explanations, apologies and financial remedies to service users and that they take action to improve services.
2.7 Complainant options
The complainant, or their representative, can complain about any aspect of care or treatment they have received at this organisation to either:
Stage 1
- The organisation, or,
- Directly to the local ICB
While there is no requirement for a complaint to be sent to NHS E, a complaint may still be received by NHS E directly. In this instance, the BMA provides guidance in its Dealing with complaints made against you as a GP practice document.
Stage 2
Should the complainant be dissatisfied with the response from either the ICB or the organisation then the next steps are to:
- Escalate the complaint to the PHSO. This process is as detailed within the Local Authority Social Services and National Health Service Complaints (England) Regulations (2009) with outlining information being found within the complaints leaflet
Specific details of how to complain to the local ICB can be found on its webpage.
2.8 Timescale for making a complaint
The time constraint for bringing a complaint is 12 months from the occurrence giving rise to the complaint or 12 months from the time that the complainant becomes aware of the matter about which they wish to complain. If, however, there are good reasons for a complaint not being made within the timescale detailed above, consideration may be afforded to investigating the complaint if it is still feasible to investigate the complaint effectively and fairly.
Should any doubt arise, further guidance can be sought from the ICB.
2.9 Responding to a complaint
While each concern or complaint merits its own response, the outcome is always to ensure the best response is provided. The following are the considered communication responses to any complaint:
- Should a patient be complaining in person, then this should be discussed face-to-face with them
- If via telephone, then it is acceptable to call back should the issue not be immediately resolved
- If by email/letter, then any response should be in writing. CQC GP mythbuster 103: Complaints management advises that practices cannot insist complainants ‘put their complaints in writing’ and that the tone of a response needs to be professional, measured and sympathetic
Immediate response
Should a patient, or the patient’s representative, wish to discuss a complaint or a concern, then this can be deemed to be a less formal approach. These are often simply a point to note or a concern and can be dealt with at this time.
Points to be considered should an immediate response be given:
- All facts need to be ascertained prior to any escalation to the Complaints Manager
- Should the person be or become angry, and if there is no risk of escalation, then suggest to the complainant that their concern is dealt with within a quiet space and away from other patients. When doing this, support from a colleague should be requested
- If a call needs to be returned to an angry patient, allowing some time to elapse can be useful, as the delay may defuse their anger. However, this should ordinarily be within the same day, as any extended delay could be counterproductive and the situation could become more inflamed
- Time management always needs to be considered
Consider any precedent that may be set: if a response is given too quickly, the complainant may come to expect that any future concern will always be dealt with immediately.
Longer term response
This is normally when a more formal approach has been taken, although the concern or complaint could still be via a face-to-face discussion or telephone as it does not require to have been in writing to be considered.
When a concern or complaint cannot be easily resolved, then the complainant has a right to be regularly updated regarding the progress of their complaint. With any complaint, the Complaints Manager will provide an initial response as an acknowledgement within three working days after the complaint is received.
Timescales
The Complaints Manager will provide an initial response to acknowledge any complaint within three working days after the complaint is received. A letter template can be found at Annex F. Following any complaint, a full investigation will be undertaken and while this organisation can suggest a deadline for a response to be given, there is no obligation to do so.
NHS E current guidance states that it will attempt to complete any complaint within 40 working days. This guidance only applies to complaints that have been made directly to NHS E. Guidance for this organisation is The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009, Regulation 14, and CQC GP mythbuster 103: Complaints management. Further detailed information is available in NHS Resolution’s Responding to complaints.
2.10 Meeting with the complainant
To support the complaints process, BMA guidance suggests a meeting should be arranged between the complainant and the complaints lead. While not a CQC requirement, having a meeting is considered as being best practice due to there often being a more positive outcome.
2.11 Verbal complaints
If a patient wishes to complain verbally and they are content for the person dealing with them to handle the complaint (and if appropriate to do so), then the complaint should be managed at this level. If, after this conversation, the patient indicates that no further action is needed, the matter can be deemed closed.
If the matter demands immediate attention, the Complaints Manager should be contacted who may offer the patient an appointment or may see the complainant at this stage. Staff are reminded that when internally escalating any complaint to the Complaints Manager, a full explanation of the events leading to the complaint is to be given to allow an appropriate response. Verbal complaints that are not resolved within 24 hours should be added to the Complaints Log.
2.12 Written complaints
When a written complaint is received, a full investigation and response will always be provided. As part of the investigation process, other clinical governance tools will be used to complete this action such as meetings, audit, significant event and training etc. Should the complaint not be upheld, this organisation will scrutinise the event in the desire to improve patient outcomes.
2.13 Who can make a complaint?
A complaint may be made by the person who is affected by the action, or it may be made by a person acting on behalf of a patient in any case where that person:
- Is a child (an individual who has not attained the age of 18)
  - In the case of a child, this organisation must be satisfied that there are reasonable grounds for the complaint being made by a representative of the child and, furthermore, that the representative is making the complaint in the child’s best interests
- Has died
  - In the case of a person who has died, the complainant must be the personal representative of the deceased. This organisation will require to be satisfied that the complainant is the personal representative
  - When appropriate, the organisation may request evidence to substantiate the complainant’s claim to have a right to the information
- Has physical or mental incapacity
  - In the case of a person who is unable, by reason of physical incapacity, or who lacks capacity within the meaning of the Mental Capacity Act 2005, to make the complaint themselves, the organisation needs to be satisfied that the complaint is being made in the best interests of the person on whose behalf the complaint is made
- Has given consent to a third party acting on their behalf
  - In the case of a third party pursuing a complaint on behalf of the person affected, the organisation will request the following information:
    - Name and address of the person making the complaint
    - Name and either date of birth or address of the affected person
    - Contact details of the affected person so that they can be contacted for confirmation that they consent to the third party acting on their behalf
  - The above information will be documented in the file pertaining to this complaint and confirmation will be issued to both the person making the complaint and the person affected
- Has delegated authority to act on their behalf, for example in the form of a registered Power of Attorney which must cover health affairs
- Is an MP, acting on behalf of and by instruction from a constituent
Should the Complaints Manager believe a representative does or did not have sufficient interest in the person’s welfare, or is not acting in their best interests, they will discuss the matter with either medico-legal defence or NHS Resolution to confirm prior to notifying the complainant in writing of any decision.
2.14 Complaints advocates
Details of how patients can complain and how to find independent NHS complaints advocates are detailed within the complaints leaflet at Annex B. Additionally, the patient should be advised that the local Healthwatch can help to find an independent complaints advocacy service in the area. The PHSO provides several more advocates within its webpage titled Getting advice and support.
2.15 Investigating complaints
This organisation will ensure that complaints are investigated effectively and in accordance with extant legislation and guidance. Furthermore, it will adhere to the following standards when addressing complaints:
- The complainant has a single point of contact in the organisation and is placed at the centre of the process. The nature of their complaint and the outcome they are seeking are established at the outset
- The complaint undergoes initial assessment, and any necessary immediate action is taken. A lead investigator is identified
- Investigations are thorough, where appropriate obtain independent evidence and opinion, and are carried out in accordance with local procedures, national guidance and within legal frameworks
- The investigator reviews, organises and evaluates the investigative findings
- The judgement reached by the decision maker is transparent, reasonable and based on the evidence available
- The complaint documentation is accurate and complete. The investigation is formally recorded with the level of detail appropriate to the nature and seriousness of the complaint
- Both the complainant and those complained about are responded to adequately
- The investigation of the complaint is complete, impartial and fair
- The complainant should receive a full response or decision within six months following the initial complaint being made. If the complaint is still being investigated, then this would be deemed to be a reasonable explanation for a delay
2.16 Conflicts of interest
During any response, staff should consider and declare if their ability to apply judgement or act as a clinical reviewer could be impaired or influenced by another interest that they may hold. This could include, but is not limited to, having a close association with or having trained or appraised the person(s) being complained about, and/or being in a financial arrangement with them previously or currently.
In such circumstances, the organisation must seek to appoint another member of staff as the responsible person with appropriate complaint management experience.
2.17 Final formal response to a complaint
A final response should only be issued to the complainant once the letter has been agreed by medico-legal defence*. Following this, and upon completion of the investigation, a formal written response will be sent to the complainant and will include the information detailed within NHS Resolution’s Responding to complaints guidance.
The full and final response should be completed within six months and signed by the responsible person. If it is likely that it will go beyond this timescale, the Complaints Manager will write to the complainant to explain the reasons for the delay and outline when they can expect to receive the response. At the same time, the organisation will notify the complainant that they have a right to approach the PHSO without waiting for local resolution to be completed.
For further detailed information, see the MDU’s How to respond to a complaint.
* Note, it is not a mandatory requirement to forward all complaint response letters for medico-legal defence consideration prior to sending to the complainant. This has been added to reduce any potential risk of litigation. Organisations may therefore wish to continue to forward only those most significant complaints. A template example of the final response letter can be found at Annex G.
2.18 Confidentiality in relation to complaints
Any complaint is investigated with the utmost confidentiality and all associated documentation will be held separately from the complainant’s medical records.
Complaint confidentiality will be maintained, ensuring only managers and staff who are involved in the investigation know the particulars of the complaint.
2.19 Persistent and unreasonable complaints
The management of persistent and unreasonable complaints at this organisation will follow the organisation’s Dealing with Unreasonable, Violent or Abusive Patients Policy. Advice will be sought from the ICB prior to acknowledging persistent, unreasonable or vexatious complaints.
2.20 Complaints citing legal action
If a complaint is received that states legal action has been sought, the responsible person will consider contacting the organisation’s defence union for guidance on how best to manage the complaint.
Should any complainant cite legal action that refers to an incident after 1 April 2019, contact NHS Resolution and they will assist under the Clinical Negligence Scheme for General Practice (CNSGP). Refer to the NHS Resolution Guidance for general practice document.
While detailed records will always be maintained following any complaint, it is of particular importance when a complaint cites legal action. This is to ensure that all information can be forwarded for medico-legal defence support as required.
2.21 Multi-agency complaints
The Local Authority Social Services and NHS Complaints (England) Regulations 2009 state that organisations have a duty to co-operate in multi-agency complaints.
If a complaint is about more than one health or social care organisation, there should be a single co-ordinated response. Complaints Managers from each organisation will need to determine who the lead organisation will be, and they will then be responsible for co-ordinating the complaint, agreeing timescales with the complainant.
If a complaint becomes multi-agency, the organisation should seek the complainant’s consent to ask for a joint response. The final response should include this and, as with all complaints, any complaint can be made to the provider/commissioner but not both.
2.22 Complaints involving external staff
If a complaint is received about a member of another organisation’s staff, then this is to be brought to the attention of their Complaints Manager as soon as possible. The Complaints Manager will then liaise with the other organisation’s manager.
2.23 Complaints involving locum staff
This organisation will ensure all locum staff are aware of the complaints process and that they will be expected to partake in any subsequent investigation, even if they have left the organisation. Locum staff will receive assurance that they will be treated equally, and the process will not differ between locum staff, salaried staff or partners.
2.24 Additional governance requirements
When a complaint is raised, it may prompt other considerations, such as a significant event (SE), audit or identify training requirements. For further detailed information, see the organisation’s Governance Handbook and the Significant Event and Incident Policy.
The complainant, their carers and/or family can be involved in the SE process as this helps to demonstrate that the issue is being taken seriously.
To scrutinise any process, refer to the organisation’s Quality Improvement and Clinical Audit Policy.
Any remedial training considerations are supported within the organisation’s Training Handbook and Training Evaluation Form.
2.25 Fitness to practise
If the complaint is of a clinical nature, the Senior Partner will be responsible for discussing this with any clinician cited in the complaint. Should the complaint merit a fitness to practise referral, advice is to be sought from the relevant governing body.
2.26 Staff rights to escalate to the PHSO
It should be noted that any staff who are being complained about can also take the case to the PHSO. An example may be that they are not satisfied with a response given on their behalf by the organisation or the commissioning body.
2.27 Private practices and the PHSO
Independent doctors are unable to use the PHSO as they have no legal requirement to have an appeals mechanism. It is good practice to provide independent adjudication on any complaint by using a service such as the Independent Sector Complaints Adjudication Service (ISCAS).
2.28 Logging and retaining complaints
All organisations will need to log their complaints and retain them as per the organisation’s Records Retention Schedule. Evidence required includes:
a. Logging, updating and tracking for trends and considerations
b. Details of all dates of acknowledgement, holding and final response letters and the timely completion of all correspondence relating to the complaint
c. Categorisation of complaints into the categories required to complete the annual KO14b submission to NHS Digital
This data is submitted to NHS E within the KO14b complaints report annually and then published by NHS Digital. Any reporting period covers the period from 1 April until 31 March. Evidence of complaints can be compiled within the organisation’s KO14b Complaints Log Toolkit.
Alternatively, a complaint can be recorded in Complaints Manager, likewise a concern or criticism can be logged into the Criticism Manager within the Compliance Package in the HUB.
3 Use of complaints as part of the revalidation process
3.1 Outlined processes
As part of the revalidation process, GPs must declare and reflect on any formal complaints about them in tandem with any complaints received outside of formal complaint procedures at their appraisal for revalidation. These complaints may provide useful learning.
The following information is to support the appraisal and revalidation process for various healthcare professionals:
- GPs – Royal College of General Practitioners (RCGP)
- Nurses – Nursing and Midwifery Council (NMC)
- Pharmacists – General Pharmaceutical Council (GPhC)
- Other healthcare professionals – Healthcare Professionals Council (HCPC)
- Physician Associates – refer to the Royal College of Physicians
Download a copy of our Complaints Procedure.
Did Not Attend Policy
‘Did Not Attend’ (DNA) is when a patient does not turn up for their appointment and does not contact the surgery in advance to cancel or change it.
Patients who fail to attend their medical appointments continue to have a significant financial impact across the NHS.
At Picton Medical Centre, during any month, an average of 280 patients are recorded as being a DNA. The effects of these missed appointments are:
- An increase in waiting times for patients resulting in the risk of worsening patients’ health.
- A waste of the organisation’s time – not simply the clinicians’ time but also that of the administration team as the appointment invariably needs to be rebooked.
- Cost to the wider NHS in the requirement of additional clinicians.
- Potential of risk to a child who is reliant upon an adult to ensure that they attend their appointment.
Appointments at Picton Medical Centre are at a premium and each missed appointment could be used by another patient.
It is the responsibility of the patient to ensure that they attend their booked appointments.
GENERAL DNA POLICY
Picton Medical Centre operates a three-DNA policy. This means that if a patient DNAs any three appointments in a 12-month period, they may be removed from the practice list.
When a patient fails to attend a pre-booked appointment, they will receive the following text message:
- “You failed to attend your appointment on “/// date”. Cancel unwanted appointments by text via reminders from our text service. 3 failures to attend may result in removal from GP list.”
If a patient fails to attend a 2nd appointment in a 12-month period, a further text message will be sent. This message will remind them that any further DNAs will result in their removal from the practice list.
- “You had an appointment booked on //// at the Surgery, but you failed to attend. This is the second occasion you have failed to attend within a 12-month period. If you fail to attend another appointment you may be removed from the practice list and would need to find another GP.”
If the patient fails to attend a 3rd appointment within a 12-month period, the patient will receive a letter detailing the DNAs they have had in primary, community and secondary care, and the patient will be asked to contact the practice within 7 days of receipt of this letter to discuss the reasons for the missed appointments.
If the patient fails to contact the practice within the 7-day timeframe, the matter will be reviewed by the management team and a decision will be made as to whether the patient is removed from the practice list. When a patient responds to the letter, the reasons for their missed appointments will be reviewed by the management team and a decision will be made as to whether the patient is removed from the practice list.
All missed appointments and communications regarding these missed appointments will be documented in the patient medical record.
Children who are not brought to appointments
Missed appointments for children will be handled in the same way as above.
However, a child needs to be brought to their clinical appointment by their parent or the person with clinical responsibility. Should there be continued failures to bring a child to their medical appointment, we would consider this as potential neglect towards that child and, as a result, this practice would be obliged to advise the local safeguarding team of any concern that we may have.
Cancelling appointments
Please ensure that, if you are not able to attend your appointment, you cancel it with 24 hours’ notice, as this allows us to offer the appointment to another patient.
Any appointment cancelled with less than 2 hours’ notice will result in a did not attend (DNA) unless there is a genuine reason for this very late cancellation.
There are a number of ways for you to cancel an appointment if you are unable to attend:
- Respond to the appointment reminder text sent via PATCHs (there will be instructions of how to cancel)
- Cancel via the NHS App or via your SystmOne account.
- Call the surgery and speak to a member of the team. Our phone lines are very busy and you may be held in a queue, so we strongly suggest using the above options where possible, or using the call-back option, which lets you keep your place in the call queue.
Arriving late to appointments
If you arrive at the Surgery after your appointment time this will result in a DNA. This is still the case if our team are able to re-book you an appointment for the same day.
Download a copy of our Did Not Attend Policy.
Fair Processing Privacy Notice – Children
For Patients Aged 13 and Over
A ‘data privacy notice’ is a statement created by an organisation, which explains how personal and confidential information about patients is collected, processed, used and shared. This may also be called a privacy statement, fair processing statement/notice or privacy policy. This data privacy notice is issued by Picton Medical Centre (referred to as ‘the Practice’ and ‘we’/’us’/’our’ from this point onwards).
Why we need your information and how it will be used by health staff for your healthcare
The health professionals who work with you to provide your care will keep records about the treatment and support you receive. Having this information available will help these professionals to work together and share vital information about your health and wellbeing needs.
Health and social care professionals will be able to use the information to assess your needs and work in partnership with you to decide the most suitable treatment or support. We also use your information to inform you of services, for example reminding you of an appointment. We do not use your information for marketing purposes.
Who will be controlling your information?
The Practice (we) will be controlling your data and healthcare information.
All of our partners are required to maintain the same standard as the Practice when processing your information.
Each of our partners has a legal duty to protect your personal information and act as data controller. We take your confidentiality very seriously. We are committed to making sure all personal and identifiable information is managed in accordance with the relevant legislation to ensure your information is safe, secure and confidential.
The data we are sharing
It is important that the Practice has up to date and accurate information about you to make sure you receive the best quality care possible.
Your care record with the Practice contains key information such as:
- Personal details – for example your name, address, date of birth and next of kin (such as your parents or guardian(s))
- Names of the health and care professionals looking after you
- Any medications you are taking
- Any allergies you have
- Any health concerns about you
- Your previous referrals to various services
- Dates and reasons for any occasions where you have been admitted to hospital
- Appointments and emergency department attendances
- Assessments
- Care plans and care packages
- Emergency contact details
- Personal data from other sources associated with your care
Please be aware that our records may contain information about your parent(s) or guardian(s), if they are named as your next of kin.
What is the lawful basis for sharing your information?
In order for the Practice to process your information, we need what we call a ‘lawful basis’ to do so. There are a number of lawful bases that the Practice uses to process your data, depending on the information we need to collect.
In the majority of cases, the lawful basis will be for your care. Other bases may be a legal requirement, public task, or a mandatory obligation on the practice for the protection of individuals. We may also use consent.
How will your information be used and accessed?
Personal information contained in your health records will only be used with a lawful basis.
Only authorised individuals are allowed to access personal information.
The information within your health record is used to provide you with the most suitable care and support that you need. The information in your health record helps professionals make better decisions about your care in conjunction with you and ensure it is safe and effective.
Primary Care Network
We are a member of a Primary Care Network PCN4. This means we will be working closely with a number of other Practices and health and care organisations to provide healthcare services to you. During the course of our work we may share your information with these Practices and health care organisations/professionals. We will only share this information where it relates to your direct healthcare needs. When we do this, we will always ensure that appropriate agreements are in place to protect your information and keep it safe and secure. This is also what the Law requires us to do.
If you would like to see the information the PCN holds about you please contact the Data Protection Officer Contact: Daljeet.Sharry-Khan@bradford.nhs.uk
How long do we keep your information?
Records are retained according to NHS guidance and any statutory or legal requirements for prescribed time spans.
Who will see and share your information?
The Practice releases your information to other authorised parties that it has a legal duty to share it with, those who you may have given consent to, those who need to know to continue your care and those who have a lawful basis.
Your information will only be shared with authorised parties who are providing you with direct care. It will be shared with third parties authorised by the Practice (who do not have a lawful basis) only if you have first given your consent.
- Where disclosure is necessary to safeguard you, or others, or is in the public interest
- Where there is a legal duty to do so, for example a court order or prevention of crime.
- Your data might be shared in exceptional circumstances with countries other than the UK, where it is required for continuation of care.
Your rights as a ‘Data Subject’
Under the General Data Protection Regulation, you have certain rights:
These rights are:
- Right to be informed – the Trust will inform you about the information we hold
- Access to the information the Trust holds about you
- Access to have the information corrected if it is incorrect (rectification)
- Right to be forgotten (erasure) – to have all your information removed
- Right to restrict processing
- Data portability
- Right to object to processing or remove consent
- Rights in relation to automated processing
Some of these rights are dependent on the circumstances around which the information is held.
If at any point you believe the information we hold or process is incorrect, please contact the Data Protection Officer using the details below.
If you wish to raise a concern or a complaint you can do so by contacting the care professional providing your care or treatment, or the organisation’s Data Protection Officer.
If you are not satisfied with the response you receive, or believe we are not processing your personal data in accordance with the law, you can make a complaint to the Information Commissioner’s Office (ICO): https://ico.org.uk/
If you have a question regarding you or your data, please contact: Dal Sharry-Khan – Data Protection Officer at Daljeet.Sharry-Khan@bradford.nhs.uk or 07395796639.
Freedom of Information Policy
1 Introduction
1.1 Policy statement
The purpose of this document is to ensure that staff and patients at Picton Medical Centre are aware of the ways in which the organisation adheres to the Freedom of Information Act 2000 (referred to as the Act herein). The Act enables the public to access information held by public authorities in two ways:
- Public authorities are obliged to publish certain information about their activities
- Members of the public are entitled to request information from public authorities who, in turn, are required to provide the requested information within 20 working days, unless it is exempted
The policy will provide a framework within which this organisation will ensure compliance with the requirements of the Act and will underpin any operational procedures and activities connected with the implementation of the Act.
It is important to note that the Act does not give individuals access to their own personal data, i.e., healthcare records. This is processed by means of a subject access request.
To help staff to understand this subject, a range of Information Commissioner’s Office (ICO) videos are available on YouTube.
1.2 Status
The organisation will aim to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the organisation such as agency workers, locums and contractors.
2 The Freedom of Information Act 2000 (FOIA)
2.1 Principles
The ICO advises that the main principle behind the Act is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to. This means:
- Everybody has a right to access official information
- Applicants do not need to give a reason for wanting the information. On the contrary, organisations must justify refusing to provide the information
- All requests for information must be treated equally except under some circumstances relating to vexatious requests and personal data. Furthermore, all requesters are to be treated equally, whether they are journalists, local residents, public authority employees or foreign researchers
- As all requesters are treated equally, information under the Act should only be disclosed if it would be disclosed to anyone else who asked
Information can be shared voluntarily outside the provisions of the Act.
2.2 Roles and responsibilities
Caldicott Guardian
The Caldicott Guardian has ultimate responsibility for the organisation’s compliance with the Act and is responsible for providing advice and support to all staff.
Organisation Manager
The Organisation Manager, in their role as Senior Information Risk Owner (SIRO), is responsible for providing advice and guidance to all staff and they are also the nominated person to carry out an internal review of a response to a freedom of information (FOI) enquiry.
Data Protection Officer
The Data Protection Officer will provide expert advice with regard to the information request, the response and appeal process, if appropriate.
All staff
All staff, including contractors, are responsible for ensuring that any requests for information that cannot be considered to be ‘business as usual’ and therefore fall under the Act are forwarded to the Organisation Manager immediately.
Furthermore, all staff, including contractors, are responsible for responding to requests for information received from the Organisation Manager in order to comply with the Act in a timely manner.
2.3 Defining a valid request for information
Any individual has the right to request information from a public authority and this organisation has two separate duties when responding to such requests:
- Inform the applicant whether the organisation holds any information falling within the scope of their request
- Provide that information
Section 8 of the Act states that for the request to be valid, it must:
- Be in writing (but requesters do not have to mention the Act or direct their request to a designated member of staff)
- Detail the name and address of the applicant (email address is valid)
- Describe the information requested
- Be legible
- Be capable of being used for a subsequent reference
A request also becomes valid when the Act is detailed in correspondence.
An FOI request form template is provided in Annex A.
2.4 Duty to provide advice and assistance
Under Section 16 of the Act, this organisation has a duty to provide advice and assistance to individuals making requests. This organisation will strive to take all reasonable steps to meet this duty.
2.5 Time limits for compliance with requests
As detailed in Section 10 of the Act, the organisation has a duty to respond to requests within 20 working days of receipt of the request. Annex D details the process to be followed on receipt of an FOI request.
Once an FOI request has been received and processed by the Organisation Manager, the request will be forwarded to the Caldicott Guardian, SIRO and the designated Information Governance (IG) lead, who will be given a timescale to respond within 10 working days.
Should a request be unclear, the Organisation Manager will contact the applicant to request clarification. The 20-working day ‘clock’ does not start until a valid request is received and clarification (if necessary) has been received.
If clarification is requested but not received within 20 working days, the request will be considered to have been withdrawn. Should the applicant re-submit their request after this point, it will be treated as a new FOI request.
2.6 Exemptions and Public Interest Test
This organisation will not release information held to which any absolute or qualified exemptions detailed in Part II of the Act apply. There are 25 exemptions detailed at Annex B.
The ICO advises that the Public Interest Test (PIT) applies if an exemption is qualified and the organisation must weigh the public interest in maintaining the exemption against the public interest in disclosure.
As a result, the PIT may delay the response to the request for information. A template is available at Annex G which informs applicants of the reason for the potential delay.
2.7 Charges and fees
In general, this organisation will not charge a fee for processing an FOI request. However, should there be a request for large volumes of hard copy materials, a fee may be levied. This will be in line with Section 3 of The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004.
2.8 Acknowledgement and logging of requests
All valid requests for information under the Act should be acknowledged within two working days. Annex E provides an appropriate FOI acknowledgement letter template meeting these requirements. Annex I provides an appropriate FOI request log template while Annex H provides an appropriate PIT meeting template.
2.9 Vexatious or repeated requests
This organisation is not obliged to comply with a request for information if the request is vexatious. When this organisation has previously complied with a request for information that was made by any person, it is not obliged to comply with a subsequent identical or subsequent similar request from that person unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
This organisation will log all requests for information for monitoring purposes and will be able to identify repeated or vexatious requests.
2.10 Refusal of a request
Should this organisation refuse a request, the applicant will be advised of the reasons why within 20 working days. They will also be provided with information on how to make a complaint about the refusal.
When it is not possible to confirm that an exemption applies, this organisation will inform the applicant that the issue remains under consideration and will estimate the date at which a firm judgement will be made. This will be notified to the applicant by issue of an exemption pending notice (see Annex G).
The Organisation Manager will keep a record of all notices issued to refuse requests for information and any information regarding the PIT process.
2.11 Means by which information will be conveyed
This organisation will provide information to applicants in the format requested wherever possible.
2.12 Disclosure log
The disclosure log (see Annex J) provides information that has been released via requests made to this organisation for information under the Act. The disclosure log forms part of the publication scheme and can link to documents available on the scheme, which in turn is published on the organisation’s website.
The Organisation Manager must ensure that information from multiple requests regarding the same subject is available via the disclosure log. If there has been a request made for information which is currently part of a public debate, for example the subject is within the media, this information must be published within the disclosure log.
The requests within the disclosure log must remain anonymous and therefore the requester’s details must not be made available. The only information provided on the disclosure log are the questions asked and the answers to these questions. The reference numbers will also be provided to provide a reference if a member of the public contacts this organisation regarding the information contained within the disclosure log.
3 Appeals process
3.1 Internal review
Should an applicant be dissatisfied with a response that the organisation has provided, they are able to request an internal review. Any complaint about or challenge to the information given in a response to an FOI request should be treated as a request for an internal review.
Any request for an internal appeal should be made within 40 working days of an FOI response being sent. Any requests for an internal review made after this date are out of time and will not receive an internal review. All requests for an internal review will be responded to within 20 working days.
To ensure that all reviews are carried out independently, support in compiling the review responses will be provided by the organisation’s Data Protection Officer.
3.2 External review
Should an enquirer be dissatisfied with a response that they have received, under Section 50 of the Act they are entitled to request an external review by the ICO.
Should an appeal be accepted by the ICO, the organisation is obliged to supply the complete audit trail of its response to the Information Commissioner including un-redacted copies of information that has been redacted.
4 Transferring requests for information
4.1 Process
This organisation is permitted to transfer a FOI request when it does not hold the requested information. This organisation recognises that ‘holding’ information includes holding a copy of a record produced or supplied by another person or body (but does not extend to holding a record on behalf of another person).
If the organisation does not hold the requested information, the applicant will be advised accordingly. If, however, the organisation believes that the requested information is held by another organisation, it may:
- Contact the organisation and transfer the request on behalf of the applicant
- Contact the applicant, advising where the information is held and who to contact to request the information
Prior to transferring the request, this organisation will consult with the other organisation involved to determine if it holds the requested information and a transfer is appropriate.
Transfers of requests will take place as soon as is practicable.
5 Public sector contracts
5.1 Overview
When entering into contracts, this organisation must refuse to include contractual terms that attempt to restrict the disclosure of information held by the organisation and relating to the contract beyond the restrictions permitted by the Act. This includes existing contracts: unless an exemption provided for under the Act is applicable in relation to any information, the organisation may be obliged to disclose that information in response to a request, regardless of the terms of any contract. As recommended by the Lord Chancellor’s Department, this organisation will reject non-disclosure clauses.
6 Third parties
6.1 Consultation from third parties
This organisation recognises that in some cases the disclosure of information may affect the legal rights of a third party, for example when information is subject to the common law duty of confidentiality. Unless an exemption provided for in the Act applies in relation to any information, this organisation will be obliged to disclose that information in response to a request.
When a disclosure of information cannot be made without the consent of a third party and would constitute an actionable breach of confidence such that an exemption would apply, this organisation must consult the third party with a view to seeking its consent to the disclosure, unless such a consultation is not practicable.
The organisation will undertake consultation where:
- The views of the third party may assist the authority to determine whether an exemption under the Act applies to the information requested; or
- The views of the third party may assist this organisation to determine where the public interest lies.
This organisation may consider that consultation is not appropriate when the cost of consulting with third parties would be disproportionate. In such cases, the organisation will consider what is the most reasonable course of action for it to take in light of the requirements of the Act and the individual circumstances of the request. Consultation will be unnecessary where:
- The organisation does not intend to disclose the information relying on some other legitimate ground under the terms of the Act
- The views of the third party can have no effect on the decision of the authority, for example, when there is other legislation preventing or requiring the disclosure of this information
- No exemption applies and therefore, under the Act’s provisions, the information must be provided
When the interests of a number of third parties may be affected by a disclosure, and those parties have a representative organisation that can express views on behalf of those parties, the organisation will, if it considers consultation appropriate, consider that it would be sufficient to consult that representative organisation. If there is no representative organisation, this organisation may consider that it would be sufficient to consult a representative sample of the third parties in question.
The fact that the third party has not responded to a consultation does not relieve this organisation of its duty to disclose information under the Act, or its duty to reply within the time specified in the Act. In all cases, it is for this organisation, not the third party (or a representative of the third party) to determine whether information should be disclosed under the Act. If a request for the disclosure of information to which the third party has previously objected is received, under the Act the organisation must review the decision to accept the objection and must provide the information unless it is satisfied that the objection was in fact a valid one.
7 Model publication scheme
7.1 Information publication
The ICO expects this organisation to adopt its model publication scheme and commit to proactively publishing information, explaining what information will be published, the format it will be published in and whether a charge will be made for the information.
8 Training
8.1 eLearning
Information Governance and Data Security eLearning is available in the HUB.
Download a copy of our Freedom of Information Policy.
GP Earnings
The average pay for GPs working at Picton Medical Centre in the last financial year 2024/25 was £117,723 before tax and National Insurance. This is for 2 full-time doctors who worked at the practice for more than 6 months.
Privacy Notice
We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.
Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.
Our contact details as data controller:
Name: Picton Medical Centre
Address: Westbourne Green,
50 Heaton Road,
Bradford,
BD8 8RA
Phone number: 01274 019605
Email: b83614.pictonmp@nhs.net
We are the data controller for your information. A controller decides on why and how information is used and shared.
The practice is registered with the Information Commissioner's Office as a Data Controller. Our registration number is Z9954875 and you can view our registration here: https://ico.org.uk/ESDWebPages/Search.
Data Protection Officer contact details
Our Data Protection Officer is Daljeet Sharry-Khan, who is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at Daljeet.sharry-khan@bradford.nhs.uk
Why do we collect your information?
As a GP practice we are responsible for your day-to-day medical care and the purpose of this notice is to inform you of the type of information that we hold about you, how that information is used for your care, our legal basis for using the information, who we share this information with and how we keep it secure and confidential.
It covers information we collect directly from you (that you have either provided to us, or from consultations with staff members), or we collect from other organisations who manage your care (such as hospitals or community services).
We are required by law to maintain records about your health and treatment, or the care you have received within any NHS service.
These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:
- Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
- Contact we have had with you such as appointments or clinic visits.
- Notes and reports about your health, treatment and care
- Details of diagnosis and treatment given
- Information about any allergies or health conditions.
- Results of x-rays, scans and laboratory tests.
- Relevant information from people who care for you and know you well such as health care professionals and relatives.
- For visitors to the practice basic information such as name and vehicle registration number.
By providing the Practice with their contact details, patients are agreeing to the Practice using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).
What information do we collect?
Personal information
We currently collect and use the following personal information:
- personal identifiers and contacts (for example, name and contact details)
More sensitive information
We process the following more sensitive data (including special category data):
- data concerning physical or mental health (for example, details about your appointments or diagnosis)
- data revealing racial or ethnic origin
- data concerning a person’s sex life
- data concerning a person’s sexual orientation
- genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
- data revealing religious or philosophical beliefs
- data relating to criminal or suspected criminal offences
How do we use your information and how do we get it?
As health professionals, we maintain records about you to direct, manage, and deliver the care you receive. When you register with the practice, your existing records will be transferred to us from your previous practice so that we can keep them up to date while you are our patient. If you do not have a previous medical record (a new-born child or someone coming from overseas, for example), we will create a medical record for you.
We take great care to ensure that your information is kept securely, that it is up to date, accurate and used appropriately. In the practice, individual staff will only look at what they need in order to carry out tasks such as booking appointments, making referrals, supporting your care, or to support the management of the services we provide.
The personal information we collect is provided directly from you for one of the following reasons:
- you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care.
- if you have signed up to our newsletter / patient participation group, we will engage with you to seek your comments and views on the practice.
- if you have made a complaint we will need to collect information about the complaint which will include your personal information. We may also need to gain additional information from, or share information we have with, other healthcare providers and NHS organisations in order to process and investigate your complaint.
We also receive personal information about you from others, in the following scenarios:
- from other health and care organisations involved in your care so that we can provide you with care
- from family members or carers to support your care
- if you register with us from another practice, your historic GP notes are transferred to us from your old practice. This can happen electronically and your paper notes are transferred via an organisation called Primary Care Support England
The NHS care record guarantee
The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from: https://webarchive.nationalarchives.gov.uk/ukgwa/20130513181549/http:/www.nigb.nhs.uk/guarantee
Primary Care Networks
All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients.
PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care.
We are members of PCN 4 along with the other practices in the PCN: Kensington Partnership, City Medical Practice and Bilton Medical Centre.
This arrangement means that practices within the same PCN may share data with other practices within the PCN for the purpose of patient care (such as extended hours appointments and other services). Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security.
For commissioning and healthcare planning purposes
In some cases, for example when looking at population healthcare needs, some of your data may be shared (usually in such a way that you cannot be identified from it). The following organisations may use data in this way to inform policy or make decisions about general provision of healthcare, either locally or nationally:
- Bradford Council: Public Health, Adult or Child Social Care Services
- West Yorkshire Integrated Care Board (or their approved data processors)
- NHS Digital (formerly known as HSCIC)
- The "Clinical Practice Research Datalink" (EMISWeb practices) or ResearchOne Database (SystmOne practices)
- Other data processors which you will be informed of as appropriate.
In order to comply with its legal obligations we may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.
This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.
Population Health Management
Population Health Management (PHM) is about improving the physical and mental health of people. It involves analysing data, in a format which does not identify individuals, and using the results to help making decisions on ways to prevent ill-health, improve care, reduce hospital admissions and help ensure that the most effective services are available for our patients.
The benefits of PHM are:
- to help frontline teams understand current health and care needs and predict what will be needed in the future.
- to identify specific groups of patients that are high risk and would benefit from direct interventions to improve their health and wellbeing.
- to improve the standard and quality of care.
- to prevent people needing hospital care unless necessary
- to support working across different organisations in the health and care sector to make a positive difference to people's lives. This can be supported by joining the data dots to tackle health inequalities we know exist across West Yorkshire.
- to identify gaps in services, as well as inform service redesigns.
We, and other healthcare providers like the hospital and community service providers, send information that relates to you to our data processor the North of England Commissioning Support Unit (NECS). NECS then pseudonymise this data, which means the information that could identify you is removed and is replaced with a pseudonym. Information about the different health and care interventions you have had is then linked together so that it can be analysed without identifying you.
This pseudonymised data is then shared with West Yorkshire Integrated Care Board who will analyse the data to carry out commissioning and planning services and Population Health Management. Sometimes this analysis identifies individuals who might benefit from direct interventions to prevent illness. The results relating to patients registered at our practice are sent back to us so that we can assess who would benefit or require a particular healthcare intervention.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.
If you do not want your data to be used in this way, you can opt-out of all planning and research initiatives through the national data opt-out service. Access this service online at www.nhs.uk/your-nhs-data-matters or by calling: 0300 303 5678.
Summary Care Record
Your Summary Care Record (SCR) is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.
All patients registered with a GP have a SCR, unless they have chosen not to have one. Your SCR contains basic information about allergies and medications and any reactions that you have had to medication in the past.
Some patients, including many with long term health conditions, have previously agreed to have Additional Information shared as part of their Summary Care Record. This additional information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.
The purpose of the SCR is to improve the care that you receive. However, if you don't want to have an SCR you have the option to opt out. If this is your preference please inform your GP or fill in an SCR patient consent preferences form and return it to your GP practice.
For research purposes
Research data is usually shared in a way that individual patients are non-identifiable. Occasionally, where research requires identifiable information, you may be asked for your explicit consent to participate in specific research projects. The surgery will always gain your consent before releasing any information for this purpose, unless the research has been granted a specific exemption from the Confidentiality Advisory Group of the Health Research Authority.
Where specific information is asked for, such as under the National Diabetes Audit, you will be given the choice to opt out of the audit.
For safeguarding purposes, life or death situations or other circumstances when we are required to share information
We may also disclose your information to others in exceptional circumstances (i.e. life or death situations) or in accordance with Dame Fiona Caldicott’s information sharing review (Information to share or not to share).
For example, your information may be shared in the following circumstances:
- When we have a duty to others e.g. in child protection cases
- Where we are required by law to share certain information such as the birth of a new baby, infectious diseases that may put you or others at risk or where a Court has decided we must.
Who do we share information with?
We share information about you with other health professionals to support your care, and in more limited ways for indirect care purposes:
- NHS Trusts and hospitals that are involved in your care.
- NHS Digital and other NHS bodies.
- Community Care Teams
- Care homes
- Other General Practitioners (GPs) or Primary Care Networks (which are groups of GP Practices).
- Ambulance Services.
- Social Care Services.
- Education Services.
- Local Authorities.
- Private sector providers working with or for the NHS, such as dentists, pharmacies, opticians and care homes
- Voluntary sector providers working with or for the NHS, providing services such as social prescribing, local support groups, health education, advice services, etc.
From time to time, we may offer you referrals to other providers, specific to your own health needs not included in the list above. In these cases, we will discuss the referral with you and advise you that we will be sharing your information (generally by referral) with those organisations.
We may also share information with the following types of organisations:
- third party data processors
- IT system supplier (West Yorkshire ICB / Bradford City Council)
- Software suppliers (SystmOne)
- Communication suppliers (telephony services, email, text messages)
In some circumstances we are legally obliged to share information. This includes:
- when required by NHS England to develop national IT and data services
- when registering births and deaths
- when reporting some infectious diseases
- when a court orders us to do so
- where a public inquiry requires the information
- Medical examiners
We will also share information if the public good outweighs your right to confidentiality. This could include:
- to detect, prevent or investigate crime
- where there are serious risks to the public or staff
- to protect children or vulnerable adults
We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include to comply with the law and for public interest reasons.
Is information transferred outside the UK?
As a GP surgery, we do not routinely send patient data outside of the UK / EU where the laws do not protect your privacy to the same extent as the law in the UK.
Our data is hosted in the UK and is only available to our staff and technical support staff in the UK.
What is our lawful basis for using information?
Under UK GDPR the Practice is required to identify a legal basis to process your personal information.
For personal data
- 6(1)(a) – Consent: this must be freely given, specific, informed and unambiguous.
- 6(1)(b) – Contract: between a person and a service, such as a service user and privately funded care home.
- 6(1)(c) – Legal obligation: the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.
- 6(1)(d) – Vital interests: Life & Death
- 6(1)(e) – Public task: a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.
Special Category data (Sensitive Data including Health Records)
- 9(2)(a) – Explicit consent
- 9(2)(b) – Employment, social security and social protection (if authorised by law)
- 9(2)(c) – Vital interests – Life and Death
- 9(2)(e) – Made public by the data subject
- 9(2)(f) – Legal claims or judicial acts
- 9(2)(g) – Reasons of substantial public interest (with a basis in law)
- 9(2)(h) – Health or social care (with a basis in law)
- 9(2)(i) – Public health (with a basis in law)
Common law duty of confidentiality
In our use of health and care information, we satisfy the common law duty of confidentiality because:
- you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
- we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
- we have a legal requirement to collect, share and use the data
- for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service
How do we protect your personal information?
As a Practice, we are committed to protecting your privacy and will only process data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality, professional codes of practice, the Human Rights Act 1998 and other appropriate legislation.
Everyone working for the Practice has a legal and contractual duty to keep information about you confidential. All our staff receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and their obligations to uphold confidentiality.
Staff are trained to recognise and report any incident, and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.
All identifiable information that we hold about you in an electronic format will be held securely and confidentially in secure hosted servers that pass stringent security standards.
Any companies or organisations we may use to process your data are also legally and contractually bound to operate under the same security and confidentiality requirements.
All identifiable information we hold about you within paper records is kept securely and confidentially in lockable cabinets with access restricted to appropriately authorised staff.
As an organisation we are required to provide annual evidence of our compliance with all applicable laws, regulations and standards through the Data Security and Protection toolkit.
Your information is securely stored for the time periods specified in the Records Management Code of Practice.
All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.
The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.
What are your data protection rights?
Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these rights will apply equally, as certain rights are not available depending on the situation and the lawful basis used for the processing.
For reference, the cases where these rights may not apply are where the lawful basis we use (as shown above in the section on "lawful bases") is:
- Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – in these cases the rights of erasure and portability will not apply.
- Legal Obligation – in these cases the rights of erasure, portability, objection, automated decision making and profiling will not apply.
The right to be informed
You have the right to be informed of how your data is being used. The purpose of this document is to advise you of this right and how your data is being used by the practice.
The right of access
You have the right to ask us for copies of your personal information; this is often referred to as a 'Subject Access Request'. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
You can make a subject access request by emailing b83614.pictonmp@nhs.net.
The right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
The right to erasure
You have the right to ask us to erase your personal information in certain circumstances. This will not generally apply in the case of health care data.
The right to restrict processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You have the right to limit the way in which your data is processed if you are not happy with the way the data has been managed.
The right to object
You have the right to object to processing. If you disagree with the way in which part of your data is processed you can object to this; please bear in mind that this may affect the medical services we are able to offer you.
Rights in relation to automated decision making and profiling
Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight, but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.
No decisions about individual care are made solely on the outcomes of these tools; they are only used to help us assess your possible future health and care needs with you, and we will discuss these with you.
The right to data portability
You have the right to ask that we transfer the information you gave us from one organisation to another. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so it will only apply in very limited circumstances.
National data opt-out
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.
Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.
You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Our organisation has reviewed the disclosures we make and is compliant with the national data opt-out policy.
OpenSAFELY COVID-19 Service
NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.
Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.
Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.
Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP.
Other ways we use your information
Call recording
All Telephone calls are routinely recorded for the following purposes:
- To make sure that staff act in compliance with XXXXXXXXX procedures.
- To ensure quality control.
- Training, monitoring and service improvement
- To prevent crime, misuse and to protect staff and patients
- We will only retain data for a reasonable period or as long as is required by law
- You are entitled to request your data under the DPA
SMS Text messaging
When attending the Practice for an appointment or a procedure you may be asked to confirm that the Practice has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.
CCTV
We employ surveillance cameras (CCTV) on and around our practice in order to:
- protect staff, patients, visitors and Practice property
- apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
- provide a deterrent effect and reduce unlawful activity
- help provide a safer environment for our staff
- monitor operational and safety related incidents
- help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance
We will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV data for legal matters.
Employee Notice
When you apply for a position within the Practice you will provide us with relevant information about you including:
A. Your contact details (such as your name and email address, including place of work and work contact details).
B. Employment history
C. Qualifications
D. Referee Details
During the recruitment and selection processes we will begin to add further information including:
- Copies of qualifications and certificates
- Pre-employment checks, including references, identity documents and right to work check information
- Publicly available information such as social media presence
- Selection information including correspondence, interview notes and the results of any selection tests that you may undertake
Following your appointment, we may add any other information you supply to us or is required as part of your employment such as revalidation information.
Information about you from others
Information may be provided about you from a number of sources during your recruitment and on-going employment with the Practice including:
- Disclosure and Barring Service disclosures, where applicable, which will tell the organisation about any criminal convictions you may have
- Referees providing confidential information about your suitability to the role
- Inter Authority Transfer (IAT) – Information held by your previous NHS employer
- Information from HM Revenue and Customs (HMRC) relating to your pay and employment
- Information about your right to work and visa applications
- Pension Information when transferring within the NHS
- Information from your manager and HR team relating to your performance, sickness absence and other work related matters
- Confirmation of your registration with a professional body
When do we share information about you?
The Practice may disclose personal and sensitive information with a variety of recipients including:
- Our employees, agents and contractors where there is a legitimate reason for them receiving the information
- Current, past or potential employers of our staff to provide or obtain references
- Professional and regulatory bodies (e.g. Nursing and Midwifery Council (NMC), Health and Care Professions Council (HCPC), General Medical Council (GMC)) in relation to the confirmation of conduct including complaints, job description and information provided as part of the recruitment process
- Government departments and agencies where we have a statutory obligation to provide information (e.g. HMRC, NHS Digital, Department of Health and the Home Office)
- The Disclosure and Barring Service (DBS) and DBS Update Service where we require a DBS check for certain roles
- Third parties who work with us to provide staff support services (e.g. counselling)
- Crime prevention or detection agencies (e.g. the police, security organisations, the Department for Work and Pensions and local authorities)
- Internal and external auditors
- Debt collection and tracing agencies
- Courts and tribunals
- Trade union and staff associations
- Survey organisations for example for the annual staff survey
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a “need to know” or where you have consented to the disclosure of your personal data to such persons.
Legal Basis for processing your data
The Practice will only ever process your personal information where it is able to do so by law, using one of a number of legal bases available under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
The legal bases we use are as follows:
For special category data (sensitive data including health records):
- Explicit consent
- Employment, social security and social protection (if authorised by law)
- Vital interests – Life and Death
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest (with a basis in law)
- Health or social care (with a basis in law)
- Public health (with a basis in law)
For personal data:
- Consent: the individual has given clear consent to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: Life & Death
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Your Individual rights as an employee
You have certain rights with respect to the data held about you by the Practice.
These are:
- To be informed why, where and how we use your information
- To ask for access to your information
- To ask for your information to be corrected if it is inaccurate or incomplete
- To ask for your information to be deleted or removed where there is no need for us to continue processing it
- To ask us to restrict the use of your information
- To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information
- To object to how your information is used
- To challenge any decisions made without human intervention (automated decision making)
How we use the personal data about you
The Practice uses staff data for all purposes associated with the administration of the employer/employee relationship and to meet our legal obligations. The purposes for which we may use staff data (including sensitive personal information) include:
- Process your recruitment application and correspond with you in relation to Practice vacancies
- Maintaining staff records
- Recruitment and selection
- Managing Human Resource employment matters (e.g. promotion, training and development, conduct, attendance, appraisals, management progress, grievances, misconduct investigations, disciplinary actions and complaints)
- Administering finance (e.g. salary, pension and staff benefits)
- Complying with visa requirements
- Providing facilities such as IT/system access, library services and car parking
- Monitoring equal opportunities
- Preventing and detecting crime, such as using CCTV and using photos on ID badges
- Providing communication about the Practice, news and events
- Maintaining contact with past employees
- Provision of wellbeing and support services
- Compliance with legal obligations such as making external/statutory returns to NHS England, sharing information with HMRC
- Carrying out research, surveys and statistical analysis (including using third party data processors to carry out the national staff survey)
- Carrying out audits
The Practice processes sensitive personal data for a number of administrative purposes:
- Equal opportunities monitoring
- Managing Human Resources processes such as administering sick pay and sick leave, managing absence, and administering maternity leave and associated pay schemes
- Managing a safe environment and ensuring fitness to work
- Managing obligations under Equal Opportunities Legislation
- Provision of Occupational Health and Wellbeing service to individuals
- Payment of trade union membership fees
How long are records retained
All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.
The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.
We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.
Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain certain information held by the Practice, subject to a number of exemptions. If you would like to request some information from us, please contact us.
Please note: if your request is for information we hold about you (for example, your health record), please instead see above, under “How You Can Access Your Records”.
We may amend this privacy notice at any time so please review it frequently.
How do I complain?
If you have any concerns about our use of your personal information, you can make a complaint to us at b83614.pictonmp@nhs.net.
Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.
The ICO’s address is:
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
This privacy notice was reviewed and updated in September 2025.
Sharing & Disclosing of Patient Information
This policy provides guidance to Practice staff on the disclosure of patient information to third parties.
GENERAL PRINCIPLES
Whilst it is vital for the proper care of individuals, that those concerned with that care have ready access to the information that they need, it is also important that patients and their carers can trust that personal information will be kept confidential and that their privacy is respected.
All staff members have an obligation to safeguard the confidentiality of personal information. This is governed by law, their contracts of employment and in many cases, professional codes of conduct. All staff should be aware that breach of confidentiality could be a matter for disciplinary action and provides grounds for a complaint against them.
Where a decision is to be made whether to release information to a third party in circumstances other than those laid down below, administrative and reception staff should refer the matter to a GP for an assessment of the situation before information is divulged. Reception and administration staff should not ordinarily make confidentiality decisions where the authority is in doubt.
Although it is neither practicable nor necessary to seek an individual’s consent each time that information needs to be shared or passed on for a particular purpose defined within this policy, this is contingent on individuals having been fully informed of the uses to which information about them may be put.
Clarity about the purpose to which personal information is to be put is essential and only the minimum identifiable information necessary to satisfy that purpose should be made available. Access to personal information should be on a need to know basis.
If an individual wants information about themselves to be withheld from someone or some agency which might otherwise have received it, the individual’s wishes should be respected unless there are exceptional circumstances. Every effort should be made to explain to the individual the consequences for care and planning but the final decision should rest with the individual.
The exceptional circumstances which may override the above clause arise when information is required by statute or court order, where there is a serious public health risk or risk of harm to other individuals, or for the prevention, detection or prosecution of serious crime. The decision to release information in these circumstances, where judgement is required, should be made by the senior partner, and it may be necessary to seek legal advice.
There are also some statutory restrictions on the disclosure of information relating to AIDS, HIV and other sexually transmitted diseases, assisted conception and abortion.
Where information on individuals has been aggregated or anonymised, it should still only be used for justified purposes but is not governed by this policy. Care should be taken to ensure that individuals cannot be identified from this type of information as it is frequently possible to identify individuals from limited data e.g. age and post code may be sufficient.
SHARING PATIENT AND CARER INFORMATION
- Verbal permission must be obtained from patient and / or carer before divulging information. In certain cases, written consent should be obtained.
- Clarify to patient/carer, the persons to whom information will be given, and why.
- Get positive permission to share information.
- Verbal permission must be documented in the patient’s medical record.
- Written permission must be filed or scanned into the patient’s notes
- Medical information is accessed on “need to know” basis in order to perform duties and no other. – see Defining Purpose
- Staff confidentiality form signed as part of induction programme and is contained in employee’s contract of employment.
Mechanisms for sharing information
- Clinical Meetings
- Face to face discussion
- Message slips
- Memos
- Computer data
- Team meetings
DEFINING PURPOSE
There will be a range of justifiable purposes to be locally agreed. The following list is not exhaustive, and covers internal Practice purposes only.
- delivering personal care and treatment
- assuring and improving the quality of care and treatment
- monitoring and protecting public health
- managing and planning services
- risk management
- investigating complaints
- teaching
- statistical analysis
- research (medical or health services)
INFORMATION SECURITY
- The Practice will ensure they address the issues of security of information.
- The Practice will take all reasonable care to protect both the physical security of information technology and the data contained within it
- All information systems will be password protected
- All personal files must be kept secure
OWNERSHIP OF INFORMATION AND THE RIGHTS OF INDIVIDUALS
Whilst written and computerised records will be regarded as shared between the agencies, an individual’s right of access to the information contained in the records differs when it has been provided by a health professional from when it has been provided by social service staff.
Any health professional’s contribution to records maintained by Social Services staff, whether a letter, a case record or report, must be clearly marked as such and, where practicable, kept in a closed part of the file. Social Services staff should not grant access to this information without written authorisation.
The reverse also applies. NHS and Practice staff cannot grant access to Social Services information without written authorisation.
UK General Data Protection Regulation Policy
1 Introduction
1.1 Policy statement
This organisation must be able to demonstrate compliance at all times with the UK General Data Protection Regulation (UK GDPR herein), which is incorporated in the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2. All staff must understand their responsibilities when accessing and processing personal data, ensuring they adhere to the data protection principles. A UK GDPR checklist is available at Annex A.
1.2 Status
In accordance with the Equality Act 2010, we have considered how provisions within this policy might impact on different groups and individuals. This document and any procedures contained within it are non-contractual, which means they may be modified or withdrawn at any time. They apply to all employees and contractors working for the practice.
2 Data protection
2.1 Data protection by design and default
The Information Commissioner’s Office (ICO) advises that the UK GDPR requires this organisation to put in place appropriate technical and organisational measures to implement the data principles effectively; this is data protection by design and default.
Data protection by design is about considering data protection and privacy issues upfront in everything that the organisation does. Data protection by default requires this organisation to only process the data that is necessary to achieve a specific purpose.
This organisation will demonstrate data protection by design and default by:
- Conducting a Data Protection Impact Assessment (DPIA)
- Ensuring there are privacy notices on the website and in the waiting rooms that are written in simple, easy-to-understand language
- Adhering to Articles 25(1) and 25(2) of the UK GDPR
- Processing data only for the purpose(s) intended
- Ensuring consent is obtained from the data subject prior to data being processed
- Providing patients with access to their data on request (subject access requests)
- Ensuring patients consent to access to their data by third parties
- Processing data in a manner that prevents data subjects being identified unless additional information is provided (using a reference number as opposed to names – pseudonymisation)
3 Roles of data controllers and processors
3.1 Data controller
The ICO defines a data controller as a person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers are responsible for the compliance of their processor(s).
This organisation is the data controller for the data it holds about its patients. The organisation must ensure and be able to demonstrate compliance with Article 5 of the UK GDPR which relates to the seven key principles of processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
3.2 Data processor
The ICO defines a data processor as a person, public authority, agency or other body which processes personal data on behalf of the controller. Processors must ensure that processing conforms to Article 6 of the UK GDPR:
- The data subject has given consent to the processing of his/her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the data controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular when the data subject is a child
At this organisation, all staff are classed as data processors as their individual roles will require them to access and process personal data.
4 Data subjects’ rights
4.1 Right to be informed
The ICO explains that Articles 13 and 14 of the UK GDPR specify what individuals have the right to be informed about; this is referred to as ‘privacy information’.
4.2 Right of access
This organisation ensures that all patients are aware of their right to access their data and has privacy notices displayed in the following locations:
- Waiting room
- Organisation website
- Organisation information leaflet
To comply with the UK GDPR, all privacy notices are written in a language that is understandable to all patients and meet the criteria detailed in Articles 12, 13 and 14 of the UK GDPR.
The ICO advises that the right of access is commonly referred to as subject access and gives individuals the right to obtain a copy of their personal data, as well as other supplementary information this organisation holds about them.
4.3 Right to rectification
As stated by the ICO, under Article 16 of the UK GDPR, data subjects have the right to have inaccurate personal data rectified and/or incomplete personal data completed. At this organisation, should a clinician enter a diagnosis that is later proved to be incorrect, the medical record should retain both the initial diagnosis and the subsequent accurate diagnosis with text to make it clear that the diagnosis has been updated.
Patients can exercise their right to challenge the accuracy of their data and request that this is corrected. Should a request be received, the request should state the following:
- What is believed to be inaccurate or incomplete
- How this organisation should correct it
- If able to, provide evidence of the inaccuracies
4.4 Right to erasure
The ICO explains that under Article 17 of the UK GDPR, data subjects have the right to have personal data erased. This is also known as the right to be forgotten. This right permits a data subject to request that personal data is deleted in situations when there is no compelling reason to retain the data. The right is not absolute and only applies in certain circumstances.
Additional information can be found at section 4.11 of the BMA Access to health records guidance.
When this organisation has shared information with a third party, there is an obligation to inform the third party about the data subject’s request to erase their data providing it is achievable and reasonably practical to do so.
4.5 Right to restrict processing
The ICO states that Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data. This is not an absolute right, and only applies in certain circumstances, with the aim being to enable the individual to limit the way this organisation processes (uses) their data. This right can be used as an alternative to the right to erasure.
4.6 Right to data portability
The ICO explains the right to data portability permits data subjects to receive and reuse their personal data for their own purposes and across different services.
4.7 Right to object
The ICO advises that, in accordance with Article 21 of the UK GDPR, individuals have the right to object to the processing of their personal data at any time. At this organisation, individuals are requested to provide specific reasons why they object to the processing of their data. Where the objection does not engage an absolute right, this organisation can refuse to comply.
4.8 Rights in relation to automated decision making and profiling
The ICO explains that Article 22 of the UK GDPR prevents this organisation from using solely automated decision making. This includes profiling.
5 Subject access requests
5.1 Recognising subject access requests (SAR)
The ICO states an individual can make a SAR verbally or in writing, including by social media. A request does not need to include the phrases ‘subject access request’, ‘right of access’, or ‘Article 15 of the UK GDPR’, it just needs to be clear that the individual is asking for their own personal data.
Staff at this organisation are to encourage the use of the SAR form (included in the organisation’s Access to Medical Records Policy). However, they must accept that any requests that do not use the SAR form are to be processed.
5.2 Responding to a subject access request
The ICO advises that this organisation must respond to a SAR without delay and within one month of receipt of the request. This time limit may be extended by a further two months if the request is complex, or multiple requests are received from the individual. Should the request involve a large amount of information, this organisation will ask the individual to specify what data they require before responding to the request. The time limit for responding to the request is paused until clarification is received.
5.3 Fees
As stated by the ICO, this organisation is not permitted to charge a fee to comply with a SAR. However, a reasonable fee may be charged if the request is deemed to be manifestly unfounded or excessive, or if an individual requests further copies of their data.
5.4 Verifying the subject access request
The ICO explains that this organisation must satisfy itself of the identity of the requestor, or of the person on whose behalf the request is made. It is acceptable to request information to verify an individual’s identity. Note that the timescale for responding to a SAR does not begin until the requested verification information has been received. The organisation’s SAR form supports the data controller in verifying the request.
5.5 Supplying the requested information
ICO guidance explains that the decision on what format to provide the requested information in should take into consideration the circumstances of the request and whether the individual can access the data in the format provided. It is considered good practice to establish the individual’s preferred method before fulfilling their request.
5.6 Third party requests
This organisation, as a data controller, must be able to satisfy itself that the person requesting the data has the authority of the data subject. The responsibility for providing the required authority rests with the third party. This organisation will request that third parties use the BMA and Law Society consent form.
5.7 Requests from solicitors
This organisation will receive SARs from third parties, such as solicitors, who have been authorised by a patient to make a SAR on their behalf. It is the responsibility of the third party to provide evidence that they are permitted to make a SAR on behalf of their client. If concern or doubt arises, this organisation will contact the patient to explain the extent of disclosure sought by the third party.
This organisation can then provide the patient with the data as opposed to directly disclosing it to the third party. The patient is then given the opportunity to review their data and decide whether they are content to share the information with the third party.
5.8 Requests from insurers
SARs are not appropriate should an insurance company require health data to assess a claim. The correct process for this at this organisation is for the insurer to use the Access to Medical Reports Act 1988 when requesting a GP report.
The BMA suggests the following fees are applicable:
- GP report for insurance applicants £104.00
- GP supplementary report £27.00
5.9 Refusing to comply with a SAR
As detailed by the ICO, this organisation will only refuse to comply with a SAR when an exemption applies or when the request is manifestly unfounded or manifestly excessive. In such situations, the organisation will inform the individual of:
- The reasons why the SAR was refused
- Their right to submit a complaint to the ICO
- Their ability to seek enforcement of this right through the courts
Each request must be given careful consideration and, should this organisation refuse to comply, this must be recorded and the reasons for refusal justifiable.
6 Data breaches
6.1 Data breach definition
The ICO defines a data breach as a security incident that has affected the confidentiality, integrity or availability of personal data, including whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it without proper authorisation; or if the data is made unavailable and this has a negative effect on individuals. Examples of data breaches include:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a data controller or processor
- Sending personal data to an incorrect recipient
- Loss or theft of computer devices containing personal data
- Alteration of personal data without permission
- Loss of availability of personal data
6.2 Reporting a data breach
The ICO explains that the UK GDPR introduced a duty on all organisations to report certain types of data breach to the relevant supervisory authority (the ICO) within 72 hours of becoming aware of the breach. If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR states that those individuals must also be informed directly and without undue delay.
The above must be assessed on a case-by-case basis by the organisation’s Data Protection Officer (DPO) and Senior Information Risk Officer (SIRO)/Caldicott Guardian. Therefore, a breach MUST be reported to the Information Governance Lead, DPO and SIRO/Caldicott Guardian within 24 hours of the organisation becoming aware of it so that an appropriate assessment can take place.
This organisation will report the breach using the Data Security and Protection Incident Reporting Tool. Article 33 of the UK GDPR outlines the information required when reporting a breach. The ICO explains this information must contain:
- A description of the nature of the breach, including, where possible:
  - The categories and approximate number of individuals concerned
  - The categories and approximate number of personal data records concerned
- The name and contact details for the DPO
- A description of the likely consequences of the data breach
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects
6.3 Notifying a data subject of a breach
The ICO explains that if a breach is likely to result in a high risk to the rights and freedoms of individuals, this organisation must inform those concerned directly and without undue delay and before notifying the ICO. One of the main reasons for doing so is to permit those affected to take the necessary steps to protect themselves from the effects of a breach.
When the decision has been made to notify a data subject of a breach, this organisation is to provide those affected with the following information in a clear, comprehensible manner:
- The circumstances surrounding the breach
- The details of the person who will be managing the breach
- Any actions taken to contain and manage the breach
- Any other pertinent information to support the data subject
7 Consent
7.1 Obtaining consent
The ICO states that consent must be specific, informed, given by a clear affirmative action (an opt-in) and properly documented. Consent is one of the lawful bases of processing and, if appropriate, this organisation is to offer people real choice and control over how their data is used. If it is deemed appropriate to obtain consent, the following must be explained to the data subject:
- Why the organisation wants the data
- How the data will be used by the organisation
- The names of any third-party data controllers with whom the data will be shared
- Their right to withdraw consent at any time
All requests for consent are to be recorded, with the record showing:
- The details of the data subject consenting
- When they consented
- How they consented
- What information the data subject was told
Consent is to be clearly identifiable and separate from other comments entered into the healthcare record. Furthermore, this organisation must ensure that data subjects (patients) are fully aware of their right to withdraw consent at any time and must facilitate withdrawal as and when it is requested.
7.2 Parental consent
The DPA 2018 states that parental consent (in relation to personal data) is required for a child under the age of 13. Additionally, the principle of Gillick competence remains unaffected and parental consent is not necessary when a child is receiving counselling or preventative care.
For further information, refer to the organisation’s Consent Guidance.
8 Data mapping and Data Protection Impact Assessments
8.1 Data mapping
Data mapping is a means of determining the information flow throughout an organisation. Understanding the why, who, what, when and where of the information pathway will enable this organisation to undertake a thorough assessment of the risks associated with current data processes.
Effective data mapping will identify what data is being processed, the format of the data, how it is being transferred, if the data is being shared and where it is stored (including off-site storage if applicable). The organisation’s Register of Processing Activities (ROPA) details the process of data mapping at this organisation.
8.2 Data mapping and the Data Protection Impact Assessment
Data mapping is linked to the Data Protection Impact Assessment (DPIA) and, when the risk analysis element of the DPIA process is undertaken, the information ascertained during the mapping process can be used.
The ICO explains that conducting a DPIA is a legal requirement for any type of processing, and a DPIA is the most efficient way for this organisation to meet its data protection obligations and the expectations of its data subjects. DPIAs are also commonly referred to as Privacy Impact Assessments or PIAs. In accordance with Article 35 of the UK GDPR, a DPIA should be undertaken when:
- A type of processing, in particular one using new technologies, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. In such cases the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data; a single assessment may address a set of similar processing operations that present similar high risks
- Extensive processing activities are undertaken, including large scale processing of personal and/or special data
DPIAs are to include the following:
- A description of the processing operations, including the purpose of processing
- An evaluation of the need for the processing in relation to the purpose
- An assessment of the associated risks to the data subjects
- Existing measures to mitigate and control the risk(s)
- Evidence of compliance in relation to risk control
It is considered best practice to undertake DPIAs for existing processing procedures to ensure that this organisation meets its data protection obligations. DPIAs are classed as “live documents” and processes should be reviewed continually. As a minimum, a DPIA should be reviewed every three years or whenever there is a change in a process that involves personal data.
8.4 Data Protection Impact Assessment process
The ICO explains that the DPIA process is formed of seven key elements:
1. Identify the need for a DPIA
2. Describe the processing
3. Consider consultation
4. Assess necessity and proportionality
5. Identify and assess risks
6. Identify measures to mitigate the risks
7. Sign off and record outcomes
After sign-off, this organisation will integrate the outcomes of the DPIA into the project plan while keeping the DPIA under review.
8.5 Data Protection Impact Assessment template
This organisation will use NHS England’s universal information governance template to conduct a DPIA.
9 Information asset register
The ICO advises that an information asset register (IAR) records assets, systems and applications that are used for processing or storing personal data across this organisation. The IAR is to be kept up to date, detailing all information assets (software and hardware), including:
- Asset owners
- Asset location
- Retention periods
- Existing security measures
The register is to be reviewed regularly to ensure it remains current and accurate, and best practice is to risk-assess assets within the register, conducting physical checks to make certain the hardware asset inventory remains accurate.
The organisation’s Information Asset Register will be used to maintain a record of all assets.
Download a copy of our GDPR Policy.
Zero Tolerance Policy
The Practice takes it very seriously if a member of our team is treated in an abusive or violent way.
The Practice supports the government’s ‘Zero Tolerance’ campaign for Health Service Staff. This states that GPs and their staff have a right to care for others without fear of being attacked or abused.
To successfully provide these services, mutual respect between all staff and patients has to be in place. All our staff aim to be polite, helpful, and sensitive to all patients’ individual needs and circumstances. Patients are respectfully reminded that staff are very often confronted with a multitude of varying and sometimes difficult tasks and situations, all at the same time.
The staff understand that ill patients do not always act in a reasonable manner and will take this into consideration when trying to deal with a misunderstanding or complaint. However, aggressive behaviour, be it violent or abusive, will not be tolerated and will result in you being removed from the Practice list and, in some cases, the Police being contacted.
In order to maintain good relations with its patients, the practice asks all patients to read and take note of the types of behaviour that it finds unacceptable:
- Using bad language or swearing at practice staff
- Any physical violence towards any member of the Primary Health Care Team or other patients, such as pushing or shoving
- Verbal abuse towards the staff in any form including verbally insulting the staff
- Racial abuse or sexual harassment
- Persistent or unrealistic demands that cause stress to staff. Requests will be met wherever possible and explanations given when they cannot
- Causing damage/stealing from the Practice’s premises, staff or patients
- Obtaining drugs and/or medical services fraudulently
We ask you to treat your GPs and their staff courteously at all times.
Removal from the practice list
A good patient-doctor relationship, based on mutual respect and trust, is the cornerstone of good patient care. The removal of patients from our list is an exceptional and rare event and is a last resort in an impaired patient-practice relationship.
When trust has irretrievably broken down, it is in the patient’s interest, just as much as that of the practice, that they should find a new practice. An exception to this is immediate removal on the grounds of violence, e.g. when the Police are involved.
Removing other members of the family
In rare cases, because of the possible need to visit patients at home, it may be necessary to terminate responsibility for other members of the family or the entire household. In addition, we will not accept the removed person entering or telephoning our premises on behalf of family members.
The prospect of visiting or dealing with patients at a home where a relative who is no longer a patient of the practice, by virtue of their unacceptable behaviour, resides, or of being regularly confronted by the removed patient, may make it too difficult for the practice to continue to look after the whole family.
Download a copy of our Zero Tolerance Policy.