Privacy Policy

Data protection

The General Data Protection Regulation (GDPR) is Europe's new framework for data protection laws. It replaces the previous 1995 data protection directive, which current UK law is based upon.  The Tweed and Neidpath Practices hold personal information about our patients and the following explains how we use that information and how ensure we work within the framework for data protection.

 

The information we hold

We hold personal information about you so that we can provide you with the appropriate care and treatment. The information we hold includes:

  • your past and current medical information
  • personal details such as your age, national insurance number/NHS number, address, telephone number
  • radiographs, clinical photographs and other medical records
  • medical history
  • information about the treatment that we have provided or propose to provide
  • notes of conversations/incidents that might occur for which a record needs to be kept   
  • records of consent
  • any correspondence with other health care professionals relating to you, for example with the hospital or other community services
  • record of appointments past, today and future
  • your unique identifying number, called a CHI number, which help us identify your records more quickly
  • we may also hold information you have provided about your race, ethnic background, political opinions and religious views where these are considered relevant.

 

The legal basis for using personal information

We need to keep comprehensive and accurate information to help us to provide safe and appropriate care and treatment.  This includes the collection, validation, processing and storage of health and demographic data relating to patients who access our services

When using personal information our legal basis under the GDPR is that its use is necessary for:

  • the performance of a task carried out in the public interest, or in the exercise of official authority vested in us;
  • the provision of health or social care or treatment or the management of health or social care systems and service

On some occasions we may rely on another basis, which will usually be that the use is necessary:

  • for reasons of public interest in the area of public health; or
  • for reasons of substantial interest for aims that are proportionate and respect people’s rights, for example research; or
  • in order to protect the vital interests of an individual.

The main Regulations under which we operate in the primary care environment in NHS Scotland are:

 

Disclosure of information

In order to provide proper and safe care, we may need to disclose personal information about you to:

  • hospital or other community medical services
  • other health and social care professionals caring for you
  • NHS health boards
  • NHS payment authorities
  • NHS information services

Disclosure will take place on a ‘need-to-know’ basis, so that only those individuals/organisations who need to know in order to provide care to you and for the proper administration of Government (whose personnel are covered by strict confidentiality rules) will be given the information.  Only that information that the recipient needs to know will be disclosed.

In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this Code of Practice will only occur when we have your specific consent.  

Where possible you will be informed of these requests for disclosure.

 

Retaining information

We will retain access to your medical records for as long as you are a patient with us, and, after you cease to be a patient, arrange for them to forwarded on to your next medical practice or for storage. This is process is normally done through NHS Practitioner Services. 

All information is retained according to the Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.1 January 2012.

 

The Data Controller

Each Practice has a data controller who is responsible for ensuring the Practices policies and working practices are fair and lawful.

 

The Data Controllers are supported in the day to day management by the Practice Manager who is the Data Protection Officer for both Practices

 

Sharing Information

When joining the Practice, patients sign a form which in part is a data protection notice explaining how their data may be lawfully shared. Further information about how we share data is provided in the table below.

 

What is shared

Who is it shared with

Why

When

All data on GP practice registration form (electronic)

NHS National Services Scotland

Community Health Index and Accurate payment

When a patient registers with the Practice

All data on prescription (electronic)

NHS National Services Scotland

To support accurate dispensing of the prescription

All prescriptions

All data on GP practice registration form (electronic)

NHS National Services Scotland

Prevention, Detection and investigation of Crime.  NSS host NHS Scotland Counter Fraud Services

Only when a patient, GP or other worker in the GP practice has been identified as potentially committing fraud

All data on GP practice registration form (electronic) as held on CHI

NHS National Services Scotland

Accurate payment

Clinical Governance

Public Health

Screening Services

All data relating to all patients registered with the GP Practices

GP medical records for patients moving to another practice or leaving the UK or have died.

NHS National Services Scotland

To transfer to the next registered GP practice or to retain in secure storage

Whenever a patient leaves a GP practice or dies

GP temporary medical records for patients who have been seen by someone other than their registered GP practice

NHS National Services Scotland

To transfer to the registered GP practice or to retain in secure storage

Whenever a patient is seen by a GP practice other than the one they are registered with

Patient demographic data and choice of organ donation

NHS National Services Scotland

Maintenance of the UK organ donor register

Whenever a patient decides to provide organ donation information via the GP registration form

Personal details; family details; lifestyle and social circumstances; visual images, personal appearance and behaviour; details held in the patients record; racial and ethnic origin; offences and alleged offences; criminal proceedings, outcomes and sentences; physical or mental health details; religious or similar beliefs and sexual life

Data subjects themselves

Associates and representatives of the person whose personal data we are processing

Staff, including of other organisations healthcare, social and welfare organisations

Suppliers, such as pharmacies

Service providers

Legal representatives, police forces; other law enforcement agencies; central and local government; Crown Office and Procurators Fiscal Service

Prevention, detection and investigation of fraud or other irregularities in relation to the Health Service or Scottish public sector

When gathering intelligence, pursuing reasonable lines of enquiry in an investigation, following receipt of an allegation, intelligence report or product or commencement of a proactive investigation or exercise

Where necessary, we have documented Information Sharing Agreements which are subject to scrutiny and approval of the Practice Partners and partner organisations.

 

How information is used

Personal information may be anonymised or pseudo-anonymised for research purposes. These processes mean that the individual named patient cannot be identified by the third party using the data.

Personal information may be released to tribunals, hearings or other disciplinary or investigative processes in respect of professional bodies regulating primary care contractors.

Personal information may be released to Police Scotland, other police organisations or other organisations who have statutory powers in the prevention or detection of crime.

Third parties are involved in the processing of personal information for the Practices. These are:

  • Nationally and locally appointed couriers, NHS Board transport services and the Royal Mail are used for processing paper records
  • NHS Borders IM&T staff are responsible for the maintenance of our IT systems and the security of external links to the systems.

We do not share information outwith the UK.

 

Information Systems

The Practices IT systems are owned and managed by NHS Borders. Within the Practices, the main systems are:

  • EMIS - patient record system
  • Docman - document management system
  • Bluebay – contract management system
  • Docmail – mailing service

 

Security of information

Personal data about you is held in the practice’s NHS provided computer system and in a manual filing system. Only authorised members of staff have access to it. The information is not accessible to the public. 

Physical access controls are operated at the Practice premises, such as access control systems, locked cupboards and rooms.

Our computer system has secure audit trails of user access and we back up information routinely via NHS Systems. IT systems are secured by firewalls, secure networks, usernames/passwords and encryption of data.

User access to different levels of personal information is authorised by key personnel and revoked when staff leave the organisation or change role.

Where IT systems are used to share data, it is only transmitted over secure networks.

Transfer of paper copies of information is through secure, contracted couriers, the Royal Mail or through local NHS Board provided transport systems.

 

Codes of conduct and privacy policies

Our staff have a legal and contractual duty to keep personal health information secure and confidential. In addition, some professionally registered staff/workers are required to comply with standards set by their professional bodies.

Each member of staff is required to read and sign the confidentiality statement on an annual basis. All staff/workers must undergo information governance training.

 

The right to be informed

Patients have a right to be informed about how we use personal information. We use a number of ways to do this, including: 

  • Data Protection Privacy Notices contained in forms (or their electronic equivalent) which patients are required to sign when registering with or receiving treatment from the Practice
  • Patient Information leaflet
  • Discussions with staff providing your care

 

The right of access

You have a right to see, or have a copy of, the information we hold about you. This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally. You have the right to obtain:

  • Confirmation that your personal information is being held or used by us
  • Access to your personal information
  • Additional information about how we use your personal information

Access may be obtained by making a request in writing to the Practice Manager.  Whilst no charge is made for access to the information, any additional costs such as postage, courier or digital medium needed to complete your request would have to be covered by the requestor. 

We will provide a copy of the record within one calendar month (28-31 days) or sooner if possible. This can be extended to two months in extremely complex cases.

If collecting data in person we will take reasonable means to identify the data subject by asking for photo identification including proof of residence.

A fee may be charged for repeat requests for access. The Practice has a right to refuse repeated requests for access to the same information.

If you would like to access your personal information, you can do this by contacting the Practice Manager.

 

Access to data by Solicitors and Insurance Companies

Solicitor Requests

A Solicitor can make a request on your behalf for a copy of medical records or a part of your records pertaining to an event/incident.  The request must include a consent form signed by the patient which makes it clear that a copy of the full record or part of it has been requested.  Should they request a full record and you object to this we will not release the information but would discuss which element of your records you do wish to be provided.  It is considered best practice to provide the information to you to hand to your solicitor.  Should you wish this to be sent to the solicitor by post, we can do that but cannot be responsible for the data’s security once it leaves the Health Centre. 

 

Insurance Company Requests

An insurance company can also request medical information by means of an Access to Medical Report.  A fee will be charged to cover administrative costs.

 

Access to a child’s information

Where a request is made for information about a child who is aged 12 years or more, the child will be informed of the request (this may be assessed as inappropriate based upon the minor’s maturity and ability to understand) even where the request is made by a parent or guardian.

Should a request be made by an ‘estranged parent’ we may require confirmation that they have a right to request the information.

 

The right to rectification

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.

If for any reason we have shared your information with anyone else, we will notify them of the changes required so that we can ensure their records are accurate.

If on consideration of your request we do not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is case we will contact you to explain our reasons for this.

If you are unhappy about how we have responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

 

The right to object

You have the right to object to our use of personal information about you, and also seek that further processing of personal information about you is restricted. 

Patients do not have a right of opt-out to the collection and processing of personal data for services provided by NHS Scotland GP Practices. It is a requirement of the various Regulations referred to earlier that data is collected, processed and shared in a lawful manner. It is for that reason that the privacy notices on primary care forms do not seek consent or opt-in/outs since consent is not the basis of the processing.

In most instances, data held by the Practice is held on a statutory basis and the deletion of the data is not possible since to do so would compromise either the patients’ care and treatment or the Practices ability to fulfill one of its statutory functions or the function of another NHS Scotland Board or organisation.

 

The right to complain

If you are unhappy with the way in which we use your personal information please inform the Practice Manager, who is the Data Protection Officer, for the Practices.

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO).  Details about this are on their website at www.ico.org.uk.