Policy Statement
The Health and Social Care Information Centre (HSCIS) collects information with the purpose of improving health and care for everyone.
The information collected may be used for:
- Working out what care services are needed – and where and when.
- Planning for health emergencies such as epidemics.
- Helping to improve medicines and treatments.
- Finding better ways to prevent illness and treat conditions.
- Calculating how much GPs and other providers are to be paid.
Principles
NHS Digital is a data controller and has a legal duty, in line with the Data Protection Act 1998, to explain why it is using patient data and what data is being used. Similarly, CORRAN SURGERY has a duty to advise patients of the purpose of personal data and the methods by which patient personal data will be processed.
Status
The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment.
Training and Support
The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
Scope
Who it applies to
This document applies to all employees, partners, and directors of the practice. Other individuals performing functions in relation to the practice, such as agency workers, locums, and contractors, are encouraged to use it.
Why and How it applies to them
Everyone should be aware of the practice privacy notice and be able to advise patients, their relatives, and carers what information is collected, how that information may be used and with whom the practice will share that information.
The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the Data Protection Act 1998.
Definition of Terms
Privacy Notice
A statement that discloses some or all of the ways in which the practice gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.
Data Protection Act (1998)
The Data Protection Act (DPA) controls how your personal information is used by organisations, businesses, or the government.
Information Commissioner’s Office (ICO)
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
General Data Protection Regulation (GDPR)
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The GDPR came into effect on 25 May 2018.
Data Controller
A person who (either alone or jointly with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed.
Data Subject
An individual who is the subject of personal data.
Compliance with Regulations
GDPR
In accordance with the GDPR, this practice will ensure that information provided to subjects about how their data is processed will be:
- Concise, transparent, intelligible, and easily accessible.
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
DPA 1998
In accordance with the DPA 1998, this practice will ensure that any personal data is processed fairly and lawfully and:
- The practice will not use the data in ways that have unjustified, adverse effects on the individuals concerned.
- We will be transparent about how we intend to use the data and give individuals appropriate privacy notices when collecting their personal data.
- We will handle people’s personal data only in ways they would reasonably expect.
- We will not do anything unlawful with the data.
Communicating Privacy Information
At CORRAN SURGERY, the practice privacy notice is displayed on our website, through signage in the waiting room, and in writing during patient registration.
We will:
- Inform patients how their data will be used and for what purpose.
- Allow patients to opt out of sharing their data, should they so wish.
What Data will be collected?
At CORRAN SURGERY, the following data will be collected:
- Patient details (name, date of birth, NHS number)
- Address and next of kin (NoK) information
- Medical notes (paper and electronic)
- Details of treatment and care, including medications
- Results of tests (pathology, X-ray, etc.)
- Any other pertinent information
Type 1 and Type 2 Opt Outs
Patients who wish to opt out of data collection should contact reception to register a Type 1 opt-out; this is an objection that prevents an individual’s personal, confidential information from being shared outside this practice, except when it is being used for the purposes of direct care, or in particular circumstances required by law, such as a public health emergency like an outbreak of pandemic disease.
NHS Digital collects information from a range of places where people receive care. If a patient does not want personal, confidential information to be shared beyond NHS Digital, for purposes other than for their direct care, they can register a Type 2 opt-out at this practice.
Privacy Notice Checklist
The ICO has provided a privacy notice checklist which can be used to support the writing of the practice privacy notice.
Summary
It is the responsibility of all staff at CORRAN SURGERY to ensure that patients understand what information is held about them and how this information may be used. Furthermore, the practice must adhere to the DPA 1998 and the GDPR, to ensure compliance with extant legal rules and legislative acts.
Please download the Full Privacy Policy Document for further information