This privacy notice explains why The Manor Practice (henceforth, “we”, “us”, or “our”) collects information about you and how that information may be used. We keep medical records confidential, complying with all Data Protection obligations. The use of data in the UK is mainly governed by:

  • UK GDPR 2021
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Codes of Confidentiality, Information Security, and Records Management

The use of healthcare data specifically is also governed by other laws such as the Access to Health Records Act 1990, the Health and Social Care Act 2012, and more.

 

The information we hold about you

All patients who receive NHS care are registered on a national database. This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data. More information can be found on the NHS Digital website; the phone number for general enquiries at NHS Digital is 0300 303 5678.

Your care records may exist in several formats including electronic, paper or a mixture of both, and we deploy many approaches to ensure that such information is maintained within a confidential and secure environment. The records which we could hold about you may include the following information:

  • Personal details relating to you, including your address and contact details, carer, legal representative and parents’ emergency contact details
  • Any contact we have had or intend to have with you such as appointments, clinic or surgery visits, home visits, etc.
  • Notes and reports about your health which are deemed to be of a sensitive nature
  • Details about your referral, diagnostic procedures, treatment and care
  • Results of any additional relevant investigations
  • Relevant information from other health professionals, relatives or those who care for you

We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation, the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up to date when you receive care from other parts of the health service.

There are also a number of Digital Tools that are centrally managed by North East London Integrated Care Board which help support your direct care and improve the way care is delivered in the future. To view the fair processing notice for these tools please visit the North East London ICB website.

 

How we use your information

We will use your information for direct care purposes and to check and review the quality of the service we provide. This helps us to improve our services to you. Anonymised information held about you could, on occasions, be used to help protect the health and well-being of the general public and to help us manage our contracts with commissioners. Information could also be used within our Practice for the purposes of clinical audits which in turn will provide monitoring of the quality of the services we provide.

Some of this information will be used for statistical purposes and we will ensure that individuals cannot be identified. For situations where we may contribute to research projects we will always gain your explicit consent before releasing any relevant information.

We may occasionally run automated searches through our database to identify patients at high risk for certain diseases or medical conditions in order to provide them with additional and early support. This process will involve linking information from your GP record with information from other health or social care services you have used. We may use a third-party provider to help us perform the searches; however, they will only be provided with pseudonymised data, so data which can directly identify you will only be viewable to the GP Practice.

 

Legal Basis for Processing

Our legal basis for processing your personal data relies on GDPR Article 6(1)(e), “...necessary for the performance of a task carried out in the public interest...”.

Our legal basis for processing your special category data relies on Article 9(2)(h), “necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” underpinned by the Data Protection Act 2018 Schedule 1 2(2)(d), “provision of healthcare or treatment”.

On occasion, we may also rely on other Article 9 conditions such as explicit consent, vital interests, legal claims, substantial public interests (with a basis in law), public health (with a basis in law), or archiving, research and statistics purposes (with a basis in law).

 

Maintaining the Confidentiality of Your Records

We will take all possible care to protect your privacy and will only use information collected within the law. Our staff are briefed on data protection principles and understand they have a legal obligation to keep information about you confidential. They also understand that information about you will only be shared with other parties if there is an agreed or legal requirement.

We will only share your data without your permission under exceptional circumstances, subject to the exceptions given by the GDPR and UK Data Protection Act, which include:

  • prevention and detection of crime
  • substantial public interest
  • vital interests (life-threatening emergencies)

This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott Principles.

All personal information that we manage is stored in the UK within a secure environment and we always use suitably protected methods and systems to transfer your personal information.

 

Who your data is shared with

We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital, or will send details about your prescription to your chosen pharmacy.

In general, your data may be shared with:

  • healthcare professionals and staff in this surgery;
  • local hospitals (e.g., for referrals);
  • out-of-hours services (e.g., staff treating you in an emergency may check if you have allergies; they will use your Summary Care Record. For more information please visit the NHS Digital website);
  • diagnostic and treatment centres; or
  • other organisations involved in the provision of direct care to individual patients (e.g. NELFT), or organisations which we have contracted to help us process data (see below for more information on our data processors).

In addition, we are legally required to share data with NHS Digital for purposes under section 259(1)(a) of the Health and Social Care Act 2012 to support vital planning and research for COVID-19 purposes.

Your data will never be transferred internationally.

 

Processors of personal data

In order to deliver the best possible service, the Practice contracts Processors to process personal data, including patient data, on our behalf.

When we use a Processor to process personal data we will always have an appropriate legal agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by a Processor include:

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient-facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services and document management services.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

 

Your Rights as a Data Subject

You have a right under the Data Protection Act 2018 to request access to view or to obtain a copy of what information the Practice holds about you and to have it modified should it be inaccurate. The process to access your records is known as a Subject Access Request (SAR) and the way it works is outlined below:

  • You can submit a request for your information either in person, over the phone, or electronically, by yourself or through your proxy (such as a law firm or a relative). You do not need to mention “Subject Access Request”, “GDPR” or any other legal terms. Our staff are trained to recognise a SAR upon receipt.
  • You will need to provide adequate proof of your identity before we can release the requested details, typically a passport or driving licence. If you are using a proxy such as a legal firm or a relative to make a request on your behalf, you must provide them with a signed consent form, specifying exactly which information you wish for us to disclose to them.
  • The request will be reviewed and completed within a maximum of one calendar month after verifying any necessary ID and other documents, as required by the GDPR, unless the SAR is complicated, in which case we may extend the deadline.
  • The latest regulations state that we cannot charge you to have a copy of your information unless the request is manifestly unfounded or excessive.

In addition to the right of access, under the Data Protection Act 2018, you will also have the following rights:

  • Rectification: you have the right to have any errors or mistakes in your records corrected. Please speak to a member of staff if you wish to do this.
  • Objection: you have the right to object to information being shared between parties for your own, direct care. Please speak to the Practice if you wish to object; however, note that this may affect the care you receive. You are not able to object to:

a) your name, address and other demographic information being sent to NHS Digital. This is necessary if you wish to be registered to receive NHS care.

b) information being legitimately shared for safeguarding reasons (as described earlier), as it is a legal and professional requirement to share information for safeguarding reasons in appropriate circumstances to protect people from harm.

  • Withdrawal of consent: If you have provided us with your consent to process your data for the purpose of providing our services, you have the right to withdraw this at any time. In order to do this, you should contact us by emailing or writing to the Practice.
  • Erasure: We are required to follow strict data retention guidelines (see below) and so are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
 

Retention of your data

GP medical records will be kept in line with our retention policy, the law and national guidance.
Information on how long records are kept can be found on the NHS Digital website.

 

National Data Opt-Out

The National Data Opt-Out gives you the choice to stop your health and care information from being used for purposes beyond individual care, such as for research or planning, where such processing requires Section 251 approval under the NHS Act 2006. This does not affect:

  • Your care or treatment,
  • The sharing of your information for direct care or other essential services, and
  • Data used anonymously for research or planning

In line with NHS policy, our practice complies with the National Data Opt-Out scheme, and you can choose to opt-out at any time.

If you choose to opt out, your confidential patient information will no longer be used for purposes beyond your individual care. Your choice is respected by all organisations within the health and care system in England.

You can view or change your data-sharing preference at any time by visiting the official NHS website, by calling the NHS helpline on 0300 303 5678, or by contacting our Practice.

For further details about the National Data Opt-Out, please visit the NHS Digital website.

 

Cookies

This website makes use of cookies to optimise user experience. By using our website, you consent to all cookies in accordance with our Cookie Policy.

 

Website Privacy

We are committed to protecting your privacy. You can access our website without giving us any information about yourself. But sometimes we do need information to provide services that you request, and this statement of privacy explains data collection and use in those situations.

In general, you can visit our website without telling us who you are and without revealing any information about yourself. However, there may be occasions when you choose to give us personal information, for example, when you choose to contact us or request information from us. We will ask you when we need information that personally identifies you or allows us to contact you.

We collect the personal data that you may volunteer while using our services. We do not collect information about our visitors from other sources, such as public records or bodies, or private organisations. We do not collect or use personal data for any purpose other than that indicated below:

  • To send you confirmation of requests that you have made to us
  • To send you information when you request it

We intend to protect the quality and integrity of your personally identifiable information and we have implemented appropriate technical and organisational measures to do so. We ensure that your personal data will not be disclosed to State institutions and authorities except if required by law or other regulation.

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should be aware that we don’t have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites.

 

Notification

The Data Protection Act 2018 requires organisations that control data to register with the Information Commissioner’s Office (ICO).

Our Practice is registered with the ICO as a Data Controller under the Data Protection Act 1998.

 

Complaints

By law, we are required to appoint an independent Data Protection Officer (DPO) to advise us on our data protection practices and obligations, in order to make sure we are complying with the law. Our DPO is:

Should you have any concerns about how your information is managed by the Practice, you can raise a complaint according to our complaints procedure.

If you are still unhappy following a review by the Practice, you can then complain to the Information Commissioner’s Office (ICO) via their website, or in writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

If you are happy for your data to be extracted and used for the purposes described in this Privacy Notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact us.