Privacy Notice: Data protection and confidentiality

 


 

Our identity – who we are, what we do

The practice is part of the Hurley Group. The group is a traditional GP Partnership but we are rather unique in that we run several GP practices, walk-in centres, urgent care centres and a health service for unwell doctors (Practitioner Health Services).

 

The reasons why we collect and use patient data 

We collect data on patients so we can deliver direct patient care, and this means we can process patient data lawfully under the UK General Data Protection Regulations 2021 (UK GDPR 2021). We are therefore known as a Data Controller.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare. 

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this service holds about you may include the following information, and they are retained until a person dies:

  • Details about you, such as your address, email address, telephone number, legal representative, emergency contact details 
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc 
  • Notes and reports about your health  
  • Details about your treatment and care 
  • Results of investigations such as laboratory tests, x-rays etc 
  • Relevant information from other health professionals, relatives or those who care for you  

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within our services for clinical audit to monitor the quality of the service provided. 

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to anonymise the data to ensure that individual patients cannot be identified. 

Sometimes your information may be requested for research purposes. The surgery will always gain your consent before releasing the information for this purpose; further detail is given below.

 

How do we maintain the confidentiality of your records?  

We are committed to protecting your privacy and will only use information collected lawfully in accordance with: 

  • UK General Data Protection Regulation 2021 
  • Data Protection Act 2018 
  • Human Rights Act 1998  
  • Common Law Duty of Confidentiality  
  • Health and Social Care Act 2012  
  • Access to Health Records Act 1990 
  • NHS Codes of Confidentiality and Information  
  • Information: To Share or Not to Share Review  

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. All our staff undergo yearly training on data protection. 

We will only ever use or pass on health information about you if others involved in your care have a genuine need for it. We will not disclose your health information to any 3rd party without your permission unless: 

  • there are exceptional circumstances (i.e. life or death situations),  
  • where the law requires information to be passed on (e.g. in event of a serious crime) 
  • in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.
 

Hurley Group Oversight 

The Hurley Group privacy notice is displayed on our website, through signage in the waiting room and in writing during patient registration (by means of this web page).

We have assigned a Data Protection Officer who has oversight of the handling of information within the Hurley Group. They oversee and make decisions on information sharing and are accountable for information risk.

If you wish to contact the Data Protection Officer please use the following link or contact the service.

Contact the Data Protection Officer 

 

Other Data Sharing / Access Projects and special cases 

Direct Patient Care 

Often we have to share information for your medical care, such as with a hospital when we refer you or if you attended an urgent care centre. Many of our services also have electronic links with another GP service, hospital, out of hours or community service so they can see the records that we hold about you and vice versa when they are dealing with your medical care directly. Please contact the service if you would like more detail.

Special cases and the Law 

The law requires us to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example: 

  • plan and manage services; 
  • check that the care being provided is safe; 
  • prevent infectious diseases from spreading.   

We will share information with NHS Digital, the Care Quality Commission and the local health protection team (or Public Health England) when the law requires us to do so.

 

NHS Digital

NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. 

It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.   

This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012. 

More information about NHS Digital and how it uses information can be found here. 

NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office.

More information on this can be found here.

 

General Practice Data for Planning and Research 

  • This new service replaces existing GP data extraction services on 1st September 2021
  • It shares pseudonymised data i.e. it will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, full postcode and date of birth, is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital. 

The service will collect: 

  • data on your sex, ethnicity and sexual orientation  
  • clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls, and appointments, including information about your physical, mental and sexual health  
  • data about staff who have treated you  

More information is available here. 

You can opt out by completing this form before 25th August 2021 and returning it to your GP.

 

Care Quality Commission (CQC)

  • The CQC regulates health and social care services to ensure that safe care is provided.  
  • The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.  

For more information about the CQC see their website.

 

Public Health

  • The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.  
  • We will report the relevant information to the local health protection team or Public Health England.

For more information about Public Health England and disease reporting see here.

 

National Screening Programme

  • The NHS provides national screening programmes so that certain diseases can be detected at an early stage.  
  • These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.  
  • The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.  

More information can be found here.

 

Medical Research

Hurley Group shares information from medical records:  

  • to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;  
  • we will also use your medical records to carry out research within the practice. 

This is important because: 

  • the use of information from GP medical records is very useful in developing new treatments and medicines;  
  • medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive. 
  • We share information with medical research organisations with your explicit consent or when the law allows. 

The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits) 
Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. 
For medical research: there are two possible Article 9 conditions.  
Article 9(2)(a) – ‘the data subject has given explicit consent…’ 
OR 
Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.  
To check the quality of care (clinical audit): 
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’ 

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.

 

uMed

Our practice uses Umedeor Ltd (uMed) as a data processor to support research and care support activity. This includes accessing and secure hosting of health record data for the purpose of identifying patients that are eligible for specific research or care support projects. uMed also contacts those patients on behalf of the practice via SMS, letter, email or telephone to provide more information about the study, and to collect additional information to assess your eligibility for a certain study.

Your consent will be required before any practice data is shared externally with researchers.

uMed applies the national opt-out to practice data it receives, so if you do not wish your data to be processed for research you can opt out by visiting here.

For further information on uMed please visit their website or email patientsupport@umed.io

 

IQVIA Medical Research Database (IMRD) 

We are currently involved in a research programme called the IQVIA Medical Research Extraction Scheme (MRES) for which we provide non-identified information from patients’ electronic medical records. 
The data collected does NOT include any patient identifiable information such as names, NHS numbers, or dates of birth. The data is used by researchers outside our practices for scientifically approved research into such topics as: Epidemiology & Pharmacoepidemiology, Drug Safety & Risk Management, Public Health Research, Drug Utilisation Studies, Outcomes Research and Health Economics Research / Resource Utilisation.  Additionally, the data may be used for treatment analysis to provide insights into patient, disease and prescribing profiles. If you would like to opt out of this scheme, please let your practice know, and no data from your records will be utilised for research.

This will not affect your care in any way.  

For a list of published IQVIA research please go to their website.

 

Osteoporosis Proof of Concept Project - Quantium 

Purpose of the Project: 

The project aims to develop a Proof of Concept using Quantium's Data Science and AI to identify hidden data within unstructured clinical data (e.g. scanned letters within medical records). Specifically, it will be looking for patients who may have Osteoporosis or who are on suboptimal treatment. It commenced 9/11/23 and will end 9/1/23.

Lawful Basis for Processing: 

Article 6(1)(f): the lawful basis for processing is 'legitimate interests'.

Data Security Measures: 

  • All data is processed within the same facility. 
  • All data is kept within the Hurley group infrastructure and backed up within our servers. 
  • Access control is guided by the appropriate agreement contracts. Only named Quantium contractors can access the clinical systems under the data processing agreement
  • Role based access controls are set to ensure access only to areas required 
  • Access is revoked as soon as the project is over at 8 weeks, unless an extension is granted to complete processing 

CCTV

Some of our practices have CCTV in place for security reasons. These records are kept secure in a similar manner to patient records and follow the ICO code of practice.
Information is only shared in the exceptional circumstances set out above.

Recorded Telephone calls 

All our Patients should be aware that this Practice records telephone calls to and from the practice. 

The primary purpose of call recording at our Practice sites is for training and monitoring purposes.  This includes the provision of a record of incoming and outgoing calls which can: 

  • Identify practice staff training needs 
  • Protect practice staff from nuisance or abusive calls 
  • Establish facts relating to incoming/outgoing calls made (e.g. complaints) 
  • identify any issues in practice processes with a view to improving them (e.g. to aid workforce planning) 

Our Practices will make every reasonable effort to advise callers that their call may be recorded and for what purpose the recording may be used. This will normally be via a pre-recorded message within the telephone system and via signage at the practice. 

We lawfully do not require your consent under articles 6(1)(e) and 9(2)(b)(c)(h) of the Data Protection Act 2018; however, you do have the right to terminate the call if you do not wish for the call to be recorded.

The recording will be securely stored within the telephone recording system software to which strict rules of confidentiality will apply. The recording data will be retained for 36 months on the Telephony System before deletion.  

The telephone service supplier operates under an approved code of practice for the storage of recorded calls.  Calls are stored for a limited period of time.  

The practice sites’ data protection registration also covers voice files similarly to other data. 

If you need to request a copy of a recording, please do the following: 

Make a request in writing to the Practice Manager. The written request must state the following:

  1. The reason for the request 
  2. Date and time of the call if known 
  3. Telephone extension used to make/receive the call 
  4. External number involved  
  5. Where possible, the names of all parties to the telephone call 
  6. Any other information on the nature of the call
 

Video Consultations

If either you or one of our clinicians have requested a video consultation using the Hurley Group’s Video Consultation solution, it will be treated as any other consultation you have with your GP.  However, you will need to be aware of the following: 

  • The Hurley Group takes your privacy and the security of your personal information very seriously and will ensure that it is kept secure and protected. To ensure the safety of your personal information all communication between the GP and patient devices is encrypted to NHS standards. However, you should be aware that no communication over the internet is 100% secure. If you have any concerns about this, you may request a face to face or telephone appointment. Video consultations are entirely voluntary and are offered to extend access and provide patient choice.
  • The Video Consultation application itself cannot protect users from spyware so you should always ensure that you have adequate anti-virus/malware protection on any device you use for the video consultation. If you choose to use the Video Consultation solution on your mobile device you should make adequate provision to ensure the security of the device you choose to use.
  • We will always conduct a video consultation in a quiet, private space, free of interruptions where others cannot overhear. You are responsible for ensuring that you are in an appropriate environment and we recommend that you find a quiet, private place to speak to us.

You will be provided with instructions for joining the video consultation as per the process set out for the video solution in use.   You will be required to provide your consent to the terms and conditions of the service and the invitation in order for you to proceed with the scheduled consultation. If you share an account with other people, such as your family members, they may have access to some information about the consultation.  If you are using a public or shared device then you should be aware that some of your personal information may be stored locally on the computer you are using. 
Should we seek to record the video consultation we will obtain and document your consent to do so.  We will also explain why a recording will help in providing clinical care, who can access the recording, where and how it will be stored securely, how long it will be stored for and how it will be used (i.e. that the recording will not be used for any other purpose except for direct care without the patient’s express permission). 

 

Transcription Services

Hurley Group clinicians utilise a transcription service called Nabla Copilot.

In a move to always improve the care services we deliver to you / our patients, our clinicians may use this new tool to generate consultation notes. This tool is powered by AI and processes the audio flow of the tele- or in-person consultation without storing it.

Only pseudonymized data are processed by this tool and the patient health data are only stored in Hurley's secured electronic health records. 
This new tool reduces the administrative burden on doctors and allows them to dedicate more time to what is their core mission: delivering care to you. 

If you want to know more about this tool, please refer to this white paper. 

 

Risk Stratification  

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out.  

 

Online Consultations (eConsults) 

Hurley Group utilises online consultations. Information entered in an online consultation is stored in your clinical record just as it would be if you had seen the Doctor face-to-face. It is subject to the same information rules as anything else in your clinical record.  

 

Hurley eHub  

As part of our commitment to improving quality of care, many of our online consultations are now done remotely, on behalf of all of the surgeries in the Hurley Group (the ‘eHub’). Our Doctors who work in the eHub work for a range of surgeries across the Hurley Group.  This means that you may be contacted by a doctor who works at a different surgery to the one you go to. However, they are fully employed by the Hurley Group and subject to the same confidentiality and information governance rules as described in this Notice.  

 

SmartSurvey 

Our Practitioner Health Services use a survey tool called SmartSurvey to process registration forms and user feedback. We do not store data on SmartSurvey and any personal data collected via the SmartSurvey tool is deleted once it has been added to your clinical record.

We do not ask for any personal identifiable information in user surveys and these are usually anonymised returns. 


 

IGPR Technologies 

We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for. iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care. 

 

Access to personal information

You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following: 

  • Your request must be made in writing to the service - for information from the hospital you should write direct to them 
  • There is no charge for this 
  • We are required to respond to you within one calendar month 
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located  
 

Objections / Complaints

Should you have any concerns about how your information is managed, please contact the service or the Data Protection Officer using the link below.

Contact the Data Protection Officer

If you are still unhappy following a review by the service, you can then complain to the Information Commissioner’s Office (ICO) via their website.

 

Opting out of Data Sharing 

If you are happy for your data to be extracted and used for the purposes described in this Privacy Notice then you do not need to do anything. 

If you do not want your personal data to be extracted and to leave the GP practice for any of the purposes described, you need to let us know as soon as possible.

We will then enter clinical codes into your records that will prevent data leaving the practice and / or leaving the central information system at NHS Digital. 

From the 25th of May you will be able to do this online. 

 

Other Useful Sources of Information 

A highly recommended source of information for patients that helps explain how your data is used in the health service.