Practice Privacy Notice

This privacy notice describes the data the practice holds about you, why we hold it, where and how we store it, how long for and how we protect it. It also tells you about your rights under the Data Protection Legislation and how the law protects you.

Who are we and what do we do?

Moretonhampstead Health Centre, Embleford Crescent, Moretonhampstead, Newton Abbot Devon. TQ13 8LW  01647 440591 moretonhampsteadhealthcentre@nhs.net

Moretonhampstead Health Centre is a Data Controller for the data we hold about you. We hold your data in order to provide you with health and care.

What is personal data and what data do we use?

Your personal data is any information that can be connected to you personally.  If you can be identified from the data, it is personal data. The types of personal data we use and hold about you are:

  • Details about you: your name, address, contact numbers, email address, date of birth, gender and NHS number. We may also hold information about your emergency contact, next of kin and carer.
  • Details about your medical care: medical diagnosis, record of treatment received, referrals, history of prescribed medication, results of investigations such as X-rays etc.
  • Information provided by you: this includes correspondence relating to feedback, concerns and complaints about the service you have received.
  • Relevant information from other healthcare professionals, relatives or those who care for you.

We may also hold the following information about you:

  • Religion or other beliefs of a similar nature,
  • Family, lifestyle and/or social circumstances,
  • Employment details,
  • Financial details.

Your Contact Details:

When we collect your mobile number, we may use it to help support the care we provide you. This will include calling you and sending you texts to: remind you of appointments; invite you to contact us to book appointments or share information or images; if applicable to share health surveys for you to complete prior to particular types of review appointments with the Nurse or GP; and occasionally to share important practice updates and information.  If you no longer wish to receive communication this way, please let a member of staff know who will be able to update your contact preferences.

When we collect your email address, we use it to contact you to ask you to contact the surgery if this is your preferred method of contact or if we are struggling to get hold of you using your preferred method. We may also use it to confirm appointments and request or share information. If you no longer wish to receive communication this way, please let a member of staff know who will be able to update your preferences.

Why do we process your data and what legal basis do we have to process your data?

In order to process your personal data or share your personal data outside of the practice, we need a legal basis to do so. If we process or share special category data, such as health data, we will need an additional legal basis to do so.

We rely upon Article 6(1)(e) (public interest task) and Article 9(2)(h) (health and social care) for most of our processing and sharing, in particular to:

  • Provide you with health and care,
  • Share data from, or allow access to, your GP record, for healthcare professionals involved in providing you with health and care,
  • Receive data from or access your data on other NHS organisation clinician systems,
  • Work effectively with other organisations and healthcare professionals who are involved in your care,
  • Ensure that your treatment and advice, and the treatment of others is safe and effective,
  • Participate in National Screening Programmes,
  • Use a computer program to identify patients who might be at risk from certain diseases or unplanned admissions to Hospitals,
  • Help NHS England and the practice to conduct clinical audits to ensure you are being provided with safe, high-quality care,
  • Support medical research when the law allows us to do so,
  • Supply data to help plan and manage services and prevent infectious diseases from spreading.

We rely upon Article 6(1)(d) (vital interest) and Article 9(2)(c) (vital interests) to share information about you with another healthcare professional in a medical emergency.

We rely upon Article 6(1)(e) (public interest task) and Article 9(2)(g) (substantial public interest) to support safeguarding for patients who, for instance, may be particularly vulnerable to protect them from harm or other forms of abuse.

We rely upon Article 6(1)(c) (legal obligation) and Article 9(2)(h) to share your information for mandatory disclosures of information such as public inquiries. The kinds of organisations we may be required to share information with may include NHS England, CQC, UK Health Security Agency and Office for Health Improvement and Disparities.

We rely upon Article 6(1)(c) (legal obligation) and Article 9(2)(f) (legal claims) to help us investigate legal claims and if a court orders us to do so.

We rely upon Article 6(1)(a) (consent) and Article 9(2)(a) (explicit consent), in order to:

  • Help the practice investigate any feedback, including patient surveys, complaints or concerns you may have about contact with the practice,
  • Help manage how we provide you with services from the practice, for example, when you nominate individuals to contact the practice on your behalf,
  • Contact you if you have signed up to our patient participation group,
  • Share your information with third parties, for example, insurance companies and medical research organisations.

We also use anonymised data to plan and improve health care services. Specifically, we use it to:

  • Review the care being provided to make sure it is of the highest standard,
  • Check the quality and efficiency of the services we provide,
  • Prepare performance reports on the services we provide.

Common law duty of confidentiality

Healthcare staff will respect and comply with their obligations under the common law duty of confidence. We meet the duty of confidentiality under one of the following:

How do we collect your data?

The practice collects data about you in the following ways:

Provided by yourself, when you:

  • Receive treatment or care from the practice,
  • Contact the practice by telephone (all telephone calls received and made by the practice are recorded), online, via an online triage system or in person,
  • Complete a form electronically or on paper,
  • Contact the practice via a Social Network (we use Facebook to share useful and timely information to the community but this is not used as a communication platform although comments are usually allowed),
  • Visit the practice’s website through the use of cookies (when visiting the website you will be provided with options regarding the use of cookies and an explanation of what types of cookies are used and why).

Provided by family members or carers:

We may also collect data from family members or carers to support your care.

Provided by third-party providers:

We receive information about you from other providers to ensure that we provide you with effective and comprehensive treatment. These providers may include:

  • The GP Practices within the North Dartmoor Primary Care Network (Chagford Health Centre, Okehampton Medical Centre, Cheriton Bishop and Teign Valley Practice and Black Torrington Surgery)
  • Other GP Practices
  • NHS Trusts/Foundation Trusts
  • NHS Commissioning Support Units (CSUs)
  • Community Services (District Nurses, Rehabilitation Services and out of hours services)
  • Child Health Information Services (CHIS)
  • Primary Mental Health Multi Agency Teams (PCN MAT)
  • NHS Cervical Screening Management System
  • RDUH Medical Examiners Programme
  • Ambulance or emergency services
  • Independent contractors such as Pharmacies, Dentists and Opticians
  • Devon Integrated Care Board (ICB)
  • NHS Digital
  • NHS England
  • Local authorities
  • Police and Judicial Services
  • Educational Services
  • NHS 111
  • UK Health Security Agency
  • Office for Health Improvement and Disparities
  • Non-NHS health care providers
  • Research providers

Who do we share your data with?

In order to deliver and coordinate your health and care, we may sometimes share information with other organisations. We will only ever share information about you if other agencies involved in your care have a genuine need for it. Anyone who receives information from the practice is under a legal duty to keep it confidential and secure.

Please be aware that there may be certain circumstances, such as assisting the police with the investigation of a serious crime, where it may be necessary for the practice to share your personal information with external agencies without your knowledge or consent.

We may share information with the following organisations:

  • The GP Practices Chagford Health Centre, Okehampton Medical Centre, Cheriton Bishop and Teign Valley Practice and Black Torrington Surgery within the North Dartmoor Primary Care Network
  • Other GP Practices
  • NHS Trusts/Foundation Trusts
  • Devon Integrated Care Board (ICB)
  • NHS Commissioning Support Units
  • Community Services (District Nurses, Rehabilitation Services and out of hours services)
  • Hospiscare
  • Child Health Information Services (CHIS)
  • Primary Mental Health Multi Agency Teams (PCN MAT)
  • NHS Cervical Screening Management System
  • The RDUH Medical Examiners Office
  • Ambulance or emergency services
  • Independent contractors such as Pharmacies, Dentists and Opticians
  • Local authorities
  • Multi-Agency Safeguarding Hub (MASH)
  • Police and Judicial Services
  • Educational Services
  • Fire and Rescue Services
  • NHS 111
  • The Care Quality Commission, ICO and other regulators
  • UK Health Security Agency
  • Office for Health Improvement and Disparities
  • NHS England
  • Non-NHS health care providers
  • Research providers

In addition to sharing data with the above services, the practice will also use carefully selected third party service providers that process data on behalf of the practice. When we use a third-party service provider, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating responsibly to ensure the protection of your data. Examples of functions that may be carried out by third parties include:

  • Organisations that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and services accessible through the same); data hosting service providers; systems which facilitate video consultation, appointment bookings or electronic prescription services; document management services etc.
  • Organisations who are delivering services on behalf of the practice (for example conducting Medicines Management Reviews to ensure that you receive the most appropriate, up to date and cost-effective treatments or supporting practices in offering choices of providers and appointments to patients who are being referred via the NHS E-Referral system).
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

We include below more details about the third-party providers we may share data with and what these services are used for. For further information of who we share your personal data with and our third-party processors, please contact Moretonhampstead Health Centre Practice Manager on 01647 440591.

Where do we store or process your data?

We use a number of IT systems and tools to store and process your data on behalf of the practice. Examples of tools we use include our core clinical system SystmOne-TPP; AccuRx; Lexacom; LumiraDx-INRStar; Consultant Connect-PhotoSaf; Microsoft Office 365 including Teams, Outlook, Word, Excel etc.; NHSmail; Ardens; IGPR; Devon and Cornwall Care Record (DCCR) e-TEP Portal; Adastra; Joy App; Heidi Health; SWComms Focus Group Telecoms; My Surgery Website.

For further information on this, please contact the Practice Manager on 01647 440591.

Enhanced Data Sharing Module

We share your record using the Enhanced Data Sharing Module from within our clinical system (SystmOne) to make sure that, whether you are visiting the practice, attending hospital, or being seen in the community or at home by a care professional, everyone knows the care you need and how you want to be treated. Your electronic health record is available to the practices in the North Dartmoor Primary Care Network and other local providers who are involved in your care. This includes the sharing of personal contact details, diagnosis, medications, allergies, and test results. Your records will be treated with the strictest confidence and can only be viewed if you use their service.

GP Connect-Interoperability

We use GP Connect to make specific appointments available to other organisations for booking; primarily, we offer appointments that the 111 service is able to book patients directly into following out of hours care.

GP Connect is a Direct Care API (Application Programming Interface) overseen by NHS Digital that facilitates interoperability between different IT and clinical systems to help approved health and social care organisations to access, share, view and write information into a patient record in the course of providing direct care. It is subject to DPIAs and the oversight of NHS Digital and offers four methods for a third-party care provider to access/generate information in the clinical record of another provider:

  • Appointment Management – GP Connect: ACTIVE

This allows us to make specific appointments available to other organisations for booking via GP Connect. This is currently active and occasionally used for the 111 service to book appointments for patients following out of hours care.

  • Access Record – Interoperability/Third Party Patient Record Settings: NOT ENABLED

If enabled, this allows us to view and share patient records between our organisation and other organisations via GP Connect, either as an HTML (read-only) view or as a structured (medications and allergies) view which shares the record in sections.

  • Update Record – Interoperability/Incoming Messages: NOT ENABLED

If enabled, this allows the practice patient record to be updated by a third-party provider who is treating the patient directly.

  • Send Document – Interoperability/Consultation Summary Messaging: NOT ENABLED

If enabled, in the case of treating non-GMS (temporary resident patients) this service allows a summary of a consultation to be electronically sent to the patient’s registered GP practice to be manually added to the patient’s record.

The legal bases for direct care via GP Connect are the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

  • for the processing of personal data: Article 6.1 (e) of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
  • for the processing of “Special Category Data” (which includes your medical information): Article 9.2 (h) of the UK GDPR: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.

Please note that if you have previously dissented (opted out) to sharing your records, this decision will be upheld, and your record will only be accessed by the practice. Should you wish to opt out, please speak to the Practice Manager who will be able to update your personal preferences. Please note that by opting out of this sharing, other health professionals may not be able to see important medical information, which may impact on the care you receive.

You can find more information about GP Connect at: https://digital.nhs.uk/services/gp-connect/gp-connect-in-your-organisation/transparency-notice

You can also search for organisations who use GP Connect here: https://transparency.ndsp.gpconnect.nhs.uk/Name

Summary Care Record (SCR)

NHS England have implemented the SCR which contains information about you, including your name, address, date of birth, NHS number, medication you are taking and any bad reactions to medication that you have had in the past. This information is automatically extracted from your records and uploaded onto a central system.

Many patients who are seen outside of their GP Practice are understandably not able to provide a full account of their care or may not be in a position to do so. The SCR means patients do not have to repeat their medical history at every care setting and the healthcare professional they are seeing is able to access their SCR. The SCR can only be viewed within the NHS on NHS smartcard-controlled screens or by organisations, such as pharmacies, contracted to the NHS.

As well as this basic record, additional information can be added to include further information. However, any additional data will only be uploaded if you specifically request it and with your consent. You can find out more about the SCR here: https://digital.nhs.uk/services/summary-care-records-scr

Devon and Cornwall Care Record (DCCR) e-TEP Service

Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive through a platform called the Devon and Cornwall Care Record. It aims to ensure that anyone treating you has access to your shared record, so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.  It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email and systems do not share all your data – just data that services have agreed is necessary to include. The DCCR uses GP Connect to enable information sharing. We have not activated this sharing area and therefore the full DCCR sharing platform is not active.

However, the DCCR also hosts a new service called the e-TEP (electronic Treatment Escalation Plan), an electronic central record of a patient’s end of life wishes, enabling those providing end of life care (GPs, Out of Hours 111, Hospiscare, Ambulance service) to all see the same electronic live data and update the record centrally, rather than relying on, reviewing and updating a single paper version that is held by the patient, which is a more time-constraining process. We use this platform to create e-TEPs for patients and make amendments as needed. Only authorised health and care staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job.

For more information about the Devon and Cornwall Care Record, please go to https://devonandcornwallcarerecord.nhs.uk/data-security-and-privacy/

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at early stages. These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. More information on the national screening programmes can be found at: https://www.gov.uk/government/collections/population-screening-programmes-document-collection

Locally Commissioned Programmes and Targeted Long-Term Condition Services

In addition to national screening programmes, the local NHS commissioning group also contracts third party providers to offer long term condition pathways and health checks for our patients. These programmes may be run at a national or local level and provide support, screening and advice for our patients with the aim of treating and slowing the progress of certain long-term conditions. These services are offered to the practice on an ad-hoc basis and are subjected to rigorous data protection and security assessments by the local commissioning group and within the practice. Such services include The Devon Targeted Lung Health Check https://peninsulacanceralliance.nhs.uk/lung-cancer-screening/, Oviva NHS Type 2 Diabetes Path to Remission Programme https://oviva.com/uk/en/programmes/t2dr/ and Inspira Primary Care Heart Failure https://inspirahealth.co.uk/services/primary-care-heart-failure-service.

NHS South, Central and West Commissioning Support Unit – Child Health Information Services (CHIS)

NHS South Central and West Commissioning Support Unit (SCW) is a leading provider of Child Health Information Services (CHIS). SCW CHIS is commissioned by NHS England to support the monitoring of care delivered to children. Personal data is collected from the child’s GP record to enable health screening, physical examination and vaccination services to be monitored to ensure that every child has access to all relevant health interventions. They play a critical role in immunisation scheduling and monitoring for new-born screening, sending invitation and result letters to parents/carers and recording and monitoring NHS public health childhood immunisation programmes. CHIS is the definitive source of immunisation uptake and coverage data within England and, as such, is essential to limiting the spread of communicable disease.

The processing of personal data for the delivery of individual care and for the administration of Child Health Information Services to support that care is lawful under the following provisions of the UK GDPR:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

We provide the CHIS under contract to NHS England, which is responsible for the provision of the overall CHIS as part of the Public Health Section 7a Agreement – service specification 28.

We do not rely on consent as the legal basis for sharing. Under GDPR an individual does not have the right to opt out of sharing for direct care purposes but can register their objection with their GP Practice. The GP can choose to continue to share despite any objection. GPs can decide that it is in the best interests of the child to share the information for direct care, which will mean the child’s health record is up to date and they can receive an invitation to immunisation at the appropriate time. The GP has a duty of care to the child and a duty to share the information under the Health and Social Care (Quality and Safety) Act for the purpose of direct care.

For more information: Fair Processing Notice Child Health Information Services - NHS SCW Support and Transformation for Health and Care (scwcsu.nhs.uk)

Risk Stratification

Your medical records will be searched by a computer program so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible.

This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this practice. More information can be found at https://www.england.nhs.uk/ig/risk-stratification/ or speak to the practice.

Research

We are a research practice and work with organisations such as the NIHR - Clinical Research Network South West Peninsula, National Institute for Health Research, Integrated Research Application System, to deliver research studies and trials. This is important because information from medical records can be very helpful in answering important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive. Employees of the practices will access your information in order to determine whether you are suitable to be invited to participate in a study. We will only share your information with the research providers with your explicit consent.  Further information regarding the research providers can be found here: https://www.nihr.ac.uk/nihr-privacy-policy

You have the right to object to your information being used for medical research purposes. This should be done under the National Data Opt-Out, which prevents information that identifies you being used for medical research purposes or quality checking or audit purposes. More information about how to opt out and your options can be found here: https://www.nhs.uk/your-nhs-data-matters/

Clinical Practice Research Datalink (CPRD)

This practice contributes to medical research and may send relevant data to CPRD. CPRD collects de-identified patient data from a network of GP practices across the UK. Primary care data is linked to a range of other health related data to provide a longitudinal, representative UK population health dataset. Further information regarding CPRD can be found here: https://cprd.com/transparency-information

National Clinical Audits

We contribute to national clinical audits so that healthcare can be checked and reviewed. Information from medical records can help measure and check the quality of care which is provided to you. The results can show where healthcare organisations are doing well and recommend improvements to patient care. Data is sent to NHS Digital, a national body with legal responsibilities to collect data, and will include details from your record such as your NHS number, date of birth and information about your health in coded form. For more information see the Healthcare Quality Improvement Partnership: https://www.hqip.org.uk/

You have the right to object to your identifiable information being used for this purpose via the National Data Opt-Out, which prevents information that identifies you being used for medical research purposes or quality checking or audit purposes. More information about how to opt-out and your options can be found here https://www.nhs.uk/your-nhs-data-matters/

The legal basis that applies for the sharing of patient identifiable information for clinical auditing is:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and/or
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

National Data Opt-Out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

Moretonhampstead Health Centre is compliant with the National Data Opt-Out.

General Practice Data for Planning and Research Data Collection (GPDfPR)

As well as using your information to support the delivery of care to you, your data may be used by NHS Digital to help improve the way health and social care is delivered to patients and service users throughout England. The date for launching this dataset has not yet been set. NHS Digital will securely extract your information to provide access to patient data to the NHS and other organisations who need to use it, to improve health and social care for everyone.

NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, and pharmaceutical companies.

At the time of publication (June 2022), patients who have a “type 1” opt-out will be excluded from this programme and will not have their data extracted for this purpose. The Type 1 Opt-Out expresses dissent from the sharing of any information for purposes other than direct patient care. If you have signed up to the National Data Opt-Out directly with NHS Digital, it will prevent NHS Digital sharing any of your personal confidential information. See below for an explanation of your opt-out options.

Further information about GPDfPR can be found here: https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research/transparency-notice

Medical Examiners Programme

The Medical Examiners (ME) Programme is a national statutory programme to review all deaths in acute (hospital) and non-acute (Community) settings and is funded and run by NHS England. The ME process seeks to provide greater transparency to the bereaved regarding the care and treatment of their loved one. Under this new scheme, all deaths in England and Wales will be independently reviewed by an ME who will decide whether to refer to the coroner. Medical records are an integral part of mortality reviews under the ME programme. To enable the MEs to accomplish this whilst ensuring the Medical Certification of Cause of Death (MCCD) is issued within the legally required framework of 5 days, MEs will be given role-based access under the most basic role available to the practice clinical system with permission for Read-Only access.

For the period before the statutory medical examiner system commences, following an application by NHS England and on the advice of the Confidentiality Advisory Group (CAG – an independent body which provides expert advice on the use of confidential patient information), the Secretary of State for Health and Social Care has approved the use of confidential patient information for the purposes of the non-statutory medical examiner system, under section 251 of the National Health Service Act 2006 and Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’). This section 251 support is in place until 31 March 2024 and enables healthcare providers, including GP practices, to share the medical records of deceased patients with medical examiners. The approved application can be found at https://www.hra.nhs.uk/planning-and-improving-research/application-summaries/confidentiality-advisory-group-registers/ (ref: 21/CAG/0032).

Medical records of deceased patients are outside the scope of UK GDPR; however healthcare providers may share (and medical examiner offices may process) contact details of deceased patients’ next of kin in accordance with Article 6.1(e) UK GDPR (processing that is necessary for the exercise of a public task). Medical examiner offices are based in NHS trusts/foundation trusts which process personal data in accordance with all applicable legal and NHS requirements including UK GDPR.

More information is available here https://www.england.nhs.uk/establishing-medical-examiner-system-nhs/non-coronial-deaths-in-the-community/#sharing-records

AccuRx

AccuRx is a communication software provider for healthcare organisations. They act as the data processor for any patient information that is processed either via their online electronic consultation tool Patient Triage or via text message. Patient Triage allows patients to submit requests for medical and administrative support and treatment, request sick notes and results or self-help. By completing a Patient Triage request you are submitting your information to AccuRx for processing, which is then provided to the practice to be reviewed and imported into your medical notes. Likewise, the AccuRx Text Message, Email and Video call service allows the practice to make contact with patients and in some cases, patients are invited to respond. We have a very clear agreement with AccuRx that sets out what they do with our data and how they keep it safe. Further information on AccuRx can be found at: https://www.accurx.com/privacy-policy and https://www.accurx.com/security

Further information regarding the role of NHS England and the practice can be found: https://www.nhs.uk/using-the-nhs/nhs-services/the-nhs-app/privacy/online-consultations/

We will rely on Legal Obligation (Article 6(1)(c)), Health and Social Care (Article 9(2)(h)) and Public Health (Article 9(2)(i)) as the legal basis for processing your data for this purpose.

Heidi Health

We use an AI transcription service (Heidi) to transcribe your clinical consultations and streamline documentation. Heidi processes your personal data on our behalf under a strict contractual agreement, ensuring compliance with all relevant data protection standards. You can choose to opt out at any time by informing our staff if you prefer traditional note-taking methods. Heidi processes your data to create a transcription of your consultation, which is set to be deleted within one day of being created. Heidi will not access or retain the transcription or audio recording for any other purpose. We follow recognised guidelines for handling records. For more information, please visit https://www.heidihealth.com/uk/legal/ukgdpr-compliance-policy

Joy App-Pungo

The Joy app is provided by Pungo Ltd. and provides a referral and caseload management service for third party services. The practice uses Joy to generate referrals for our Social Prescribing Team and Child Mental Health Service. When a referral is raised it will be as a result of a GP consultation following a discussion about the possibility of accessing these services. The following details will be included in the referral in order to allow the service to get in touch with you and deliver their service: Name, DOB, phone number, postcode and email address. For further information please see the Joy privacy notice: https://www.thejoyapp.com/privacy

How long do we hold your data?

We only hold your data for as long as necessary and are required to hold your data in line with the NHS Records Management Code of Practice 2023 Retention Schedule. Further information can be found online at: https://transform.england.nhs.uk/information-governance/guidance/records-management-code/

What rights do you have?

You have various rights under the UK GDPR and Data Protection Act 2018. This means you have choices about how your data is used which are explained below.

  1. Right of access:

You have the right to request access to view or request copies of the personal data we hold about you; this is known as a Subject Access Request (SAR).

A Subject Access Request can be made in writing or verbally. We have a SAR form on our website and in the surgery that you can fill in. The form allows us to understand fully the scope of information you require and also for us to ensure all parties are aware of the timelines for completion of the request.

Please note that you are entitled to a copy of your data that we hold free of charge; however, we are entitled to charge in certain circumstances where the law permits us to do so. We are also entitled to refuse a request, where the law permits us to do so. If we require a fee or are unable to comply with your request, we will notify you within 1 calendar month of your request.

  2. Right to restrict or object to the use of your information:

There are certain circumstances in which you can object to your data being shared. Information regarding your rights to opt-out is detailed below:

Consent:

If the practice is relying on consent as the basis for processing your data, you have the right to withdraw your consent at any time. Once you have withdrawn your consent, we will stop processing your data for this purpose.

However, this will only apply in circumstances in which we rely on your consent to use your personal data. Please be aware that if you do withdraw your consent, we may not be able to provide certain services to you. If this is the case, we will let you know.

Summary Care Record:

The SCR improves care; however, if you do not want one, you have the right to object to sharing your data or to restrict access to specific elements of your records. This will mean that the information recorded by the practice will not be visible at any other care setting.

If you wish to discuss your options regarding the SCR, please speak to a member of staff at the practice. You can also reinstate your consent at any time by giving your permission to override your previous dissent. For more information please see the NHS website https://digital.nhs.uk/services/summary-care-records-scr/summary-care-records-scr-information-for-patients

National Screening Programmes:

If you do not wish to receive an invitation to the screening programmes, you can opt out at https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes or speak to the practice.

Type 1 Opt-out:

You have the right to object to your confidential patient data being shared for purposes beyond your direct care by asking the practice to apply a Type 1 opt-out to your medical records. A Type 1 opt-out prevents personal data about you being extracted from your GP record and uploaded to any other organisations without your explicit consent. If you wish for a Type 1 opt-out to be applied to your record, please contact the surgery directly or visit our website https://www.moretonhampsteadhealthcentre.co.uk/how-your-data-is-used-and-your-options to get a Type 1 opt-out form.

National Data Opt-out:

You have the right to object to your data being shared under the national data opt-out model. The national data opt-out model provides an easy way for you to opt out of data that identifies you being used or shared for medical research purposes and quality checking or audit purposes.

To opt-out of your identifiable data being shared for medical research or to find out more about your opt-out choices please ask a member of staff or go to NHS Digital’s website: https://digital.nhs.uk/services/national-data-opt-out

National Disease Registration Service

The National Disease Registration Service (NDRS) is run by NHS England and collects patient data on cancer, congenital anomalies and rare diseases, and provides analysis to support clinical teams, academics, charities and policy makers to help plan and improve treatments and healthcare in England.

Further information regarding the registry and your right to opt-out can be found at: https://www.gov.uk/guidance/national-cancer-registration-and-analysis-service-ncras

  3. Right to rectification:

You have the right to have any errors or mistakes corrected within your medical records. This applies to matters of fact, not opinion. If the information is of a clinical nature, this will need to be reviewed and investigated by the practice. If you wish to have your records amended, please contact the Practice Manager on 01647 440591.

If your personal information changes, such as your contact address or number, you should notify the practice immediately so that we can update the information on our system. We will also ask you from time to time to confirm that the information we hold for you is correct.

  4. Right to erasure:

The practice is not aware of any circumstances in which you will have the right to delete correct data from your medical record, which the practice is legally bound to retain. However, you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the data, and to contact the practice if you hold a different view.

  5. Right to complain:

Please let us know if you wish to discuss how we have used your personal data, raise a concern, make a complaint or compliment. Please contact the Practice Manager with any feedback of this kind.

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

If you wish to complain, follow this link: https://ico.org.uk/global/contact-us/ or call the helpline on 0303 123 1113.

Data outside EEA

We do not send your personal data outside of the EEA. However, if this is required, the practice would only do so with your explicit consent.

Data Protection Officer

The Data Protection Officer for the practice is Bex Lovewell and can be contacted via email on d-ccg.deltdpo@nhs.net or by post: Delt Shared Services Limited, BUILDING 2 – Delt, Derriford Business Park, Plymouth, PL6 5QZ.

Cookies

The practice’s website uses cookies. A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites. Cookies allow a website to recognise a user’s device. Some cookies help websites to remember choices you make (e.g., which language you prefer if you use the Google Translate feature). Analytical cookies help us measure the number of visitors to our website. The two types of cookies used by the practice are ‘Session’ and ‘Persistent’ cookies.

Some cookies are temporary and disappear when you close your web browser, others may remain on your computer for a set period. We do not knowingly collect or intend to collect any personal information about you using cookies. We do not share your personal information with anyone.

What can I do to manage cookies on my devices?

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org/. If you are concerned about cookies and would like to discuss this, please contact the Practice Manager on 01647 440591.

Changes to Privacy Notice

The practice reviews this privacy notice regularly and may amend the notice from time to time. If you wish to discuss any elements of this privacy notice, please contact the Practice Manager or the Deputy Manager on 01647 440591.

Additional Documents

In addition to this comprehensive Practice Privacy Notice, the Practice also maintains Privacy Notices relating to the following specific areas:

  • Employee Privacy Notice
  • Improved Access Privacy Notice
  • Privacy Legal Requirements
  • National Screening Privacy Notice
  • Summary Care Record Privacy Notice
  • Research and Audit Privacy Notice
  • Direct Care Privacy Notice
  • Safeguarding Privacy Notice
  • Under 16s Privacy Notice
  • Risk Stratification Notice

Other

  • National Data Opt-Out Transparency Notice