East Cornwall Primary Care Network (“ECPCN”) recognises the importance of data protection and of ensuring that the data we hold is protected and used in a safe and conscientious manner.
To ensure that your information is kept confidential and that our data is kept safe and secure, all our staff receive training in data protection and information governance before they start work with us. Current staff also must undertake regular refresher training courses tailored to their individual roles.
Who we are and what we do
We are ECPCN – a company owned and operated by the seven GP practices in East Cornwall. ECPCN is the Data Controller.
Our address
East Cornwall Primary Care Network
Tamar House
Forge Road
Saltash
Cornwall
PL12 6LX
Our Data Protection Officer is Umar Sabat
Email
ciosicb.dpo@nhs.net
We provide General Practice services to the NHS which include research and support to General Practice.
Access to your information
Our staff will only have access to information that is necessary for them to complete the activity they are involved in. This reflects the Caldicott Principles, under which access to your information should be on a need-to-know basis only. Staff access to confidential information is monitored to ensure your confidentiality is maintained.
Information we can hold about you
- Your name and date of birth;
- Caller/carer/next of kin and patient contact details, including full home address, telephone numbers and current location;
- Details of each contact we have with you;
- Records of your health and wellbeing, including reports from other organisations providing health and social care;
- Details of your care and treatment, including clinical notes, assessments, examinations, test results and care you have received; and
- Information shared in the public domain, e.g. online (for example, on social media). This information is used to improve services and inform feedback, learning and training. It will not affect the care you receive in any way. There may be some circumstances where we share this information with others, for example, where it concerns another healthcare provider, to protect an individual or assist the police in the investigation of a serious crime.
As we do not always have access to your full GP, dental or other health records, other health professionals may provide us with important information such as a special note to highlight any specific medical history and/or care plans. This will support our health professionals in their decision making in the event of contact from you.
We will also record and keep further information about you if you contact us for reasons not regarding your direct care (for example, to make a complaint, report a concern via our patient surveys or if you leave us feedback online or post on social media).
In some cases, we may need to obtain information from, or provide information to, another service provider (such as our commissioners), for example to fully investigate a complaint or enquiry, or to assist with a Freedom of Information Act request.
The purpose of the process
Direct Care is care delivered to the individual alone, most of which is provided in our clinics. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.
The lawful basis of processing
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in ECPCN and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’.
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.
How do we keep your records confidential and secure
Everyone working in the NHS has a legal and professional duty to ensure that all your information is safely and securely protected and kept confidential. The sharing of your information is strictly controlled. We will not pass on information about you to third parties without your permission unless there are exceptional circumstances, for example, where we are required to by law.
In all cases, where personal information is shared, either with or without your consent, a record will be kept. Information that identifies you will only be used for the purposes it was provided for or where there is a clear legal basis for that information to be used. We adhere to the Caldicott Principles to ensure information is accessed and held securely and appropriately.
Our staff are required to protect your information, inform you of how your information will be used and allow you to decide how it can be shared. Our secure networks, internal and external IT safeguards, use of the national NHS smartcard system and audits all ensure we protect your right to privacy and confidentiality.
We only keep our records for as long as we need to, and we are required to manage our records in accordance with national guidance such as the NHS Records Management Code of Practice.
How your records are used
Your records are used to guide healthcare professionals in the care you receive. Your records:
- Inform the decisions made about your care;
- Ensure your treatment and advice, and the treatment of others, is safe and effective;
- Help us work effectively with other organisations and healthcare professionals who may also be involved in your care;
- Can be available if you see another doctor, or are referred to a specialist or another part of the NHS or health care system for the purposes of direct care;
- Help us to investigate complaints, legal claims and untoward events;
- Help us prepare statistics on NHS performance and assist with health research and development;
- Help us to teach, train and monitor staff and their work (including providing staff and clinicians with anonymised feedback from patient surveys) to audit and improve our services and ensure they meet your needs;
- Help us conduct clinical audit to ensure we are providing a safe, high-quality service and support the provision of care by other healthcare professionals;
- There are circumstances where we need to share information without your consent. For example, when the health and safety of others, including members of staff, is at risk, to ensure we provide you with the correct care, to protect public health or when the law requires information to be passed on (for example in the prevention of serious crime or under a court order); and
- You may be receiving care from other non-NHS organisations such as Social Services and we may need to share information about you so we can all work together for your benefit. We will only ever use or pass on information about you if others involved in your care have a genuine need for it.
Information may be withheld if it is believed it may cause serious harm or distress to yourself or another person.
We will not transfer or process your information outside of the European Economic Area.
How can you access your records
The GDPR and Data Protection Act 2018 allow you to find out what information about you is held on computer and in certain paper records. This is known as a ‘right of subject access’. If you would like to see your records, you can make a request to us.
You are entitled to receive a copy of your records and do not have to give a reason for the request; however, there may be a charge. Consent will be required when requesting information relating to someone else.
Using information for purposes other than direct healthcare
We will use your personal information for the purposes of providing you with direct care and to locally audit our services to ensure our organisation meets your needs and maintains our high standards.
Direct Care is when information is used for healthcare and medical purposes, for example, directly contributing to your treatment, diagnosis, referral and care. This also includes any relevant supporting administrative processes and audit/assurance of the quality of the healthcare service provided, such as appointment bookings, management of waiting lists, inputting test results or sharing information regarding contacts with the patient’s registered GP practice.
We will also use your personal information when required to by the law (for example following a court order to release documentation) and, in exceptional circumstances, where the use of your personal information is justified in the public interest.
For all other uses of your personal information, we will either directly ask for your consent or use information that does not identify you. For example, it may be that we use anonymised and/or pseudonymised data for:
- Processing information – taking your information and changing it so it does not identify you so it can be used for secondary purposes such as research.
- Audits – including local clinical audit to provide quality assurance of the care received by our service users.
- Service management.
- Local and national benchmarking.
- Commissioning and commissioners’ reports e.g. service use, performance reports and contract monitoring.
- Reporting, including public health alerts, performance and board reports, capacity and demand planning. We may share anonymised and pseudonymised information with other organisations with a legitimate interest such as universities and research institutions. This data will be provided in a way that respects your right to confidentiality and does not identify individual patients.
- Teaching and training.
- Sharing best practice/serious case reviews/incident management of adverse events.
- Staff and patient surveys.
- Personal development/review (particularly for clinicians).
- Subject access requests.
- Clinical systems (including EMIS, SystmOne, AccuRx, MJOG, CRIS)
Third parties we share information with
Sometimes we need to share your information with other organisations. For example, you may be receiving care from social services, and we may need to share information about you so we can all work together for your benefit.
When assisting the police with the investigation of a serious crime, or if there are concerns regarding child protection/vulnerable adults, it may be necessary for us to share your personal information with external agencies without your consent.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. Anyone who receives information from us is also under a legal duty to keep it confidential and secure.
We may also share information with organisations such as:
- NHS Trusts
- Community/district nurses
- The ambulance or other emergency services
- General Practitioners
- Child and adult safeguarding services e.g. MASH
- Social Services
- Local Authorities
- NHS 111
- The Care Quality Commission, ICO and other regulated auditors
- Public Health England
- HSCIC (http://www.hscic.gov.uk) and the data services for commissioner’s programme
Note: Under the powers of the Health and Social Care Act 2012 (HSCA), the Health and Social Care Information Centre (HSCIC) can request information that identifies you from GP practices and other providers without seeking your consent.
Information/data sharing agreements
We are bound by data and information sharing agreements with our partner organisations. These sharing agreements ensure that we only share information in a way that complies with the law. Regular information sharing is supported by information sharing agreements with our partner organisations to ensure all parties are clear on how this information may be used and their legal obligations to protect and keep your information safe and secure.
Your rights
You have the right to confidentiality and for your information to be used fairly in a way that is safe and secure under the GDPR and Data Protection Act 2018, common law duty of confidentiality and other relevant legislation. The Equality Act 2010 may also apply in certain circumstances. You have the right to know what information we hold about you, what we use it for and who we share it with.
You have the right to apply for access to your information (a Subject Access Request) and have a copy of that information, for example, via email or on paper. You also have the right to have that information explained to you, where necessary, in a way you can understand, for example, if there are any codes or abbreviations you do not understand.
You have the right to object to some or all of the information being processed under Article 21 of the GDPR and Section 99 of the Data Protection Act 2018. Please contact the Data Controller if you wish to object to your information being processed. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.
Data Controller
ECPCN
Email
kernowhealthcic.eastcornwalloperations@nhs.net
At any time, you have the right to refuse or withdraw consent to information sharing/processing and have your objections heard. We will comply with your request where we are able to do so in accordance with the law. The possible consequences of not sharing this data will be fully explained to you.
To provide a safe, professional and efficient service, we need to keep information on record. Your personal details will be handled with sensitivity and confidentiality. You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.
You have the right to complain to the Information Commissioner’s Office by visiting the ICO website or calling their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).
There are national offices for Scotland, Northern Ireland and Wales (see the ICO website).