Data Privacy Notice

The Lodge surgery is a well-established GP Practice. Our General Practitioners and allied healthcare professionals provide primary medical care services to our practice population and are supported by our administrative and managerial team in providing care for patients.

This privacy notice explains how we use any personal information we collect about you as a patient of health care services provided by the Lodge surgery

Why do we collect your personal information?

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation.  These records help to provide you with the best possible healthcare and help us to protect your safety.

We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form. The records will include both personal and special categories of data about your health and wellbeing.

What types of personal information do we collect about you?

We may collect the following types of personal information:

  • Your name, address, email address, telephone number and other contact information
  • Gender, NHS Number and date of birth and sexual orientation
  • Details of family members and next of kin details
  • Health (Medical) information, including information relating to your sex life
  • Details of any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls.
  • Results of investigations such as laboratory tests or x-rays
  • Biometric data
  • Genetic information

How will we use the personal information we collect about you?

We may use your personal information in the following ways:

  • To help us assess your needs and identify and provide you with the health and social care that you require
  • To determine the best location to provide the care you require
  • To comply with our legal and regulatory obligations
  • To help us monitor and manage our services
  • To support medical research

Text (SMS) messages

If you have provided your mobile telephone number, we may use this to send automatic appointment reminders, requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit.

If you do not wish to receive these text messages, please let the reception team know.

Call recording

Recordings of calls made and received by The Lodge surgery may be used to support the learning and development of our staff and to improve the service we provide to our patients.

They may also be used when reviewing incidents, compliments or complaints.

Call recordings will be managed in the same way as all other personal information processed by us and in line with current data protection legislation.

Data processors

We may use the services of a data processor to assist us with some of our data processing, but this is done under a contract with direct instruction from us that controls how they will handle patient information and ensures they treat any information in line with the General Data Protection Regulation, confidentiality, privacy law, and any other laws that apply.

How will we share your personal information?

We may share your personal information with other health and social care professionals and members of their care teams to support your ongoing health and or social care and achieve the best possible outcome for you. This may include:

  • Primary Care Network – The Lodge surgery is a member of the Chippenham, Corsham & Box Primary Care Network (PCN) so you may be contacted by or treated by one of the other practices within the PCN. In order to support and provide healthcare services to you, they will require access to your patient record.
  • Patient Referrals – With your agreement, we may refer you to other services and healthcare providers for services not provided by the Lodge surgery
  • Other Providers of Healthcare – We will share your information with other providers of healthcare services to enable them to support us in providing you with direct healthcare. This may include NHS organisations or private companies providing healthcare services for the NHS.
  • Care Homes or Social Care Services – Sometimes the clinicians caring for you may need to share some of your information with others who are also supporting you outside of the practice.
  • Local Authority – The local authority (council) provides health or social care services or assists us in providing direct healthcare services to you. We will share your personal information with them to enable this to take place.
  • Safeguarding – We will share your personal information with the safeguarding teams of other health and social care providers where there is a need to assess and evaluate any safeguarding concerns. Your personal information will only be shared for this reason when it is required for the safety of the individuals concerned.
  • Child Health Information services – South, Central and West child health Information Services (SCW CHIS) is commissioned by NHS England to support the monitoring of care delivered to children. Personal data is collected from the child’s GP record to enable health screening, physical examination and vaccination services to be monitored to ensure that every child has access to all relevant health interventions.
  • Summary Care Record (SCR) – Your Summary Care Record is an electronic record of important patient information created from the GP medical records. It contains information about medications, allergies and any bad reactions to medications in the past. It can be seen by staff in other areas of the health and care system involved in your direct care.

During the height of the pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it, to support direct patients care, leading to improvements in both care and outcomes.

These changes to the SCR will remain in place unless you decide otherwise.

Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information. Further details about the SCR and your choices can be found here:

https://digital.nhs.uk/services/summary-care-records-scr/summary-care-record-supplementary-transparency-notice

  • Integrated Care Records (ICR) – Bath and North East Somerset, Swindon and Wiltshire Integrated Care Record (BSW ICR) is a digital care record system for sharing information in Bath and North East Somerset, Swindon and Wiltshire.  It allows instant, secure access to your health and social care records for the professionals involved in your care.

Relevant information from your digital records is shared with people who look after you.  This gives them up-to-date information making your care safer and more efficient.

The Lodge surgery uses the system in the following way:

  • We can access your data stored within the system

Further details about the BSW ICR and how your information can be found here:

Your care record – Bath and North East Somerset, Swindon and Wiltshire ICB

https://bswicb.nhs.uk/your-health/integrated-care-record

  • GP Connect

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes.

GP Connect is not used for any purpose other than direct care.

Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect.

The NHS 111 service (and other services) will be able to book appointments for patients at GP practices and other local services. Further details about GP Connect are available here:

GP Connect privacy notice – NHS Digital

Population Health Management

This practice is participating in a local Population Health Management (PHM) initiative aimed at improving physical and mental health outcomes and the wellbeing of our patients. This requires us to share pseudonymised personal data (anything that can identify an individual is replaced with code) with other organisations involved in the initiative.

  • Brave AI – BRAVE AI employs sophisticated computer algorithms to evaluate the complexity of each patient’s health needs within our practice. By assigning a score, it helps identify individuals at risk of deteriorating health, potentially necessitating hospitalisation. This innovative tool enhances your doctors’ ability to recognise patients who may otherwise be overlooked, including those with borderline health indicators or infrequent medical interactions. The primary objective of BRAVE AI is to promote preventive healthcare practices over reactive treatments.

All data processed by BRAVE AI is stored securely and confidential patient information is exclusively disclosed to clinical teams directly involved in patient care.

Should you have any questions or concerns regarding the processing of your data alongside BRAVE AI, we encourage you to contact us at mg.gp-dpo@nhs.net

  • NHS Digital – In order to comply with its legal obligations this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.

This practice contributes to national clinical audits and will send the data, which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth and information about your health, which is recorded in coded form. For example, the clinical code for diabetes or high blood pressure.

  • National Services – There are some national services like the national Cancer Screening Programme that collect and keep information from across the NHS. This is how the NHS knows when to contact you about services like cancer screening.
  • Medical Research – With your consent, we will share information from medical records to support medical research when the law allows us to do so. For example, to learn more about why people get ill and what treatment might work best.  This is important because:
    • The use of information from GP medical records is very useful in developing new treatments and medicines.
    • Medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
  • National Fraud Initiative – The use of data by the Cabinet Office for data matching is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information see:

https://www.gov.uk/government/publications/code-of-data-matching-practice-for-national-fraud-initiative

  • National Registries – National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
  • Supporting Medicines Management – ICB’s operate pharmacist and prescribing advice services to support local GP practices with prescribing queries, which may require identifiable information to be shared. These pharmacists work with your usual GP to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is appropriate for your needs, safe and cost-effective. Where specialist prescribing support is required, the ICB medicines optimisation team may order medications on behalf of your GP Practice to support your care.
  • Supporting Locally Commissioned Services – BSW ICB support GP practices by auditing anonymised data to monitor locally commissioned services, measure prevalence and support data quality.  The data does not include identifiable information and is used to support patient care and ensure providers are correctly paid for the services they provide.
  • Medical student placements – Our practice is involved in the training of medical students. As part of this programme medical students will work in the practice and may be involved in your care. If staff would like a student to be present, they will always ask for your permission before the start of the consultation. The treatment or care you receive will not be affected if you refuse to have a student present during your appointment.
  • Cinapsis – This is a smart referral clinical communication platform that gives clinicians access to specialist advice and guidance when they need it.
  • AccuRX SMS & Video consultation – The surgery uses this software to provide an SMS service and clinician\patient video conference calls delivered using the patient and clinician’s smartphone device. This can be used when face-to-face contacts between healthcare staff and their patients are not possible.
  • Arden’s Manager – Ardens Manager is a cloud-based data analytics platform that allows GP Practices, Primary Care Networks (PCNs) and Integrated Care Boards (ICBs) to monitor, aggregate and benchmark Primary Care activity.
  • SystmConnect – SystmConnect is an Online Consultation product that was fully developed in house by TPP. This involved development of a bespoke patient facing website that supports organisation level configuration and the submission of Online Consultation requests to existing SystmOnline web servers, it is built as part of the existing SystmOne platform.
  • Heidi – Heidi is an innovative AI tool which listens to consultations and uses AI to generate clinical documentation in the style of a clinician. It can also write outputs based on the user request, for example, in the style of a clinic letter or referral letter. Some clinicians will use this tool for consultations during day-to-day clinical practice, but only after gaining patient consent. Patient identifiable information undergoes pseudonymisation and de-identification to provide additional safeguards with patient data during transit and processing while ensuring compliance with data protection regulations. Pseudonymising data ensures that any identifiers are removed or masked, which adds an additional layer of protection for patient information and reduces the risk limiting where possible sharing of personally identifiable information with 3rd parties. Data is deleted 7 days after use
  • Care Quality Commission (CQC) – The CQC regulates health and care services to ensure that safe care is provided. The law requires that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. Further information about the CQC can be found here:

http://www.cqc.org.uk/

  • Public Health England – The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England. Further information about Public Health England can be found here:

https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report

  • Other NHS Organisations – Sometimes the practice will share information with other NHS organisations that do not directly care for you, such as the ICB. However, this information will be anonymous and does not include anything written as notes by the GP and cannot be linked to you.
  • Individual Funding Request – An ‘Individual Funding Request’ is a request made on your behalf, with your consent, by a clinician, for funding of specialised healthcare which falls outside the range of services and treatments that ICB has agreed to commission for the local population. An Individual Funding Request is taken under consideration when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental and where there are no other similar patients who would benefit from this treatment. A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.
  • Improving Diabetes Care – Information that does not identify individual patients is used to enable focussed discussions to take place at practice-led local diabetes review meetings between health care professionals. This enables the professionals to improve the management and support of these patients.

We will not share your information with organisations other than health and social care providers without your consent unless the law allows or requires us to.

NHS National Data Opt-out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected in a patient record for that service. Collecting this confidential patient information helps to ensure you get the best possible care and treatment.

The confidential patient information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care where allowed by law.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you choose to opt out your confidential patient information will still be used to support your individual care.

We do not share your confidential patient information for purposes beyond your individual care without your permission. When sharing data for planning and reporting purposes, we use anonymised data so that you cannot be identified in which case your confidential patient information isn’t required.

Information being used or shared for purposes beyond individual care does not include your confidential patient information being shared with insurance companies or used for marketing purposes and information would only be used in this way with your specific agreement.

Health and care organisations that process confidential patient information have to put systems and processes in place so they can be compliant with the national data opt-out. They must respect and apply your opt-out preference if they want to use or share your confidential patient information for purposes beyond your individual care.

The Lodge surgery are compliant with the national data-out policy as we do not share your confidential patient information for purposes beyond your individual care without your permission.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters   You can change your choice at any time.

Local Enhanced Data Sharing (EDSM)

Your GP electronic patient record is held securely and confidentially on an electronic system called ‘SystmOne’ managed by the Lodge Surgery. If you require attention from a health professional such as an Emergency Department, Minor Injury Unit or Out Of Hours service, the professionals treating you are better able to give you safe and effective care if relevant information from your GP record is available to them.

We have a practice policy to share in and share out all patients’ medical records within SystmOne with care organisations with whom you are registered and receiving care.

Under the GDPR and DPA 2018, all organisations that process personal data must have in place a legal basis to process this data and an additional legal basis to process special category data (including data concerning health).

We have been advised to use the following by our Data Protection Officer:

  • Article 6 (1) (e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official duty…’ as an appropriate legal basis for personal data
  • Article 9 (2) (h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’ as an appropriate legal basis for special category data.

We have established a safe no verify list of organisations within Wiltshire with whom we will share your information without requiring a code from the patient. All other healthcare organisations will need to seek permission from the patient to receive an SMS / Email code from the patient before the surgery will allow them access to medical records.

Your permission will be asked before the information is accessed, other than in exceptional circumstances (e.g. emergencies) if the healthcare professional is unable to ask you and this is deemed to be in your best interests (which will then be logged).

Access to patient records through the NHS App

Your health record will also be accessible via the NHS App. Please visit the NHS Digital Access to Patient Records information page for more information: Access to patient records through the NHS App – NHS Transformation Directorate (england.nhs.uk)

You have the right to stop your health record entries being displayed in the NHS App.  Please contact your GP should you wish to do so.

How long do we keep your personal information?

We follow the Records Management Code of Practice for Health and Social Care 2016 records retention schedule published by the Information Governance Alliance for the Department of Health which states that electronic patient records should be retained for 10 years from the date of death. At that point, all personal data we hold on you will be securely deleted.

Legal basis

We have been commissioned by the Bath and North East Summerset, Swindon and Wiltshire ICB to provide a GP surgery service and it is necessary for the performance of this task in the public interest for us to process your personal data.

We will use your special categories of personal data, such as that relating to your race, ethnic origin, and health for the purposes of providing you with health or social care or the management of health or social care systems and services. Such processing will only be carried out by a health or social work professional or by another person who owes a duty of confidentiality under legislation or a rule of law.

In some circumstances, we may process your personal information on the basis that:

  • it is necessary to protect your vital interests;
  • we are required to do so in order to comply with legal obligations to which we are subject;
  • we are required to do so for the establishment, exercise or defence of a legal claim;

or

  • you have given us your explicit consent to do so.

Your rights

You have a right to:

  • ask for a copy of the information we hold about you;
  • correct inaccuracies in the information we hold about you
  • withdraw any consent you have given to the use of your information;
  • complain to the relevant supervisory authority in any jurisdiction about our use of your information
  • in some circumstances:
  • ask us to erase information we hold about you;
  • request a copy of your personal data in an electronic format and require us to provide this information to a third party;
  • ask us to restrict the use of information we hold about you; and
  • object to the use of information we hold about you.

You can exercise these rights by contacting us as detailed below.

Data Protection Officer

Our Data Protection Officer (DPO) is provided by Laura North.

How to contact us

All data protection queries will be initially dealt with by the practice data protection team and escalated to the Data Protection Officer service if required.

If you have any questions about our privacy notice, the personal information we hold about you, or our use of your personal information then please contact our Data Protection Officer at:   mg.gp-dpo@nhs.net

If you have concerns or are unhappy about any of our services, please contact the Practice Manager, Marshall Cooper on enquiries.lodgesurgery@nhs.net

How to make a complaint

You also have the right to raise any concerns about how your personal data is being processed by us with the Information Commissioners Office (ICO):

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF

https://ico.org.uk/concerns  0303 123 1113

Further Information

Further information about the way in which the NHS uses personal information and your rights in that respect can be found here:

The NHS Care Record Guarantee

The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data and how data is protected under Data Protection Legislation.

http://systems.digital.nhs.uk/infogov/links/nhscrg.pdf

The NHS Constitution

The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to.  These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.

https://www.gov.uk/government/publications/the-nhs-constitution-for-england

NHS Digital

NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.

http://content.digital.nhs.uk/article/4963/What-we-collect

Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

National Data Opt-Out

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.

Your rights over your personal data

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:

  • the NHS Digital GPES Data for Pandemic Planning and Research (COVID-19) Transparency Notice
  • the NHS Digital Coronavirus (COVID-19) Response Transparency Notice
  • the NHS Digital General Transparency Notice
  • how NHS Digital looks after your health and care information

Changes to our privacy notice

We keep our privacy notice under regular review and we will place any updates on this webpage.