Privacy Notice

In line with the new requirements the practice has created privacy notices which take the place of the current data protection policy. The privacy notices provide you with some important information on how we process any personally identifiable information that we hold on you.

Direct Care

This practice keeps data on you relating to:

  • Who you are
  • Where you live
  • What you do
  • Your family
  • Possibly your friends
  • Your employers
  • Your habits
  • Your problems and diagnoses
  • The reasons you seek help
  • Your appointments
  • Where you are seen and when you are seen, who by
  • Referrals to specialists and other healthcare providers
  • Tests carried out here and in other places
  • Investigations and scans
  • Treatments and outcomes of treatments
  • Your treatment history
  • The observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care

When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS.

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.

If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the law.

People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.

We are required by articles in the general data protection regulations to provide you with the information in the following 9 subsections.

1) Data Controller Contact Details

Dr Orton & Partners
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey
KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers. This includes specialists, therapists, technicians for example. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

4) Lawful Basis For Processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

We will also recognise your rights established under UK case law collectively known as the Common Law Duty of Confidentiality.

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. Eg Epsom & St Helier Hospital.

6) Rights To Object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right To Access And Correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention Period

The data will be retained in line with the law and national guidance.

You can find out more by:

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are National Offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website www.ico.org.uk.

Common Law Duty of Confidentiality

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies. Three circumstances making disclosure of confidential information lawful are:

  • Where the individual to whom the information relates has consented
  • Where disclosure is in the public interest
  • Where there is a legal duty to do so, for example a court order

Emergencies

There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these cases the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.

The law acknowledges this and provides supporting legal justifications.

Individuals have the right to make pre-determined decisions about the type and extend of care they will receive should they fall ill in the future, these are known as ‘Advance Directives’. If lodged in your records these will normally be honoured despite the observations in the first paragraph.

Care Quality Commission Policy

The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident. For more information about the CQC you can visit the CQC website at www.cqc.org.uk.

1)Data Controller Contact Details

Dr Orton & Partners
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey
KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. The provide specific reporting functions on identified functions.

4) Lawful Basis For Processing

The legal basis will be:

  • Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
  • Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.

6) Rights To Object

You have the right to object to some or all of the information being shared with NHS Digital. Contact the data controller or alternatively you can contact the practice.

7) Right To Access And Correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention Period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are National Offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website.

Complaints Procedure

We always endeavour to provide the best possible service. However, there may be an occasion when you feel dissatisfied and the information below explains what to do if you have a complaint.

This practice procedure does not deal with questions of legal liability or compensation.

We hope complaints can be resolved quickly as they arise and directly with the person concerned. However, if your problem cannot be dealt with as such, we would like you to let a receptionist or a member of the practice management team know the details of your complaint, as soon as possible.

  • Within 12 months of the incident that caused problems
  • Within 12 months of discovering that you have a problem

Procedure

  • Address complaints initially to the practice manager, who will take full details of the complaint and decide how best to proceed.
  • Ensure that the details of the complaint are specific, in order to that we can help you in the best way possible.
  • We will endeavour to acknowledge your complaint within 3 working days.
  • We will endeavour to have investigated your complaint in detail within 10 working days from the date of receipt of the form.
  • We should then be in a position to offer you an explanation and if necessary arrange a meeting with the people involved. A third party can accompany you, if a meeting is required.
  • Occasionally, if a lot of enquiries need to be made, this process may take longer, in which case we will keep you informed.
  • If you are complaining on behalf of someone else, his or her consent will be required before we can act.
  • We will try to resolve your concerns within the practice. However, if you are still dissatisfied, you may approach NHS England at the following address:

With our practice complaints procedure the practice will always do the utmost to achieve the aforementioned turnaround times to respond to any concerns or issues raised by our patients. However, there may be circumstances beyond our control i.e. due to mail service providers, public holidays and other contributory factors that prevent us doing so.

You may also approach PALS for help or advice:

  • The Patient Advice and Liaison Service (PALS) may also be able to help you. They provide advice, support and assistance to patients.

Please contact PALS if you need advice or information about how to raise a concern or make a complaint.

They will listen to what you have to say and will try to resolve any problems quickly and satisfactorily. If they cannot help you themselves, they will point you in the right direction.

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found on the government website at www.gov.uk/topic/population-screening-programmes, or alternatively you can Contact The Practice by completing our form.

1) Data Controller Contact Details

Dr Orton & Partners
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey
KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

The NHS provides several national health screening programs to detect diseases or conditions earlier such as:

  • Cervical and breast cancer
  • Aortic aneurysm
  • Diabetes

More information can be found at https://www.gov.uk/topic/population-screening-programmes

The information is shared so as to ensure only those who should be called for screening are called and or those at highest risk are prioritised.

4) Lawful Basis For Processing

The sharing is to support Direct Care which is covered under:

  • Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared with the Jarvis Breast Centre, Royal Surrey County Hospital Bowel Screening, Primary Care Services England, Heath Intelligence and other NHS screening services.

6) Rights To Object

You have the right to object to this processing of your data and to some or all of the information being shared with the recipients. Contact the Data Controller or the practice. For national screening programmes, you can opt so that you no longer receive an invitation to a screening programme.

For more information please contact the practice using our online Contact the Practice form. 

7) Right To Access And Correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention Period

The data will be retained in line with the law and national guidance.

You can find out more by:

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are National Offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website.

Common Law Duty of Confidentiality

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies. Three circumstances making disclosure of confidential information lawful are:

  • Where the individual to whom the information relates has consented
  • Where disclosure is in the public interest
  • Where there is a legal duty to do so, for example a court order

Summary Care Records

The Summary Care Record (SCR) is an electronic record which contains information about the medicines you take, allergies you suffer from, any reactions to medicines you have had, details of the management of long-term conditions, medications, immunisations, care plan information and significant medical history, past and present. It is held on a national database by NHS England. SCR may be shared with other healthcare professionals and organisations involved with your care. These professionals and organisations may also be able to update the record in order to ensure you are provided with the best possible care.

You can opt out of having an SCR, or exclude certain information being shared via the SCR by completing the NHS form.

Further information about the SCR can be found on the NHS Digital website.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller Contact Details

Dr Orton & Partner
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey
KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

Upload of basic and detailed additional SCR data.

4) Lawful Basis For Processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

We will also recognise your rights established under UK case law collectively known as the Common Law Duty of Confidentiality.

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.

6) Rights To Object

You have the right to object to some or all the information being processed under Article 21. Please contact the data controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right To Access And Correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention Period

The data will be retained in line with the law and national guidance.

You can find out more by:

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are National Offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website.

Common Law Duty of Confidentiality

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • Where the individual to whom the information relates has consented
  • Where disclosure is in the public interest
  • Where there is a legal duty to do so, for example a court order

NHS Digital

NHS Digital is the secure haven for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes. For more information on NHS Digital you can visit their website at: www.digital.nhs.uk/data-and-information.

Examples include:

  • A/E and outpatient waiting times
  • The numbers of staff in the NHS
  • Percentage target achievements
  • Payments to GPs
  • More specific targeted data collections and reports such as the female genital mutilation, general practice appointments data and English National Diabetes Audits

GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on GPs can be found at www.digital.nhs.uk/article/8059/NHS-England Directions– and www.nhsdatasharing.info.

1) Data Controller Contact Details

Dr Orton & Partners
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey
KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. The provide specific reporting functions on indentified.

4) Lawful Basis For Processing

The legal basis will be:

  • Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
  • Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared with NHS Digital according to directions which can be found on the NHS Digital website: www.digital.nhs.uk/article/8059/NHS-EnglandDirections.

6) Rights To Object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice

7) Right To Access And Correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention Period

The data will be retained in line with the law and national guidance.

You can find out more by:

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are National Offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website.

The BMA has serious concerns regarding the status of NHS Digital as a “safe haven” and is not confident it has acted as a secure repository for patient data.

More more information please visit the BMA website: www.bma.org.uk.

Public Health

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable, the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.

This will necessarily mean the subjects personal and health information being shared with the Public Health organisations. Some of the relevant legislation includes:

1) Data Controller Contact Details

Dr Orton & Partners
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

There are occasions when medical data needs to be shared with Public Health England, the Local Authority Director of Public Health, or the Health Protection Agency, either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.

4) Lawful Basis For Processing

The legal basis will be:

  • Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
  • Article 9(2)(i) “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared with Public Health England www.gov.uk/public-health-england and equivalents in the devolved nations.

6) Rights To Object

You have the right to object to some or all of the information being shared with the recipients. Contact the data controller or the practice.

7) Right To Access And Correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention Period

The data will be retained for active use during the period of the public interest and according to legal requirements and Public Health England’s criteria on storing identifiable data.

For more information please visit the Department of Health – Personal Information Charter page.

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are National Offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website.

Research

This practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement(1). We may also use your medical records to carry out research within the practice.

We share information with the following medical research organisations with your explicit consent or when the law allows eg clinical practice research data link. You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.

1) Data Controller Contact Details

Dr Orton & Partners
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey
KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

The purpose of the processing of such information is for medical research

4) Lawful basis For Processing

Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are:

  • Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
  • Article 6(1)(e) may apply “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
  • Article 9(2)(a) – ‘the data subject has given explicit consent…’
  • Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’
  • Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared with clinical practice research data and NICE.

6) Rights To Object

You do not have to consent to your data being used for research. You can change your mind and withdraw your consent at any time. Contact the data controller or contact the practice.

7) Right To Access And Correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention Period

The data will be retained for the period as specified in the specific research protocol(s).

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are National Offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website.

(1) Section 251 and the NHS Act, Health Research Authority

For more information please read the Official Section 251 guidance Health Research Authority Document.

Commissioning, Planning and Risk Stratification

The records we keep enable us to plan for your care.

This practice keeps data on you that we apply searches and algorithms to in order to identify from preventive interventions.

This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.

If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease.

You have the right to object to the processing of your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill defined purposes, such as “health analytics”.

Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller Contact Details

Dr Orton & Partners
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey
KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

The practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”.

These searches are sometimes carried out by data processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

4) Lawful Basis For Processing

The legal basis for this processing is:

  • Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”We will recognise your rights under UK Law collectively known as the “Common Law Duty of Confidentiality”

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared for processing with Sollis and for subsequent healthcare with CCG.

6) Rights To Object

You have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances. Contact the data controller or the practice.

7) Right To Access And Correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention Period

The data will be retained in line with the law and national guidance.

For more information please visit the Records Management Code of Practice for Health and Social Care 2016 page or you can contact the practice.

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are national offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website.

Safeguarding

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “safeguarding”.

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.

There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:

In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; section 17 Childrens Act 1989. For more information visit: www.legislation.gov.uk/ukpga/1989/41/section/17.

1) Data Controller Contact Details

Dr Orton & Partners
Spring Street Surgery
Bourne Hall Health Centre
Ewell
Surrey
KT17 1TG

2) Data Protection Officer Contact Details

South, Central and West Commissioning Support Unit

Email: Contact@scwcsu.nhs.uk

3) Purpose Of The Processing

The purpose of the processing is to protect the child or vulnerable adult.

4) Lawful Basis For Processing

The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:

  • For consented processing; 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • For unconsented processing; 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject
  • 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’ We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”

5) Recipient Or Categories Of Recipients Of The Processed Data

The data will be shared with Children Services, MASH, Adult Social Care, Social Services as appropriate.

6) Rights To Object

This sharing is a legal and professional requirement and therefore there is no right to object. There is also GMC guidance on the GMC: Protecting Children and Young People page.

7) Right To Access And Correct

The DSs or legal representatives has the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention Period

The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance.

9) Right To Complain

You have the right to complain to the Information Commissioner’s Office by:

There are National Offices for Scotland, Northern Ireland and Wales. For more information visit the ICO website.