Updated: 15th May 2020
General Practice Privacy Notice
The information we hold on you
Our practice keeps data on you that may be relevant to your healthcare. This includes:
- Your address
- Contact details
- Date of birth
- NHS Number
- Your problems and diagnoses
- Your appointments
- If you have a carer
- Information from other services who have seen you
- Relevant third party information
- Referrals to specialists and other healthcare providers
- Tests carried out here and by other care providers
- Investigations and scans
- Treatment plans, treatment history and outcomes of treatments
- The observations and opinions of other healthcare workers, within and outside of the NHS
- As well as comments and summaries reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
We may also record any other relevant data provided to us about you.
When registering for NHS care, you are registered on a national database. This is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.
Identifying patients who might be at risk of certain diseases
- Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
- This means we can offer patients additional care or support as early as possible.
- This process will involve linking information from your GP record with information from other health or social care services you have used.
- Information which identifies you will only be seen by this practice.
If you would like more information, please speak with the Managing Partner.
Who we share information with
As GPs, we cannot handle all your information ourselves, so we need to delegate this responsibility to others within the practice and sometimes to other organisations.
If your care requires treatment outside the practice, we will exchange with those providing such care and treatment whatever information may be necessary to provide safe, high quality care.
Once you have seen the care provider, they will normally send us details of the care they have provided you with, so that we can understand your health better.
Your consent to this sharing of data, within the practice and with those others outside the practice, is assumed and is allowed by the Law. However, we will gladly discuss this with you in more detail if you would like to know more.
The Practice team (clinicians, administration and care navigation staff) only access the information they need to allow them to perform their function and fulfil their roles.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.
For more information
If you wish to discuss these changes or have any concerns, please ask to speak with the Managing Partner or Data Protection Officer.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Balham Park Surgery, 236 Balham High Road, SW17 7AW
Data Protection Officer
Shelby Gibbs – 020 8772 8772
Purpose of Processing your personal information
Direct Care is care delivered to the individual alone, most of which is provided in the surgery.
After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc.
The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.
The practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses (i.e. diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialists, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.
Lawful Basis for Processing your personal information
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’
Recipient or categories of recipients of your personal data
The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
In addition, personal data may be shared which is sent to or may be received from providers such as our 8to8 hubs (who provide some evening and weekend appointments on behalf of the practice), 111, out of hours services, local social services and care services, or other services the Wandsworth clinical commissioning group has commissioned.
In all cases, we ensure the data supplied is appropriate and within the law.
Your right to object
You have the right to object to some or all the information being processed, which is detailed under Article 21.
Please contact the Data Controller or the practice manager.
You should be aware that this is a right to raise an objection; that is not the same as having an absolute right to have your wishes granted in every circumstance.
Your right to access and correction
You have the right to access the data that is being shared and have any inaccuracies corrected.
There is no right to have accurate medical records deleted except when ordered by a court of Law.
How long do we hold your personal data for?
We retain your personal data in line with both national guidance and law, which can be found here:
Your right to complain
Use of personal data is overseen by the Information Commissioner's Office, often known as the ICO.
You have the right to complain or raise concerns with the ICO and they can be contacted via their website:
Or you can also call their helpline
Tel: 0303 123 1113 (local rate)
01625 545 745 (national rate)
Third party processors
In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and services accessible through this); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
Further details regarding specific third party processors can be supplied on request.
General Practice Transparency Notice for GPES Data for Pandemic Planning and Research (COVID-19)
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:
- the NHS Digital GPES Data for Pandemic Planning and Research (COVID-19) Transparency Notice
- the NHS Digital Coronavirus (COVID-19) Response Transparency Notice
- the NHS Digital General Transparency Notice
- How NHS Digital looks after your health and care information