2 Pier Street, Plymouth, Devon, PL1 3BS
Telephone: 01752 660105
Sorry, we're closed
Last updated 26/08/2021
Covid-19 and your information
Supplementary privacy note on Covid-19 for Patients of West Hoe Surgery
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available at https://westhoesurgery.nhs.uk/.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and
Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt–outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency we may offer you a consultation via telephone or video- conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
GENERAL DATA PROTECTION REGULATION (GDPR) PRIVACY NOTICE FOR PRIMARY CARE SERVICES
The EU’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will be incorporated into UK data protection laws. It most probably will continue to apply even after the UK leaves the EU, not least because organisations in this country wishing to exchange data with those remaining in the Union will have to comply with its requirements. The GDPR consolidates and strengthens current data protection safeguards as developed under the Data Protection Act 1998 (DPA). The responsible UK authority, the Information Commissioner’s Office (ICO), considers that, if organisations are already compliant with the current data protection laws, they will find it relatively easy to comply with the GDPR.
Primary care providers should have a raft of policies and procedures that already meet the requirements of the DPA. A privacy notice based on this template, which follows ICO guidelines, will then help to show that the primary care service is serious about protecting the personal information it collects and processes from its patients, employees and others, and will show how it succeeds in doing this by providing an overview of its various policies and procedures.
The privacy notice should be a public document, available to patients and their families, staff and any third parties who might provide their personal information for any purpose, and in whatever ways, including on the organisation’s website and intranet if there is one. It should also feature in any training programme which the organisation introduces to deal with the GDPR. The contents should be tailored to meet individual organisations’ requirements; some might be more detailed than others. The privacy notice should be used in association with the policy on Data Protection Policy for Primary Care Services — GDPR.
|1. Business details|
|This is the privacy notice of WEST HOE SURGERY
Our registered practice is at 2 PIER STREET, WEST HOE, PLYMOUTH, DEVON PL1 3BS
West Hoe Surgery operates a number of services for patients including; health promotion, disease prevention, health maintenance, patient education, diagnosis and treatment of acute and chronic illnesses in a variety of health care settings etc.,
|2. Aims of this notice|
|West Hoe Surgery is required by law to tell you about your rights and our obligations regarding our collecting and processing any of your personal information, which you might provide to us. We have a range of policies and procedures to ensure that any personal information you supply is only stored and used with your active consent (or with one of the other legal grounds for processing set out in the GDPR and which include legal obligations and the necessity of fulfilling an employment contract). It will always be held securely and treated confidentially in line with the requirements of the GDPR. We have listed the relevant documents in a later section (6) and can make any available.|
|3. The Data Protection Officer|
|The Data Protection Officer for the surgery is Bex Lovewell. You can contact her if:
Bex can be contacted here:
|4. What personal information we collect about: a) service users b) employees and c) third parties|
|a) Patients. As a primary care provider, we must collect some personal information on our patients, including personal health information, which is essential to our being able to provide effective care and support. The information is contained in individual files (manual and electronic) and other record systems, all of which are subject to strict security and authorised access policies. Personal information that becomes inactive for any reason is kept securely only for as long as it is needed, before being safely disposed of.
b) Employees and volunteers. The service operates a safe recruitment policy to comply with the regulations in which all personal information obtained, including CVs and references, is, as with patients’ information, securely kept, retained and disposed of in line with the GDPR. All employees are aware of their right to access any information about them.
c) Third parties. All personal information obtained about others associated with the delivery of the primary care service, including contractors and suppliers will be protected in the same way as information on patients and employees.
|5. How we collect information|
|The bulk of patients’, employees’ and third parties’ personal information is collected directly from them or through form filling, mainly manually, but also electronically for some purposes, eg when contacting the service through its website.
With patients, we might continue to build on the information provided through consultations and in the process of agreeing treatment.
With employees, personal information is obtained directly and with consent through such means as references, testimonials and criminal records (DBS) checks. When recruiting staff, we seek applicants’ explicit consent to obtain all the information needed for us to decide to employ them.
All personal information obtained to meet our regulatory requirements will always be treated in line with our explicit consent, data protection and confidentiality policies.
Our website and databases are regularly checked by experts to ensure they meet all privacy standards, are protected through strong passwords and encryption and comply with our general data protection security and protection policies.
|6. What we do with personal information|
|All personal information obtained on service users, employees and third parties is consistent with our purpose of providing a primary care service which meets all regulatory standards and requirements. It will not be disclosed or shared for any other purpose.|
|7. How we keep your information safe|
|As already stated, the primary care service has a range of policies that enable us to comply with all data protection requirements, including the Data Protection Policy for Primary Care Services — GDPR.|
|8. With whom we might share information|
|We only share the personal information of patients, employees and others with their consent on a “need to know” basis, observing strict protocols in doing so. Most information sharing of service users’ information is with other professionals and agencies involved with their care and treatment. Such as:
Hospital professionals, such as doctors, consultants, nurses, etc. Other GPs/Doctors. Nurses and other healthcare professionals. Any other person that is involved in providing services related to your general healthcare, including mental health professionals.
Likewise, we would not disclose information about our employees without their clear agreement, eg when providing a reference.
The only exceptions to this general rule would be where we are required by law to provide information, eg to help with a criminal investigation. Under the terms of the GDPR, this is “complying with legal obligations”, an alternative to consent.
Where we provide information for statistical purposes, the information is aggregated and provided anonymously so that there is no privacy risk involved in its use.
|9. Other people who we provide your information to|
If you suffer with social, emotional or have practical needs you can be helped to find solutions which improve your health and wellbeing, often using services provided by the voluntary sector or by people in our own community.
|10. Other NHS and non NHS organisations who we share your data with and why|
|Sometimes the practice shares information with other organisations that do not directly treat you, for example, Clinical Commissioning Groups (CCG). Normally, it will not be possible to identify you from this information. This information is used to plan and improve services. The information collected includes data such as the area patients live, age, gender, ethnicity, language preference, country of birth and religion. The CCG also collects information about whether patients have long term conditions such as diabetes; blood pressure, cholesterol levels and medication. However, this information is anonymous and does not include anything written as notes by the GP and cannot be linked to you.
Local Data Sharing Agreements-
|11. How personal information held by the primary care provider can be accessed|
|There are procedures in place to enable any staff member, employee or third party whose personal information we possess and might process in some ways to have access to that information on request. The right to access includes both the information and any uses which we might have made of the information. There will only be a charge for providing such information in the event that requests are held to be “manifestly unfounded or excessive” (particularly if they are repetitive). Even then this fee will cover only the amount of administrative work involved.|
|12. How long we keep information|
|There are strict protocols in place that determine how long the organisation will keep the information, which are in line with the relevant legislation and regulations.|
|13. Anonymised Information|
|Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.|
|14. Third parties mentioned on your medical records|
|Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.|
|15. How we keep our privacy policies up to date|
|The staff appointed to control and process personal information in our organisation are delegated to assess all privacy risks continuously and to carry out comprehensive reviews of our data protection policies, procedures and protocols at least annually. The main point of contact with regard to data protection is Jo Lloyd-Davies – Practice Manager.|
|16. Coronavirus Pandemic-Data Protection|
|Coronavirus (COVID-19) pandemic and your information
The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.
The ICO also recognise that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’
The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the Covid-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.
Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
If you are concerned about how your information is being used, please contact our DPO using the contact details
provided in this Privacy Notice.
|17. Your Summary Care Record|
|Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England. This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare. You have the choice of what information you would like to share and with whom.
Authorised healthcare staff can only view your SCR with your permission.
Please note that it is not compulsory for you to complete a consent form. If you choose not to complete a consent form, a Summary Care Record containing information about your medication, allergies and adverse reactions and additional further medical information will be created for you as described in point b) above.
You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record then please contact our Data Protection Officer.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, please visit:
Please note: if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.
|18. How the NHS use your information – National Date Opt-Out|
|The Practice is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
|19. Legal justification for collecting and using your information|
|The Law says we need a legal basis to handle your personal and healthcare information.
CONTRACT: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.
CONSENT: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs.
Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.
NECESSARY CARE: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.
LAW: Sometimes the Law obliges us to provide your information to an organisation.
|20. SPECIAL CATEGORIES|
|The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:
PUBLIC INTEREST: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.
CONSENT: When you have given us consent.
VITAL INTEREST: If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment)
DEFENDING A CLAIM: If we need your information to defend a legal claim against us by you, or by another party.
PROVIDING YOU WITH MEDICAL CARE: Where we need your information to provide you with medical and healthcare services.
|21. Under 16s|
|Up until the age of 16 your parents will be able to access your medical information. This means they can discuss your care with staff at the Practice and may request to see copies of your medical information, unless you request us to withhold this information from them.
If you do not want your parents to have access to your medical information please speak to a member of the Practice Team.
|22. If English is not your first language|
|If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer.|
|If you have a concern about the way we handle your personal data or you have a complaint about what we are doing, with your data or how we have used or handled your personal and/or healthcare information, then please contact our Data Protection Officer.
You also have a right to raise any concern or complaint with the UK information regulator:
Information Commissioner’s Office (ICO): https://ico.org.uk/
|24. Our website|
|The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.|
|We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.|
|27. Text messaging and contacting you|
|Because we are obliged to protect any confidential information we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.
We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up to date details. This is to ensure we are sure we are actually contacting you and not another person.
|28. Where to find our Privacy Notice|
|You may find a copy of this Privacy Notice in the Surgery’s reception, on our website, or a copy may be provided on request.|
|29. Data Storage|
|NHS Digital sub-contract Amazon Web Services (AWS) to store your patient data. We have been informed that the data will remain in the UK at all times and will be fully encrypted both in transit and at rest. We have further been advised that AWS offers the very highest levels of security and support. The Practice do not have any influence over how the data is stored as this is decided centrally by NHS Digital.|
|30. Changes to our Privacy Notice|
|We regularly review and update our Privacy Notice. This Privacy Notice was last updated on 23/06/2021.|