COVID-19 Privacy Notice
(This Privacy Notice is to run alongside our standard Practice Privacy Notice)
Due to the unprecedented challenges that the NHS and we, The Kakoty Practice face due to the worldwide COVID-19 pandemic, there is a greater need for public bodies to require additional collection and sharing of personal data to protect against serious threats to public health.
In order to look after your healthcare needs in the most efficient way we, The Kakoty Practice may therefore need to share your personal information, including medical records, with staff from other GP Practices including Practices within our Primary Care Network, as well as other health organisations (i.e. Clinical Commissioning Groups, Commissioning Support Units, Local authorities etc.) and bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.
The Secretary of State has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require organisations to process confidential patient information in the manner set out below for purposes set out in Regulation 3(1) of COPI.
Purpose of this Notice
The purpose of this Notice is to require organisations such as the Kakoty Practice to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to Covid-19 (Covid-19 Purpose). “Processing” for these purposes is defined in Regulation 3(2) and includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of COPI. This Notice is necessary to require organisations such as [PRACTICE NAME] to lawfully and efficiently process confidential patient information as set out in Regulation 3(2) of COPI for purposes defined in regulation 3(1), for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.
Requirement to Process Confidential Patient Information
The Secretary of State has served notice to recipients under Regulation 3(4) that requires The Kakoty Practice to process confidential patient information, including disseminating to a person or organisation permitted to process confidential patient information under Regulation 3(3) of COPI.
The Kakoty Practice is only required to process such confidential patient information:
- where the confidential patient information to be processed is required for a Covid-19 Purpose and will be processed solely for that Covid-19 Purpose in accordance with Regulation 7 of COPI
- from 20th March 2020 until 31 March 2021.
A Covid-19 Purpose includes but is not limited to the following:
- understanding Covid-19 and risks to public health, trends in Covid-19 and such risks, and controlling and preventing the spread of Covid-19 and such risks
- identifying and understanding information about patients or potential patients with or at risk of Covid-19, information about incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from Covid-19
- understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19 and the availability and capacity of those services or that care
- monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
- delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with Covid-19, including the provision of information, fit notes and the provision of health care and adult social care services
- research and planning in relation to Covid-19.
Recording of processing
A record will be kept by The Kakoty Practice of all data processed under this Notice.
Sending Public Health Messages
Data protection and electronic communication laws will not stop The Kakoty Practice from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows The Kakoty Practice to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
Research and Pandemic Planning
The Secretary of State has directed NHS Digital to collect, process and analyse data in connection with COVID-19 to support the Secretary of State’s response to COVID-19 and support various COVID-19 purposes set out in the COVID-19 Public Health Directions 2020, 17 March 2020 (as amended) (COVID-19 Direction) and below. This enables NHS Digital to collect data and analyse and link the data for COVID-19 purposes with other data held by NHS Digital.
The purpose of the data collection is also to respond to the intense demand for General Practice data to be shared in support of vital planning and research for COVID-19 purposes, including under the general legal notice issued by the Secretary of State under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI).
NHS Digital has therefore been requested by the joint co-chairs of the Joint GP IT Committee (JGPITC) (the BMA and RCGP) to provide a tactical solution during the period of the COVID-19 pandemic to meet this demand and to relieve the growing burden and responsibility on General Practices. On 15 April 2020 the BMA and RCGP therefore gave their support via JGPITC to NHS Digital’s proposal to use the General Practice Extraction Service (GPES) to deliver a data collection from General Practices, at scale and pace, as a tactical solution to support the COVID-19 response in the pandemic emergency period.
It is a requirement of the JGPITC that all requests by organisations to access and use this data will need to be made via the NHSX SPOC COVID-19 request process, that will triage and prioritise these requests and refer appropriate requests on to the NHS Digital Data Access Request Service (DARS). NHS Digital will consult with representatives of the BMA and the RCGP on all requests for access to the data. An outline of the process for this agreed with the BMA and the RCGP is published here. Requests by organisations to access record level data from this collection will also be subject to Independent Group Advising on the Release of Data (IGARD) consideration. Data applicants will need to demonstrate they have a lawful basis to access the data for COVID-19 purposes.
Benefits of this sharing
Organisations, including the Government, health and social care organisations and researchers need access to this vital data for a range of COVID-19 purposes, to help plan, monitor and manage the national response to the COVID-19 pandemic, which will help save lives. COVID-19 purposes for which this data may be analysed and used may include:
- understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
- identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID19
- understanding information about patient access to health services and adult social care services as a direct or indirect result of COVID-19, and the availability and capacity of those services • monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
- delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services; and
- research and planning in relation to COVID-19. Legal Basis for this collection NHS Digital has been directed by the Secretary of State under section 254 of the 2012 Act under the COVID-19 Direction to establish and operate a system for the collection and analysis of the information specified for this service: GPES Data for Pandemic Planning and Research (COVID-19). A copy of the COVID-19 Direction is published here: https://digital.nhs.uk//about-nhs-digital/corporate-information-and-documents/directions-anddata-provision-notices/secretary-of-state-directions/covid-19-public-health-directions-2020. Details of the information to be collected can be found on the NHS Digital website – Specification of this DPN. Type 1 objections will be upheld in collecting this data from General Practices and therefore the data for those patients who have registered a Type 1 objection with their GP will not be collected. The Type 1 objection prevents an individual’s personal identifiable confidential information from being shared outside of their GP Practice except when it is being used for the purposes of their direct care. The National Data Opt-Out will not apply to the collection of the data, as this is a collection which is required by law. This information is required by NHS Digital under section 259(1)(a) of the 2012 Act to comply with the COVID-19 Direction. In line with section 259(5) of the 2012 Act, all organisations in England that are within the scope of this Notice, as identified below under Health and Social Care Bodies within the scope of the collection, must comply with the requirement and provide information to NHS Digital in the form, manner and for the period specified in this Notice. This Notice is issued in accordance with the procedure published as part of NHS Digital’s duty under section 259(8) of the 2012 Act. https://digital.nhs.uk/coronavirus/shielded-patient-list/distribution.Requests by organisations to access record level data from this collection will be subject to Independent Group Advising on the Release of Data (IGARD) consideration. Data applicants will need to demonstrate they have a lawful basis to access the data for COVID-19 purposes.Benefits of the collectionOrganisations, including Government, health and social care organisations need to access this vital data for a range of COVID-19 purposes, to help plan, monitor and manage the national response to the COVID-19 pandemic, which will help save lives. COVID-19 purposes for which this data may be analysed and used may include: • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks • identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID19. Data will be analysed and linked to other data held by NHS Digital or held by other organisations to which access to the data is granted for COVID-19 purposes, through the process described above. Data will be collected nationally from all General Practices by NHS Digital every week. All requests to access this data will be through Data Access Request Service (DARS). This will significantly reduce the burden on General Practice at a time when demand on resources is high, enabling General Practice to focus on delivering health care and support to patients. It will also reduce compliance burden and risk for General Practice associated with sharing data and complying with the terms of the general legal notice issued under the National Health Service (Control of Patient Information Regulations) 2002 (COPI), which applies to General Practices Patients facing the greatest risk if they contract COVID-19 and/or are in the moderate to high risk of complications from flu:• will be identified and known to health organisations• will be able to follow clear advice It will also enable vital planning, commissioning, and research to be carried out for COVID-19 purposes. If patients facing the greatest risk follow advice, it is hoped that this will contribute to the delay and mitigation of the spread of COVID-19 and save lives.Visitors to The PracticeWe have an obligation to protect our staff and employees’ health, so it is reasonable for staff at The Kakoty Practice to ask any visitors to our practice to tell us if they have visited a particular country, or are experiencing COVID-19 symptoms. This must only be in pre-approved circumstances and we would also ask all patients to consider government advice on the NHS 111 website and not attend the practice.Where it is necessary for us to collect information and specific health data about visitors to our practice, we will not collect more information than we need, and we will ensure that any information collected is treated with the appropriate safeguards.
- It will enable the SPL to be updated weekly to identify new patients and changes to patients on the List and will enable support provisions to be more dynamic and responsive to both social and clinical need.
- will be able to ask for help and support, including social care support and essential food supplies, through the Extremely Vulnerable Persons service operated by gov.uk.
- will have a greater awareness of the recommended preventative shielding measures
- •offer a flu vaccination or to contact non-responders who remain unvaccinated (as per NHS England specifications for the service). The SPL will also be used to inform GPs of their individual patients on the SPL, by flagging those patient records on GP patient record systems. The SPL will be shared with a variety of other organisations involved in the care and support of those patients and for planning, commissioning and research purposes associated with COVID-19. Full details of those with whom information has been shared can be found on the NHS Digital SPL website here:
- advise of the measures they can take to reduce their risk of contracting the virus and sign-post them to the Extremely Vulnerable Persons service operated by gov.uk at https://www.gov.uk/coronavirus-extremely-vulnerable
- added to the SPL will be contacted by post, email (and/or SMS message where this is necessary) by the NHS on behalf of the Chief Medical Officer, Chris Whitty, to:
- https://digital.nhs.uk/coronavirus/shielded-patient-list Patients
- The extract may also be used for future direct care purposes relating to the COVID-19 outbreak. The methodology NHS Digital has used to produce the SPL is explained in detail and is published on the NHS Digital SPL website page here:
- Further information on the flu programme can be found here: https://www.england.nhs.uk/wpcontent/uploads/2020/05/Letter_AnnualFlu_2020-21_20200805.pdf
- Service (GPES) data will be extracted weekly and be used to assist in producing a weekly update of the SPL. The objective of this collection is on an ongoing basis to identify patients registered at General Practices who may be: • clinically extremely vulnerable if they contract COVID-19 • at moderate or high risk of complications from flu or COVID-19. The data collected will be analysed and linked with other data NHS Digital or other organisations hold to identify: • a list of clinically extremely vulnerable patients who will be advised to take shielding measures to protect themselves. Advice given to these patients has been published by Public Health England and is available here: https://www.gov.uk/government/publications/guidance-on-shielding-and-protectingextremely-vulnerable-persons-from-covid-19/guidance-on-shielding-and-protectingextremely-vulnerable-persons-from-covid-19#what-do-we-mean-by-extremelyvulnerable • a list of patients at moderate or high risk of complications from flu to inform the flu call/recall vaccination programme.
- The Secretary of State has directed NHS Digital to collect, process and analyse data in connection with COVID-19 to support the Secretary of State’s response to COVID-19 and support various COVID-19 purposes set out in the COVID-19 Public Health Directions 2020, 17 March 2020 (COVID-19 Direction) (as amended) (COVID-19) Direction) and below. This enables NHS Digital to collect data and analyse and link the data for COVID-19 purposes with other data held by NHS Digital. The rationale for changing the data extraction is that the initial data collection was based on an existing specification for flu vaccination eligibility. This data extraction was then refined in order to more accurately reflect the patients who are clinically extremely vulnerable to COVID-19 and also to minimise the data we are collecting. A further refinement of the data extraction has taken place leading to the inclusion of new data being extracted. This will provide information to inform vaccination programmes. This General Practice Extraction
- In August 2020, the NHS announced that the seasonal national flu immunisation programme criteria for 2020 - 2021 will be expanded to include patients on the SPL. Therefore, to provide information that will support the identification of patients at moderate or high risk of complications from flu, a revision to the weekly extract of data has taken place. This, version three of the extract for the purpose of maintaining and updating the SPL, will continue until the expiry of the COVID-19 Direction. This is currently 31 March 2022 but will be reviewed in September 2020 and every six months thereafter. The frequency of the data collection may change in response to demand.
- Data will be collected nationally from all GP Practices by NHS Digital every fortnight. All requests to access this data will be triaged through the NHSX SPOC COVID-19 request process and assessed and fulfilled by NHS Digital through DARS. This will significantly reduce the burden on General Practice at a time when demand on resources is high, enabling General Practice to focus on delivering health care and support to patients. It will also reduce compliance burden and risk for General Practice associated with sharing data and complying with the terms of the general legal notice issued under COPI, which applies to General Practices.
- Data may be analysed and linked to other data held by NHS Digital or held by other organisations to which access to the data is granted for COVID-19 purposes, through the process described above.
Review and Expiry of this Notice
This Notice will be reviewed on or before 31 March 2021 and may be extended by The Secretary of State. If no further notice is sent to The Kakoty Practice by The Secretary of State this Notice will expire on 31 March 2021.
The Kakoty Practice Privacy Notice
The Kakoty Practice has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. The Kakoty Practice is the Data Controller of your medical record for the time you are registered at this practice. Staff at this practice maintains records about your health and the treatment you receive in electronic and paper format.
In accordance with Article 5 of the GDPR, this practice will ensure that any personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Information We Collect
You are required to give some information to register at our Practice, such as your name, address, date of birth, gender, nationality, main spoken language, landline and mobile telephone number and email address. We also gather some information about your health at this point for us to start our care as soon as possible. We ask for any long term conditions you may have, allergies, smoking and alcohol data. Over the years we may gather information about people who help care for you and your legal representatives.
Your Medical Record
When we inform the NHS you are registering with us they will request your full and complete medical record from your previous practice. This will either come on paper by NHS Courier or electronically. We check either/both the electronic copy or the paper copy to make sure everything we need to know about your health is on our electronic record. We will then add to your medical record every time you contact or visit the surgery. Our clinicians will enter details of your appointments with them and of any referrals to other services. We receive letters from any other service involved in your care:
- Hospital specialities, Accident and Emergency and Out of Hours or Walk in Centres
- Results of investigations such as laboratory tests, x-rays etc
- Community Care providers e.g. Physiotherapy, Mental Health, District or Community Nurses, Macmillan Nurses,
- Social Care services, Safeguarding for both Adults and Children
- Social Prescribers
Our records relating to your health care are held in a system called SystmOne provided by a company called The Phoenix Partnership (TPP). This system is one of four nationally accredited systems used by GPs for the purpose of holding records. The system has numerous safeguards to ensure your records are held securely and confidentially, for example only appropriately authorised members of the care team are able to access your records, and an audit trail is kept showing who has accessed your record.
Information We Receive From Your Use of On-line Services
We may ask you to sign up for our on line services. This allows you to order your medication on line or book and cancel appointments. We do not keep any details about your device but when you book or cancel appointments then that is logged on your medical record. If you order medication then that is also held on your medical record.
How We Use Information
Direct Personal Care
Under the GDPR we will lawfully use your information in accordance with:-
Article 6, e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Article 9, h) processing is necessary for the purpose of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems
We use the information we record to provide you with direct health care. We also use it to plan and invite patients to special clinics and reviews for example a long term condition annual review, smoke stop and weight management clinics and flu clinics for those eligible. Information may be used within the practice for clinical audit to monitor the service we provide.
Communicate with You
We use your information when needed to inform you about clinics and appointments and may contact you via post, telephone or SMS message. We will only contact you about your own personal health care and will never discuss anything with anyone other than you unless you have given you written consent for us to do so.
How Information Is Shared
For Your Direct Care
If we need to refer you to another health care provider for example a Hospital Specialist or if you contact another health care provider e.g. iHeart Barnsley, we will share some of your personal data with them to enable them to offer you appropriate direct care. We will share your name and address and telephone numbers, your current problems and medication. Details relating to the health problem you are being referred for and any allergies they should know about.
Recent improvements to the system’s functionality mean that GPs and other health professionals working for other organisations providing care in Barnsley can also view your record as long as they are directly involved in your care. This will ensure you receive the highest standards of care since everyone involved in your care will have access to complete and up to date information. It also means you won’t have to repeat details of your medical history multiple times. All organisations sharing data in this way work to the same high standards of data security and confidentiality. If you do not wish your information to be shared in this way please speak to The Practice Manager.
For the National Screening Programs
Some of your data is provided to Public Health England to make sure you are invited for all relevant national screening programs such as smears, breast and bowel cancer screening.
For National planning of Health and Social Care
Information from your medical record may be used to protect the health of the public and to help us manage the NHS. Some of this information will be held centrally and used for statistical purposes but where we do this we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested for research purposes but the surgery will always gain your consent before releasing this information.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health for example diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
With our Partner Organisations
Where it is in your interest to do so or when we are required to, we may also share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts, other GP’s and Local Authorities (including Social Care and Education Services) and Private Sector Provider
- Ambulance Trusts, Police Services, Fire and Rescue Service
- Clinical Commissioning Groups and Primary Care Network
- Other ‘data processors’ working on behalf of the NHS and Local Authorities e.g. Embed Health Consortium and NEC
- Voluntary Sector Providers working on behalf of or with the NHS and Local Authoritie
- Independent Contractors such as dentists, opticians, pharmacist
- Governmental Regulators.
Your information from health and social care records (but with names, addresses etc. removed) is looked at by your local NHS CCG, alongside that of others patients, to identify groups of patients who would benefit from some extra help from their GP or care team. This is known as ‘Risk Stratification’.
The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick.
The CCG, due to strict rules to maintain confidentiality, is typically limited to using NHS Numbers and postcodes for risk stratification work. Only GPs and care teams are allowed to use this information to be able to see which individuals need this extra help.
The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by the CCGs Medicines Management Team under a Data Processing contract with the Practice.
For Legal Reasons or To Prevent Harm
We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the Services or the physical safety of any person. We will only ever pass on information about you to others involved in your care if there is a genuine need for t. We work within the information sharing principles following Dame Fiona Caldicott's information sharing review where "The duty to share can be as important as the duty to protect patient confidentiality".
Your Rights to Access and Check Your Personal Data
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
National data opt-out facility
The national data opt-out programme will give patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used just for their individual care and treatment or also used for research and planning purposes.
Please visit nhs.uk/your-nhs-data-matters
Your GP Practice
We keep your account information, like your name, email address and password, for as long as you are registered at this practice. If you decide to register elsewhere your record will be passed to your new GP practice by a mixture of paper and electronic transfer.
More information on records retention can be found online at (https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-SocialCare-2016)
We are committed to protect your privacy and will only use your information lawfully in accordance with:
- Data Protection Act 1998 and General Data Protection Regulation 201
- Human Rights Act 199
- Common Law Duty of Confidentiality
- Health and Social Care Act 201
- NHS Code of Confidentiality, Information Security and Records Management
Data Protection Officer:
The Practice Data Protection Officer is Paul Couldrey of PCIG Consulting Limited. Any queries regarding Data Protection issues should be addressed to him at: -
Postal: PCIG Consulting Limited 7 Westacre Drive Quarry Bank Dudley West Midlands DY5 2EE