The Kakoty Practice Privacy Notice
In accordance with Articles 5, 6(1)(c) and 9(2)(h) of the UKGDPR, this practice will ensure that any personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject for the purpose of preventative medicine, the provision of Health and Social Care services or treatment or management of health and social care systems and services
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Information We Collect
You are required to give some information to register at our Practice, such as your name, address, date of birth, gender, nationality, main spoken language, landline and mobile telephone number and email address so we or others involved in your health care can contact you. We will allow a relative, friend or work colleague to book an appointment for you either face to face or over the telephone as we understand it can be difficult to do this yourself due to work or college BUT if you want someone to do more than that e.g. order medication, speak to staff about you or your care you must give us written permission. There is a form you can collect from Reception to complete.
Your Medical Record
When we inform the NHS you are registering with us they will request your full and complete medical record from your previous practice. This will either come on paper by NHS Courier or electronically. We check either/both to make sure everything we need to know about your health is on our electronic record. Details are added to this by our clinicians of your appointments with them and of any referrals to other services. We receive letters from any other service involved in your care e.g. hospital, out of hours, laboratory tests, community care providers and the information is recorded on our medical record
Our records relating to your health care are held in a system called SystmOne provided by a company called The Phoenix Partnership (TPP). This system is one of four nationally accredited systems used by GPs for the purpose of holding records and information is held in the UK. Your information will not be sent outside the UK where the laws there do not protect your privacy to the same extent as the law in the UK. We will never sell information about you. The system has numerous safeguards to ensure your records are held securely and confidentially, for example only appropriately authorised members of the care team are able to access your records, and an audit trail is kept showing who has accessed your record.
We may also use external companies to process your paper records for archiving purposes. These companies are bound by contractual agreements (UKGDPR Article 24-28) to ensure information is kept confidential and secure.
Information We Receive From Your Use of On-line Services
We may ask you to sign up for our online services. This allows you to order your medication online or book and cancel appointments. We do not keep any details about your device but when you book or cancel appointments then that is logged on your medical record. If you order medication then that is also held on your medical record.
How We Use Information
Direct Personal Care
Under the GDPR we will lawfully use your information in accordance with:-
Article 6, e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Article 9, h) processing is necessary for the purpose of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems
We use the information we record to provide you with direct health care. Information may be used within the practice for clinical audit to monitor the service we provide.
Communicate with You
We use your information when needed to inform you about clinics and appointments and may contact you via post, telephone or SMS message. We will only contact you about your own personal health care and will never discuss anything with anyone other than you unless you have given you written consent for us to do so.
How Information Is Shared
For Your Direct Care
If we need to refer you to another health care provider for example a Hospital Specialist or if you contact another health care provider e.g. iHeart Barnsley, we will share some of your personal data with them to enable them to offer you appropriate direct care, some care settings can access your record with your permission. We will share your name and address and telephone numbers, your current problems and medication. Details relating to the health problem you are being referred for and any allergies they should know about.
Recent improvements to the system’s functionality mean that GPs and other health professionals working for other organisations providing care in Barnsley can also view your record as long as they are directly involved in your care. This will ensure you receive the highest standards of care since everyone involved in your care will have access to complete and up to date information. It also means you won’t have to repeat details of your medical history multiple times. All organisations sharing data in this way work to the same high standards of data security and confidentiality.
For the National Screening Programs
Some of your data is provided to Public Health England to make sure you are invited for all relevant national
screening programs such as smears, breast and bowel cancer screening and immunisations.
For National planning of Health and Social Care
Information from your medical record may be used to protect the health of the public and to help us manage the NHS. Some of this information will be held centrally and used for statistical purposes but where we do this we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested for research purposes but the surgery will always gain your consent before releasing this information.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health for example diabetes or high blood pressure.
For Population Health Management
In Barnsley, a population health management programme has been introduced to use linked data from primary, secondary and community care to understand population health more effectively. This only uses pseudonymised data i.e., where information that identifies you has been removed and replaced with a pseudonym. This will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice will be able to see your personal information to offer this service to you.
To carry out this data linkage, your pseudonymised data will be passed to the North of England Commissioning Support Unit, who are part of NHS England, who will link this to other local and national data sources to be able to carry out appropriate analyses. These linked datasets will also be securely shared with Optum and your Clinical Commissioning Group to carry out any further analysis needed to support improvements to the local populations health and to target health and social care resources effectively.
Only a small number of staff based within these UK based organisations will be able to access this data and as this will be pseudonymised in accordance with the ICO Anonymisation Code of Practice, no one will be able to identify you within these organisations.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters
Where information is held centrally and used for statistics we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes but the surgery will always gain your consent before releasing information for this purpose
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
With our Partner Organisations
Where it is in your interest to do so or when we are required to, we may also share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts, other GP’s and Local Authorities (including Social Care and Education Services) and Private Sector Providers
- Ambulance Trusts, Police and Judicial Services, Fire and Rescue Services
- Clinical Commissioning Groups and Primary Care Networks, NHS England and NHS Digital
- Other ‘data processors’ working on behalf of the NHS and Local Authorities e.g. NECS
- Voluntary Sector Providers working on behalf of or with the NHS and Local Authorities
- Independent Contractors such as dentists, opticians, pharmacists
- Governmental Regulators
- Public Health – the law requires us to share information with them regarding infectious diseases or other diseases that will threaten the health of the population
- Care Quality Commission – the organisation who regulates services to ensure safe care is provided. The law states that certain events must be reported the CQC especially if a patients safety has been put at risk
Your information from health and social care records (but with names, addresses etc. removed) is looked at by your local NHS CCG, alongside that of others patients, to identify groups of patients who would benefit from some extra help from their GP or care team. This is known as ‘Risk Stratification’.
The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick.
The CCG, due to strict rules to maintain confidentiality, is typically limited to using NHS Numbers and postcodes for risk stratification work. Only GPs and care teams are allowed to use this information to be able to see which individuals need this extra help.
The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by the CCGs Medicines Management Team under a Data Processing contract with the Practice.
For Legal Reasons or To Prevent Harm
We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the Services or the physical safety of any person.
We will only ever pass on information about you to others involved in your care if there is a genuine need for it. We work within the information sharing principles following Dame Fiona Caldicott's information sharing review where "The duty to share can be as important as the duty to protect patient confidentiality".
Requirement to Process Confidential Patient Information – COVID-19
The requirement to process confidential information under under Regulation 3 of COPI – Health Service (Control of Patient Information) Regulations 2002 (COPI) has now come to an end on 1st July 2022.
Your Rights to Access and Check Your Personal Data
You have a right under the Data Protection legislation to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
National data opt-out facility
If we would like to use your data for anything other than the specified purposes and there is no lawful requirement for us to do so (e.g. adult and children safeguarding or the data is anonymized in line with the ICO Code of Practice on anonymisation) we will ensure that you have the ability to consent or opt out prior to any data processing taking place.
The national data opt-out programme will give patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used just for their individual care and treatment or also used for research and planning purposes.
Please visit nhs.uk/your-nhs-data-matters
Your GP Practice
We keep your account information, like your name, email address and password, for as long as you are registered at this practice. If you decide to register elsewhere your record will be passed to your new GP practice by a mixture of paper and electronic transfer.
More information on records retention can be found online at (https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-SocialCare-2016)
We are committed to protect your privacy and will only use your information lawfully in accordance with:
- Data Protection Act 1998 and General Data Protection Regulation 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Code of Confidentiality, Information Security and Records Management
Health Service (Control of Patient Information) Regulations 2002 (COPI)
- We have been given notice to process data set out in Regulation 3(1) of COPI. Please see our COPI privacy notice.
Data Protection Officer:
The Practice Data Protection Officer is Caroline Million. Any queries regarding Data Protection issues should be addressed to her at: -