Practice Policies & Patient Information
Access to Records
In accordance with the Data Protection Act 1998 and Access to Health Records Act, patients may request to see their medical records. Such requests should be made through the practice manager and may be subject to an administration charge. No information will be released without the patient consent unless we are legally obliged to do so.
Complaints
Please ask to speak to the site lead when attending the practice who will escalate to practice manager.
We make every effort to give the best service possible to everyone who attends our practice.
However, we are aware that things can go wrong resulting in a patient feeling that they have a genuine cause for complaint. If this is so, we would wish for the matter to be settled as quickly, and as amicably, as possible.
To pursue a complaint please contact the practice manager who will deal with your concerns appropriately. Further written information is available regarding the complaints procedure from reception.
If you require support or advocacy with your complaint then you are able to contact:
Healthwatch County Durham – Home | Healthwatch Countydurham
Tel: 0800 3047039
Email: [email protected]
NE NHS Independent Advocacy Service – North East ICA – Carers Federation
Tel: 0808 802 3000
Email: [email protected]
Confidentiality & Medical Records
The practice complies with data protection and access to medical records legislation. Identifiable information about you will be shared with others in the following circumstances:
- To provide further medical treatment for you e.g. from district nurses and hospital services.
- To help you get other services e.g. from the social work department. This requires your consent.
- When we have a duty to others e.g. in child protection cases anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.
If you do not wish anonymous information about you to be used in such a way, please let us know.
Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.
Data Choices
Your Data Matters to the NHS
Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.
How your data is used
Information about your individual care such as treatment and diagnoses is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital. It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.
Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.
You have a choice
You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.
Will choosing this opt-out affect your care and treatment?
No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.
What do you need to do?
If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.
To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit www.nhs.uk/your-nhs-data-matters
Fair Processing Notice
How we use your information
Our GP practice holds information about you and this document outlines how that information is used, with whom we may share that information, how we keep it secure (confidential) and what your rights are in relation to this.
The Health Care Professionals (HCP) who provide you with care, maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP surgery, Community clinics or staff etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.
What kind of information do we use?
- Details about you, such as address and next of kin and carer information etc
- Any contact the surgery has had with you such as appointments, clinic visits, emergency appointments and so on
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc.
- Relevant information from other HCPs, relatives or those who care for you
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided and to plan NHS services.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the surgery or organisation concerned will always endeavour to gain your consent before releasing the information.
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control patients can have over this.
The NHS Constitution https://www.gov.uk/government/publications/the-nhs-constitution-for-england
establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
What do we use your personal and confidential/sensitive information for?
We can only use any information that may identify you (known as personal information) in accordance with the Data Protection Act 1998 and other laws such as the Health and Social Care Act 2012. http://www.legislation.gov.uk/ukpga/1998/29/contents and http://www.legislation.gov.uk/ukpga/2012/7/contents/enacted, however only the minimum necessary identifiers are used in processing personal information for the purpose. We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.
Apart from direct health care sensitive personal information may also be used in the following cases:
- To respond to patients, carers or Member of Parliament communication
- We have received consent from individuals to be able to use their information for a specific purpose.
- There is an over-riding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
- For the health and safety of others, for example to report an infectious disease such as meningitis or measles.
- We have special permission for health and research purposes (granted by the Health Research Authority).
- We have special permission called a ‘section 251 agreement’ (Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006) which allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. An example of where this is used is in risk stratification. Further information can be found on the Health Research Authority’s web site here http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/what-is-section-251/
Risk Stratification
Risk stratification tools are increasingly being used in the NHS to help determine a person’s risks of suffering from a particular condition, preventing an unplanned or (re)admission and identifying a need for preventative intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your anonymised information using software managed by North of England Commissioning Support Service (NECS), which is based at John Snow House, Durham, DH1 3YG. The data is provided back to the GP Practice or member of your care team in an identifiable form. Risk stratification enables your GP Practice to focus on the prevention of ill health and not just the treatment of sickness. If necessary, your GP Practice may be able to offer you additional services.
Should you have any concerns about how information is managed at your GP Practice, please write to the Practice Manager so you can discuss how the disclosure of your personal information can be limited.
Invoice validation
If you have received treatment within the NHS, access to your personal information is required in order to determine which Clinical Commissioning Group (CCG) should pay for the treatment or procedure you have received. The validation of invoices is undertaken within a controlled environment for finance within the North of England CSU (NECS) which is based at John Snow House, Durham, DH1 3YG. This is carried out via a section 251 agreement and is undertaken to ensure that the CCG is paying for treatments relating to its patients only. The dedicated NECS team receives patient level information (minimal identifiers are used for this purpose, such as NHS number, post code, date of birth) direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by the CCG. The CCG does not receive or see any patient level information relating to these invoices. Further information about invoice validation can be found on NHS England’s web site here https://www.england.nhs.uk/ourwork/tsd/ig/in-val/
How do we maintain confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection At 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security.
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who received information from an NHS organisation has a legal duty to keep it confidential.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g. life or death situations) or where the law requires information to be passed on.
The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All practice staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice and can be enforced through disciplinary procedures.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where information that could or does identify a person is processed.
We have a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for the practice is Dr A Simpson who can be contacted using the contact details at the top of this document. We also have a Senior Information Risk Owner (SIRO) who is responsible for owning the practice’s information risk. The SIRO is Joseph Chandy.
We are registered with the Information Commissioner’s Office (ICO) as a data controller which describes the purposes for which we process personal data. A copy of the registration is available from the ICO’s web site by searching on our practice name.
Who are our Partner Organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts • Specialist Trusts • Independent contractors such as dentists, opticians, pharmacists • Private sector providers • Voluntary sector providers • Ambulance Trusts • Clinical Commissioning Groups • Social Care and Health • Local Authorities • Education Services • Fire & Rescue Services • Police • Other data processors
What are your rights?
Where information from which you can be identified is held, you have the right to ask to:
- View this or request copies of the records by making a subject access request – also see below.
- request information is corrected
- have the information updated where it is no longer accurate
- ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive.
Access to personal information
You have a right under the Data Protection Act 1998 to access/view what information the surgery holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:
- Give you a description of it • Tell you why we are holding it • Tell you who it could be disclosed to, and • Let you have a copy of the information in an intelligible form
- If you would like to make a ‘subject access request’, please do so in writing to the Practice Manager.
Summary Care Records (SCR)
The Summary Care Record is a national scheme to share information about the medicines you are prescribed and any allergies or other adverse reactions you have experienced. Health Professionals at other organisations will only be able to access this information with your permission. You can opt-out of the scheme; please ask at the surgery if you need more information or follow the appropriate link on our website.
Summary Care Record with Additional Information
This is a national scheme to share more detailed information including your current medical problems and your care wishes. Health Professionals at other organisations will only be able to access this information with your permission. This information will only be available to other agencies if you have given us your permission to share it.
Great North Care record (GNCR)
A local initiative to share medical information in the North East. The information shared is similar to that in the Summary Care Record with Additional Information. Health Professionals at other organisations will only be able to access this information with your permission. The health organisations with whom we share this information are, 111, ambulance services, out of hours services and NHS hospitals, GP practices and Mental Health Services. This information will be shared unless you tell us in writing that you don’t want us to share it. You can opt-out of this scheme – please ask at the surgery.
Your right to withdraw consent
If you are happy for your data to be extracted and used for the purposes described in this Fair Processing Notice, then you do not need to do anything.
If you do not want your personal data being extracted and used for the purposes described in this Fair Processing Notice, then you need to let us know as soon as possible in writing to the Practice Manager.
Please note that withdrawing your consent from sharing data may, in some circumstances, cause a delay in your receiving care.
How long do you hold information for?
All records held by the practice will be kept for the duration specified by national guidance from the Department of Health, The Records Management Code of Practice for Health and Social Care 2016. Confidential information is securely destroyed in accordance with this code of practice.
Your right to opt out
In some instances, you are allowed to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. To support this patients are able to register objections with the GP Practice to either prevent their identifiable data being released outside of the GP Practice (known as a Type 1 objection) or to prevent their identifiable data from any health and social care setting being released by NHS Digital (known as a Type 2 objection) where in either case it is for purposes other than direct patient care. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision. There are certain circumstances where a person is unable to opt out but these are only where the law permits this such as in adult or children’s safeguarding situations.
You have a right in law to refuse or withdraw previously granted consent to the use of your personal information. There are possible consequences of not sharing such as the effect this may have on your care and treatment but these will be explained to you to help with making your decision.
If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact us using the contact details at the top of this document.
What is the right to know?
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.
What sort of information can I request?
In theory, you can request any information that the practice holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act. Your request must be in writing and can be either posted or emailed to the practice.
Where can I obtain further advice?
For independent advice about data protection, privacy, data sharing issues and your rights you can contact:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745
Email: [email protected]
Visit the ICO website here https://ico.org.uk/
Complaints or questions?
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. Please contact us using the contact details at the top of this document should you have any such concerns.
Freedom of Information
Information about the General Practioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.
GDPR Privacy Statement
East Durham Medical Group aims to meet the requirements of the Data Protection Act 2018, the General Data Protection Regulation (GDPR], the guidelines on the Information Commissioner’s website as well as our professional guidelines and requirements.
The data controller is East Durham Medical Group and the Information Governance Lead Dr Oliver Barnsley who is also the Data Protection Officer.
Our privacy notice is displayed in reception at all our practices.
You will be asked to provide personal information when joining the practice. The purpose of processing your personal data is to provide you with optimum health care and prevention.
The categories and examples of data we process are:
- Personal data for the provision of your health care
- Personal data for the purposes of providing treatment, care, referrals appointments, reminders, and follow ups
- Personal data such as details of family members for the provision of health care to children or for emergency contact details
- Personal data for the purposes of employed and self-employed team members employment and engagement respectively
- Personal data for the purposes of direct mail/email/text/telephone to inform you of important announcements or about new treatments or services
- Personal data – IP addresses so that we can understand our patients better and inform our marketing approach as well as improve the web site experience
- Special category data including health records for the purposes of the delivery of health care and meeting our legal obligations
- Special category data including health records
- Special category data to meet the requirements of the Equality Act 2010
- Special category data details of criminal record checks for employees and contracted team members
We minimise the data that we keep, and do not keep it for longer than necessary.
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential. If we intend to refer a patient to another practitioner or to secondary care such as a hospital, we will gain the individual’s permission before the referral is made and the personal data is shared. Your data will be shared with the NHS in England, Scotland and Wales or the HSC in Northern Ireland if you are having NHS or HSC treatment.
- Personal data is stored in the EU whether in digital or hard copy format
- Personal data is stored in digital format when the data storage company is certified with the EU-US Privacy Shield
- Personal data is obtained when a patient joins the practice, when a patient is referred to the practice and when a patient subscribes to an email list.
For full details or where your data is stored, please ask to see Information Governance Procedures.
We have established the following lawful bases for processing your data:
Our lawful bases for processing personal data:
- The legitimate interests of East Durham Medical Group
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Consent of the data subject
- To comply with our legal obligations
Our lawful bases for processing special category data:
- Processing is necessary for health care purposes
- Processing necessary for identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with the view to enabling such equality to be promoted or maintained
- We obtain consent of the data subject to process criminal record checks
The reasons we process the data include:
- To maintain your contemporaneous clinical records
- To provide you with medical care, preventative treatments and healthcare advice
- To carry out financial transactions with you if required
- To manage your NHS care and treatment
- To send your personal data to the General Medical Council or other authority as required by law
- To communicate with you as and when required including appointment reminders, treatment follow ups, test results, and other communications about your treatment or the practice
- To communicate with your next of kin in an emergency
- If a parent or carer to communicate with you about the person you parent or care for
- To refer you to other health professionals as required
- To obtain criminal record disclosures for team members
- For debt recovery if necessary
- To continually improve the care and service you receive from us
The personal data we process includes:
Your name, address, gender, date of birth, NHS number, medical history, medical record family medical history, family contact details, marital status financial details for processing payment if this is necessary. We may process more sensitive special category data including ethnicity, race, religion, or sexual orientation so that we can meet our obligations under the Equality Act 2010, or for example to modify treatment to suit your religion and to meet NHS obligations.
The retention period for special data in patient records is a minimum of 10 years or longer if and may be longer for complex records or to meet our legal requirements. The retention period for staff records is 6 years. The retention periods for other personal data is 2 years after it was last processed. Details of retention periods are available in the Record Retention procedure.
We obtain your personal details when you enquire about our care and service, when you join the practice, when you subscribe to our newsletter or register online, when you complete a registration or medical history form and when another practitioner refers you for treatment at our practice. Occasionally patients are referred to us from other official sources such as NHS clinics or hospitals.
You have the following personal data rights:
- The right to be informed about the collection and use of your personal data
- The right of access – to have a free copy of your data we hold, you can apply to access your medical record online
- The right to rectification – to correct the data we have if it is inaccurate or incomplete
- The right to deletion of your personal data (clinical records must be retained for a certain time period)
- The right to restrict processing of your personal data
- The right to data portability – to have your data transferred to someone else
- The right to object to the processing of your personal data.
- Rights in relation to automated decision making and profiling
Further details of these rights can be seen in our Information Governance Procedures or at the Information Commissioner’s website. Here are some practical examples of your rights:
- If you are a patient of the practice you have the right to withdraw consent for important notifications, newsletters, surveys or marketing. You can inform us to correct errors in your personal details or withdraw consent from communication methods such as telephone, email or text. You have the right to obtain a free copy of your patient records within one month.
- If you are not a patient of the practice you have the right to withdraw consent for processing personal data, to have a free copy of it within one month, to correct errors in it or to ask us to delete it. You can also withdraw consent from communication methods such as telephone, email or text.
We have carried out a Privacy Impact Assessment and you can request a copy from the details below. The details of how we ensure security of personal data is in our Security Risk Assessment and Information Governance Procedures.
Comments, suggestions and complaints
Please contact the IG lead at the practice who is Dr Oliver Barnsley if you need to raise a complaint about how we process your data.
If you are unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO). Their telephone number is 0303 123 1113, you can also chat online with an advisor. The ICO can investigate your claim and take action against anyone who’s misused personal data. You can also visit their website for information on how to make a data protection complaint.
Related practice procedures
You can also use these contact details to request copies of the following practice policies or procedures:
- Data Protection and Information Security Policy
- Consent Policy
- Privacy Impact Assessment
- Information Governance Procedures
- Record Retention
If you have an enquiry or a request, please contact the Information Governance Lead:
Dr Oliver Barnsley
General Practice Extraction Service
NHS Digital has been collecting data from GPs through its trusted General Practice Extraction Service.
This system is now being replaced with their new General Practice Data for Planning and Research (GPDPR) service, a broader general-purpose collection which will enable faster access to pseudonymised patient data for planners and researchers.
The data collection will begin on 1st July.
More information about the service can be found on NHS Digital’s website.
We now include this additional privacy notice, alongside our main privacy notice, that explains what data is used and why.
Opting out
If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail here. Your individual care will not be affected if you opt-out using either option.
The type 1 opt-out form can be downloaded from our website and sent to us at – [email protected]
How data in your GP record is used and how you can control the use (opt-out)
As a practice, we fully respect your right as a patient to control your data. We outline our privacy policy in more detail on our website and explain how we share data with other providers, including the Great North Care Record and NHS Digital for secondary use.
You have the right to opt-out at any time from data being shared.
Your data is used in broadly two different ways:
To provide you with care. This is called “Primary Use“
To allow for planning and research to be done. This is called “Secondary Use“
Both uses will only be made where it is considered secure and appropriate to use patient data.
Opting-out of data sharing is an option for all patients, however it is not without potential downsides. For Primary Use data, if you opt-out and need care in a local hospital, for example, it may be much harder for the staff to access important medical information about you needed to provide safe and effective care. For Secondary Use, the downsides are more indirect. If everyone in the country were to opt-out, it would make it much harder to ensure funding is used in the NHS to develop services where they are needed. It would also be harder to develop new treatments.
It is possible to opt-out of specific parts of data sharing, while keeping some elements of data sharing in place. It is very common, for example, for people who have privacy concerns about Secondary Use, to be happy to continue sharing data for Primary Use/Direct Care.
To summarise visually what opt-outs are possible, we have produced the below diagram:
How to Opt-Out
- Type 1 Opt-out – to apply this opt-out, please send this form to the practice by emailing to – [email protected]
- National Data Opt-out – Visit the NHS website or use the NHS App
- & 4. Primary Use Opt-out – Contact the surgery reception to speak to the practice manager/deputy practice manager to discuss this and we will be able to apply the opt-out
GP Earnings
NHS England require that the net earnings of doctors engaged in the practice is publicised, and the required disclosure is shown below. However, it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice and should not be used to form any judgement about GP earnings, nor to make any comparison with any other practice.
All GP practices are required to declare the mean earnings (e.g., average pay) for GPs working to deliver NHS services to patients at each practice.
The average pay for GPs working in this practice in the last full financial year was £97,108 before Tax and National insurance. This is for 4 full time GPs, 9 part time GPs, 1 part time non-GP partner and 1 locum GP who worked in the practice for more than six months.
GP Net Earnings
Primary Care Network
East Durham Medical Group is one of the 4 practices of the Durham Coast Primary Care Network.
For future information regarding the PCN please visit their website – https://durhamcoastpcn.gpweb.org.uk/
Summary Care Record
There is a new Central NHS Computer System called the Summary Care Record (SCR). It is an electronic record which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had.
Why do I need a Summary Care Record?
Storing information in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed.
This information could make a difference to how a doctor decides to care for you, for example which medicines they choose to prescribe for you.
Who can see it?
Only healthcare staff involved in your care can see your Summary Care Record.
How do I know if I have one?
Over half of the population of England now have a Summary Care Record. You can find out whether Summary Care Records have come to your area by looking at our interactive map or by asking your GP
Do I have to have one?
No, it is not compulsory. If you choose to opt out of the scheme, then you will need to complete a form and bring it along to the surgery. You can use the form at the foot of this page.
More Information
For further information visit the NHS Care records website
Violence Policy
The NHS operate a zero tolerance policy with regard to violence and abuse and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons. Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety. In this situation we will notify the patient in writing of their removal from the list and record in the patient’s medical records the fact of the removal and the circumstances leading to it.
Zero Tolerance
The NHS operate a zero tolerance policy with regard to violence and abuse and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons. Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety. In this situation we will notify the patient in writing of their removal from the list and record in the patient’s medical records the fact of the removal and the circumstances leading to it.