This notice explains how Robin Lane Health and Wellbeing Centre will collect, look after, use or otherwise process your personal data. “Personal data” is information relating to you as a living, identifiable individual. Click here for an EASY READ Version of this notice!
Who we are and what we do
We are a progressive GP Practice in the centre of Pudsey. Our mission is to improve the health and wellbeing of the local population so that they live longer and healthier lives that are full, active and meaningful. To help us achieve this, we offer a wide range of health services for all ages. Additionally, Pudsey Wellbeing Charity, a foundation trust of the Practice, provides wellbeing activities for the whole community.
The name and contact details of our organisation.
Name: Robin Lane Health and Wellbeing Centre
Address: Robin Lane, Pudsey, LS28 7DE.
The contact details of our data protection officer
Our Data Protection Officer is Louise Whitworth and they can be contacted on: Leedsccg.firstname.lastname@example.org
What we do
As a GP practice we are responsible for your day to day medical care and the purpose of this notice is to inform you of the type of information that we hold about you, how that information is used for your care, our legal basis for using the information, who we share this information with and how we keep it secure and confidential.
It covers information we collect directly from you (that you have either provided to us, or from consultations with staff members), or we collect from other organisations who manage your care (such as hospitals or community services).
We are required by law to maintain records about your health and treatment, or the care you have received within any NHS service.
Our Commitment to Data Privacy and Confidentiality
As a Practice, we are committed to protecting your privacy and will only process data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality, professional codes of practice, the Human Rights Act 1998 and other appropriate legislation.
Everyone working for the Practice has a legal and contractual duty to keep information about you confidential. All our staff receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and their obligations to uphold confidentiality.
Staff are trained to ensure how to recognise and report any incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.
All identifiable information that we hold about you in an electronic format will be held securely and confidentially in secure hosted servers that pass stringent security standards.
Any companies or organisations we use we may use to process your data are also legally and contractually bound to operate under the same security and confidentiality requirements.
All identifiable information we hold about you within paper records is kept securely and confidentially in lockable cabinets with access restricted to appropriately authorised staff.
As an organisation we are required to provide annual evidence of our compliance with all applicable laws, regulations and standards through the Data Security and Protection toolkit.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
In addition to our Data Protection Officer, we also have a senior person within the practice who is responsible for protecting the confidentiality of our records and ensuring that any use of your data is fair and appropriate- this person is the Caldicott Guardian. The Caldicott Guardian for the practice is: Dr Neil Bastow
The practice is registered with the Information Commissioners Office as a Data Controller- our registration number is: ZA424505 and you can view our registration here https://ico.org.uk/ESDWebPages/Entry/ZA424505.
We will endeavour to maintain our duty of confidentiality to you at all times and will only share data about you if we genuinely believe that it would improve the care you provide for you.
Other than for the purposes of direct care or indirect care (such as healthcare planning), we will only share your information without your permission when we are required to do so under exceptional circumstances (such as a serious risk to yourself and others) or if it is required by law.
The categories of personal data we hold and the sources we obtain them from
- Details about you, such as your name, address, carers, biological gender, gender identity, ethnic origin, date of birth, legal representatives and emergency contact details are collected from you when you register with the practice via the GMS1 form and new patient questionnaire you fill in when your register.
- Information that you provide about your health when you consult with healthcare professionals at the practice, which will be recorded in your notes
- Any contact the surgery has with you, such as appointments, clinic visits, emergency appointments, etc. are recorded on our clinical system
- Notes and reports about your health- your historic notes are transferred to us from your old practice- this can happen electronically and your paper notes are transferred via an organisation called Primary Care Support England
- Results of investigations such as laboratory tests, x-rays, etc. which are sent to the practice electronically from hospitals
- Any consultations you may have had with “extended access” hubs, which the practice is part of.
- We are routinely informed of any A&E visits or outpatient appointments at local hospitals
- We are routinely advised of any contact with out of hours providers or NHS111
- We are hold details of any other relevant information from other health professionals, relatives or those who care for you. All information flows within the practice are routinely mapped as part of our GDPR compliance and compliance with the Data Security and Protection toolkit.
How we use your personal data (the purposes of processing).
As health professionals, we maintain records about you in order to support your care. By registering with the practice, your existing records will be transferred to us from your previous practice so that we can keep them up to date while you are our patient and if you do not have a previous medical record (a new-born child or coming from overseas, for example), we will create a medical record for you.
We take great care to ensure that your information is kept securely, that it is up to date, accurate and used appropriately. All of our staff are trained to understand their legal and professional obligations to protect your information and will only look at your information if they need to.
For provision of direct care:
In the practice, individual staff will only look at what they need in order to carry out such tasks as booking appointments, making referrals, giving health advice or provide you with care.
Primary Care Networks:
All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients.
PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care.
We are members of West Leeds PCN along with a number of other local practices. A full list is available here https://www.leedsgpconfederation.org.uk/localities/westleeds/.
This arrangement means that practices within the same PCN may share data with other practices within the PCN, for the purpose of patient care (such as extended hours appointments and other services), Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security.
For commissioning and healthcare planning purposes:
In some cases, for example when looking at population healthcare needs, some of your data may be shared (usually in such a way that you cannot be identified from it). The following organisations may use data in this way to inform policy or make decisions about general provision of healthcare, either locally or nationally.
· Leeds City Council: Public Health, Adult or Child Social Care Services
· Leeds Clinical Commissioning Group (or their approved data processors)
· NHS Digital (Formerly known as (HSCIC)
· The ResearchOne Database.
· Other data processors which you will be informed of as appropriate.
In order to comply with its legal obligations we may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.
This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.
For research purposes:
Research data is usually shared in a way that individual patients are non-identifiable. Occasionally where research requires identifiable information you may be asked for your explicit consent to participate in specific research projects. The surgery will always gain your consent before releasing any information for this purpose, unless the research has been granted a specific exemption from the Confidentiality Advisory Group of the Health Research Authority.
Where specific information is asked for, such as under the National Diabetes audit, you will be given the choice to opt of the audit.
For safeguarding purposes, life or death situations or other circumstances when we are required to share information:
We may also disclose your information to others in exceptional circumstances (i.e. life or death situations) or in accordance with Dame Fiona Caldicott’s information sharing review (Information to share or not to share).
For example, your information may be shared in the following circumstances:
· When we have a duty to others e.g. in child protection cases
· Where we are required by law to share certain information such as the birth of a new baby, infectious diseases that may put you or others at risk or where a Court has decided we must.
When you request to see your information or ask us to share it with someone else:
If you ask us to share your data, often with an insurance company, solicitor, employer or similar third party, we will only do so with your explicit consent. Usually the requesting organisation will ask you to confirm your consent, often in writing or electronically. We check that consent before releasing any data and you can choose to see the information before we send it.
The lawful basis for the processing.
We are required to tell you the legal basis that is used for the various ways we process and use your data. In order to process your personal data we must specify a lawful basis and if we process any personal data that is deemed to be “special category” data we must also specify a separate condition for processing special category data.
The following table sets the main ways your personal data may be used and the corresponding legal basis and category of data. Each purpose is covered in more detail within this notice to explain what these mean in more practical terms.
|Purpose of using personal data||Legal basis of processing||Special category of data|
|Provision of direct care and related administrative purposese.g., Consultations, referrals to hospitals or other care providers||GDPR Article 6(1)(e) – the performance of a task carried out in the public interest||GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.|
|For commissioning and healthcare planning purposese.g., collection of mental health data set via NHS Digital or local||GDPR Article 6(1)(c) – compliance with a legal obligation||GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.Special category 9(2)(i) – public interest in the area of public health|
|For planning and running the NHS (other mandatory flow)e.g., CQC powers to require information and records||GDPR Article 6(1)(c) – compliance with a legal obligation (the GP practice)Regulation 6(1)(e) – the performance of a task carried out in the public interest (CQC)||GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.Special category 9(2)(i) – public interest in the area of public health|
|For planning & running the NHS – national clinical audits||GDPR Article 6(1)(e) – the performance of a task carried out in the public interest||GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.Special category 9(2)(i) – public interest in the area of public health|
|For research|| GDPR Article 6(1)(f) – legitimate interests…except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject.GDPR Article 6(1)(e) – the performance of a task carried out in the public interest|
GDPR Article 6(1)(a) – explicit consent
|GDPR Article 9(2)(j) – scientific or historical research purposes or statistical purposes|
|For safeguarding or other legal duties||GDPR Article 6(1)(e) – the performance of a task carried out in the public interestRegulation 6(1)(c) – compliance with a legal obligation||GDPR Article 9(2)(b) – purposes of carrying out the obligations of ..social protection law.|
|When you request us to share your information e.g., subject access requests||GDPR Article 6(1)(a) – explicit consent||GDPR Article 9(1)(a) – explicit consent|
The recipients and categories of recipients of personal data
|Recipient of data|
|Leeds Care Record||Primary, secondary or emergency care|
|Summary Care Record (SCR)||Secondary or emergency care|
|Leeds Teaching Hospitals Trust||Secondary or emergency care|
|Other national providers of health care who you choose to be referred to, in consultation with your healthcare professional||Secondary or specialist care|
|Leeds & York Partnership Foundation Trust||Mental health & learning disability services|
|Mid-Yorkshire Hospitals Trust||Diabetic eye-screening services|
|Leeds Community Healthcare Trust||District Nursing and other community services|
|NHS National Diabetes Prevention Programme||Information and lifestyle education|
|Local Care Direct||Out of Hours primary care provider|
|Leeds City Council||Social Care services|
|Connect Well/PEP or other similar service|
|“One You”||Provider of heathy lifestyle services|
|Forward Leeds||Provider of drug & alcohol services|
|Federated GP services and Primary Care Networks||Providers of extended access appointments over the telephone and at local hubs and other services|
From time to time we may offer you referrals to other providers, specific to your own health needs- in these cases we will discuss the referral with you and advise you that we will be sharing your information (generally by referral) with those organisations.
Leeds and Yorkshire & Humber Care Records
The Leeds Care Record processes Personal Confidential Data (PCD) by registered and regulated health and social care professionals (the specific Data Protection Act Conditions for Processing being set out in Appendix D). Information should be shared between authorised health and social care professionals and their teams with whom the individual has a legitimate relationship where it is necessary for the purpose of their direct care.
Direct Care is defined as outline under Article 9 (2) H of GDPR, this is as follows:”
“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”
The Yorkshire & Humber Care Record is being rolled out across the Yorkshire, Humber Coast and Vale area with the aim of improving care for people who use NHS and social care services.
As part of the Yorkshire and Humber Care initiative additional health and social care organisations, who are involved in providing Direct Care will also have access to the Leeds Care Record for the benefit of the individual for which they are providing direct care and with whom the individual has a legitimate relationship.
To view a list of these participating organisations, visit: https://www.leedscarerecord.org/about/participating-organisations/
The details of transfers of the personal data to any third countries or international organisations.
As a GP surgery, the only occasions when this would occur would be if you specifically requested this to occur- the practice will never routinely send patient data outside of the UK where the laws do not protect your privacy to the same extent as the law in the UK.
Retention periods for your personal data.
As long as you are registered as a patient with the surgery, your paper records are held at the practice along with your GP electronic record. If you register with a new practice, they will initiate the process to transfer your records. The electronic record is transferred to the new practice across a secure NHS data-sharing network and all practices aim to process such transfers within a maximum of 8 working days. The paper records are then transferred which can take longer. Primary Care Services England also look after the records of any patient not currently registered with a practice and the records of anyone who has died.
Once your records have been forwarded to your new practice (or after your death forwarded to Primary Care Services England), a cached version of your electronic record is retained in the practice and classified as “inactive”. If anyone has a reason to access an inactive record, they are required to formally record that reason and this action is audited regularly to ensure that all access to inactive records is valid and appropriate. We may access this for clinical audit (measuring performance), serious incident reviews, or statutory report completion (e.g., for HM Coroner).
A summary of retention periods for medical records can be found on the BMA website.
The rights available to you in respect of data processing.
Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these will rights apply equally, as certain rights are not available depending on situation and the lawful basis used for the processing- for reference these rights may not apply are where the lawful basis we use (as shown in the above table in the section on “lawful bases”) is:
- Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – in these cases the rights of erasure and portability will not apply.
- Legal Obligation – in these cases the rights of erasure, portability, objection, automated decision making and profiling will not apply.
Right to be informed
You have the right to be informed of how your data is being used. The propose of this document is to advise you of this right and how your data is being used by the practice
The right of access
You have the right of access. You have the right to ask us for copies of your personal information- this right always applies. There are some exemptions, which means you may not always receive all the information we process.
The right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
The right to erasure
You have the right to ask us to erase your personal information in certain circumstances – This will not generally apply in the matter of health care data
The right to restrict processing
You have the right to ask us to restrict the processing of your information in certain circumstances – You have to right to limit the way in which your data is processed if you are not happy with the way the data has been managed.
The right to object
You have the right to object to processing if you disagree with the way in which part of your data is processed you can object to this- please bear in mind that this may affect the medical services we are able to offer you
Rights in relation to automated decision making and profiling.
Your rights in relation to automated processing – Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.
Typically, the ones used in the practice may include:
Qrisk– a cardiovascular risk assessment tool which uses data from your record such as your age, blood pressure, cholesterol levels etc to calculate the probability of you experiencing a cardiovascular event over the next ten years.
Qdiabetes– a diabetes risk assessment tool which uses your age, blood pressure, ethnicity data etc to calculate the probability of you developing diabetes.
CHADS – an assessment tool which calculates the risk of a stroke occurring for patients with atrial Fibrillation
This is not an exhaustive list- other tools may be used depending on your personal circumstances and health needs, however whenever we use these profiling tools, we assess the outcome on a case-by-case basis. No decisions about individual care are made solely on the outcomes of these tools, they are only used to help us us assess your possible future health and care needs with you and we will discuss these with you.
The right to data portability
Your right to data portability This only applies to information you have given us- you have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so will only apply in very limited circumstances
The right to withdraw consent
Because under the provisions of Data Protection Law most of the data processing activities carried out by the practice are not done under the “lawful basis” of consent you cannot withdraw consent as such, however if you are not happy with the way your data is being processed you do have the right to object and the right to ask us to restrict processing.
There is a new national opt-out that allows people to opt out of their confidential patient information being used for certain reasons other than their individual care and treatment. The system offers patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out can be found here.
In the past, you may have already chosen to prevent your identifiable data leaving NHS Digital, known as a Type 2 opt-out. All existing Type 2 opt-outs will be converted to the new national data opt-out and this will be confirmed by a letter to all individuals aged 13 or over with an existing Type 2 objection in place. Once the national data opt-out is launched, it will no longer be possible to change preferences via local GP practices.
The right to lodge a complaint with a supervisory authority.
If you are happy for your information to be used, and where necessary shared, for the purposes described in this notice then you do not need to do anything.
Should you have any concerns about how your information is managed at the practice, please contact us.
If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via:
· Their website: www.ico.org.uk
· Email: email@example.com
· Telephone: 0303 123 1113 (local rate) or 01625 545 745
· Or by mail: The Information Commissioner, Wycliffe House, Water lane, Wilmslow, Cheshire. SK9 5AF
General Practice Transparency Notice for GPES Data for Pandemic Planning and Research (COVID-19)
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the .
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see: