This privacy notice explains why we collect information about our patients. It explains the ways in which the practice gathers, uses, discloses and manages a patient’s data. It also fulfils a legal requirement to protect a patient’s privacy.
Why do we collect information about you?
Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation.
These records help to provide you with the best possible healthcare.
We collect and hold data for the sole purpose of providing healthcare services to our patients.
In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or in digital form. The records will include basic details about you, such as your name and address.
They may also contain more sensitive information about your health and also information such as outcomes of needs assessments.
We need this to ensure compliance with the General Data Protection Regulation (GDPR). Kiyani Medical Practice must ensure that information is provided to patients about how their personal data is processed in a manner which is:
- Concise, transparent, intelligible, and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- Free of charge
The GDPR replaces the Data Protection Directive 95/46/EC and is designed to bring together data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy.
The GDPR came into effect on 25th May 2018.
How do we communicate our privacy notice?
The Kiyani Medical Practice Privacy Notice is displayed on our website, on signage in the reception area and waiting area, in writing in our leaflet, and as part of our new patient registration.
- Inform patients how their data will be used and for what purpose
- Allow patients to opt out of sharing data, should they so wish
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and other relevant information to enable us to deliver effective medical care.
Processors of personal data
In order to deliver the best possible service, the practice contracts Processors to process personal data, including patient data on our behalf.
When we use a Processor to process personal data we will always have an appropriate legal agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by a Processor include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services and document management services.
- Delivery services (for example if we were to arrange for delivery of any medicines to you).
- Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
Maintaining confidentiality and safety
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the GDPR, the NHS Code of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO).
Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law. All our staff are trained to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.
Your records are kept at the practice while you remain a patient. Should you change practices, your physical records will be returned to NHS England. Your computer records will be locked from that point.
How do we use your information?
Information may be used for clinical audits to monitor the quality of the service provided. Some of this information may be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified, e.g. the National Diabetes Audit.
Occasionally your information may be requested to be used for research purposes. The surgery will always gain your consent before releasing any information for this purpose.
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Risk Stratification is a process for identifying and managing patients who are deemed to be at high risk of requiring urgent care.
Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness.
Supporting Medicines Management
CCGs support local GP practices with prescribing queries which generally don’t require identifiable information. CCG pharmacists work with the practice to provide advice on medicines and prescribing queries and review prescribing of medicines to ensure that it is safe and cost-effective.
To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared, in some limited circumstances, where it’s legally required for the safety of the individuals concerned.
Summary Care Record (SCR)
NHS England uses a national electronic record, the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable. Full records will only be shared if you have given your express consent to do so.
Your information may be shared if you have received treatment, to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
For more information please visit: www.nhs.uk/your-nhs-data-matters
You have a right to object to your information being shared. Should you wish to opt out of all data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of your information. NHS Digital will enable an online national data opt out from the 25th May 2018. Information can be found at digital.nhs.uk/services/national-data-opt-out-programme
Please confirm if you wish to opt in and agree to share your data under the guidelines already explained.
National Data Opt Out - Further Information June 2021 (PDF, 440KB)
Accessing your records
You have a right to access the information we hold about you.
- The request must be made in writing by the individual.
- Requests for children aged 11 and under should be made by their parent or legal guardian. Children aged 12 to 15 will need to counter sign the request. Proof of relationship will be required.
- Patients who are deemed to lack mental capacity under the Mental Capacity Act 2005 may have records requested on their behalf by the person who holds their power of attorney. Proof will be required.
- Photo identification must be provided before any information is released. Documents must be collected from the practice.
- The practice has a legal duty to comply with the request within 30 days.
- Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
The practice reserves the right to refuse or charge for requests that are manifestly unfounded, excessive or repetitive.
What to do if you have any questions
If you are unsure about patient data and want to know more, please visit: understandingpatientdata.org.uk/what-you-need-know
- Contact the practice’s data controller via email (provided above) at the practice. GP practices are data controllers for the data they hold about their patients.
- Ask to speak to the practice manager
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO.
For further details, visit ico.org.uk and select ‘Raising a concern’.
For details as to how we use your data to manage your care in line with the GDPR and the Data Protection Act of 2018, please visit eastlondonhcp.nhs.uk/our-work/fair-processing-and-gdpr