The details of transfers of the personal data to any third countries or international organisations.
As a GP surgery, the only occasions when this would occur would be if you specifically requested this to occur- the practice will never routinely send patient data outside of the UK where the laws do not protect your privacy to the same extent as the law in the UK.
Retention periods for your personal data.
As long as you are registered as a patient with the surgery, your paper records are held at the practice along with your GP electronic record. If you register with a new practice, they will initiate the process to transfer your records. The electronic record is transferred to the new practice across a secure NHS data-sharing network and all practices aim to process such transfers within a maximum of 8 working days. The paper records are then transferred which can take longer. Primary Care Services England also look after the records of any patient not currently registered with a practice and the records of anyone who has died.
Once your records have been forwarded to your new practice (or after your death forwarded to Primary Care Services England), a cached version of your electronic record is retained in the practice and classified as “inactive”. If anyone has a reason to access an inactive record, they are required to formally record that reason and this action is audited regularly to ensure that all access to inactive records is valid and appropriate. We may access this for clinical audit (measuring performance), serious incident reviews, or statutory report completion (e.g., for HM Coroner).
A summary of retention periods for medical records can be found on the BMA website.
The rights available to you in respect of data processing.
Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these rights apply equally, as certain rights are not available depending on the situation and the lawful basis used for the processing- for reference, these rights may not apply are where the lawful basis we use (as shown in the above table in the section on “lawful bases”) is:
- Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – in these cases, the rights of erasure and portability will not apply.
- Legal Obligation – in these cases the rights of erasure, portability, objection, automated decision making and profiling will not apply.
Right to be Informed
You have the right to be informed of how your data is being used. The propose of this document is to advise you of this right and how your data is being used by the practice.
The Right of Access
You have the right of access.You have the right to ask us for copies of your personal information- this right always applies. There are some exemptions, which means you may not always receive all the information we process.
The Right to Rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
The Right to Erasure
You have the right to ask us to erase your personal information in certain circumstances- This will not generally apply in the matter of health care data.
The Right to Restrict Processing
You have the right to ask us to restrict the processing of your information in certain circumstances– You have to right to limit the way in which your data is processed if you are not happy with the way the data has been managed.
The Right to Object
You have the right to object to processing if you disagree with the way in which part of your data is processed you can object to this- please bear in mind that this may affect the medical services we are able to offer you.
Rights in Relation to Automated Decision Making and Profiling.
Your rights in relation to automated processing– Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.
Typically, the ones used in the practice may include:
Qrisk– a cardiovascular risk assessment tool that uses data from your record such as your age, blood pressure, cholesterol levels etc to calculate the probability of you experiencing a cardiovascular event over the next ten years.
Qdiabetes– a diabetes risk assessment tool that uses your age, blood pressure, ethnicity data etc to calculate the probability of you developing diabetes.
CHADS – an assessment tool that calculates the risk of a stroke occurring for patients with atrial Fibrillation
This is not an exhaustive list- other tools may be used depending on your personal circumstances and health needs, however whenever we use these profiling tools, we assess the outcome on a case-by-case basis. No decisions about individual care are made solely on the outcomes of these tools, they are only used to help us assess your possible future health and care needs with you and we will discuss these with you.
The Right to Data Portability
Your right to data portability This only applies to information you have given us- you have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so will only apply in very limited circumstances.
The Right to Withdraw Consent
Because under the provisions of Data Protection Law most of the data processing activities carried out by the practice are not done under the “lawful basis” of consent you cannot withdraw consent as such, however, if you are not happy with the way your data is being processed you do have the right to object and the right to ask us to restrict processing.
There is a new national opt-out that allows people to opt-out of their confidential patient information being used for reasons other than their individual care and treatment. The system offers patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt-out can be found online.
In the past, you may have already chosen to prevent your identifiable data from leaving NHS Digital, known as a Type 2 opt-out. All existing Type 2 opt-outs will be converted to the new national data opt-out and this will be confirmed by a letter to all individuals aged 13 or over with an existing Type 2 objection in place. Once the national data opt-out is launched, it will no longer be possible to change preferences via local GP practices.
The Right to Lodge a Complaint With a Supervisory Authority.
If you are happy for your information to be used, and where necessary shared, for the purposes described in this notice then you do not need to do anything.
Should you have any concerns about how your information is managed at the practice, please contact us.
If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via:
- Their website: ico.org.uk.
- Email: firstname.lastname@example.org.
- Telephone: 0303 123 1113 (local rate) or 01625 545 745.
- Or by mail: The Information Commissioner.
Wycliffe House, Water lane
Wilmslow, Cheshire, SK9 5AF