Privacy Notice

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way.  We review our procedures regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

1. WHY WE ARE PROVIDING THIS PRIVACY NOTICE

We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store, and hold about you. If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please do contact our Data Protection Officer (details below). 

The Law says:

  • We must let you know why we collect personal and healthcare information about you;
  • We must let you know how we use any personal and/or healthcare information we hold on you;
  • We need to inform you in respect of what we do with it;
  • We need to tell you about who we share it with or pass it on to and why; and

We need to let you know how long we can keep it for.

2. THE DATA PROTECTION OFFICER

The Data Protection Officer for Watership Down Health is Judith Jordan, Associate Director of Integrated Governance/Deputy SIRO/Deputy DPO for NHSe & DPO for AGEM CSU.

You can contact her by email at hiowicb-his.watershipdownhealth@nhs.net if:

  • You have any questions about how your information is being held;
  • If you require access to your information or if you wish to make a change to your information;
  • If you wish to make a complaint about anything to do with the personal and healthcare information, we hold about you;
  • If you wish to make a Subject Access Request;
  • Or any other query relating to this Policy and your rights as a patient.

3. ABOUT US

We, at Watership Down Health (‘the Surgery’), are a Data Controller of your information. This means we are responsible for collecting, storing, and handling your personal and healthcare information when you register with us as a patient.

There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

4. INFORMATION WE COLLECT FROM YOU

The information we collect from you will include:

  • Your contact details (such as your name, email address, home and mobile telephone numbers including place of work and work contact details);
  • Details and contact numbers of your next of kin;
  • Your age range, gender, ethnicity, language, disability status, information we need to allow us to provide information in a more accessible format to you;
  • Details in relation to your medical history;
  • The reason for your visit to the Surgery;
  • Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the Surgery involved in your direct healthcare.

5. INFORMATION ABOUT YOU FROM OTHERS

We also collect personal information about you when it is sent to us from the following:

  • A hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare.
  • Insurance company –in respect of requests for medical information, with your prior approval
  • Police service – in respect of a Firearms application you are making
  • Social Services
  • Solicitors – correspondence from them about you
  • Benefit Agency
  • Driving Vehicle Licensing Authority (DVLA)
  • Indeed, any organisation who you give permission to ask for your medical information

6. YOUR SUMMARY CARE RECORD

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.

This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on the Summary Care Record, then please contact the Surgery.

To find out more about the wider use of confidential personal information, such as research and planning future services, and to register your choice to opt out if you do not want your data to be used in this way, please visit www.nhs.uk/mydatachoice.

Note if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.

7. WHO WE MAY PROVIDE YOUR PERSONAL INFORMATION TO, AND WHY

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way were allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:

  • Hospital professionals (such as doctors, consultants, nurses, etc).
  • Other GPs/Doctors;
  • Pharmacists including Community Pharmacies;
  • Nurses and other healthcare professionals (e.g. District Nurses & Midwives);
  • Dentists;
  • Any other person that is involved in providing services related to your general healthcare, including mental health professionals.
    e.g. Care Navigators, Pharmacists, Social Prescribers.

8. OTHER PEOPLE WHO WE PROVIDE YOUR INFORMATION TO

  • Commissioners;
  • Clinical Commissioning Groups;
  • Local Authorities;
  • Community health services.
    e.g., Care and Health Information Exchange (CHIE) – formerly Hampshire Health Record

The CHIE is an electronic summary record for people living in Hampshire, Portsmouth, and Southampton. GP Surgeries, hospitals, social care, and community care teams collect information about you and store it electronically on separate computer systems. The Care and Health Information Exchange stores summary information from these organisations in one place so that – with your consent – professionals can view it to deliver better care to you. This record contains more information than the SCR, but is only available to organisations in Hampshire. For more information Visit http://chie.org.uk/

  • For the purposes of complying with the law e.g., Police, Solicitors, Insurance Companies.
  • Anyone you have given your consent to, to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed.
  • Enhanced Access – we provide Enhanced Access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Commissioning Board (ICB) and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside of our opening hours. This means, those key “hub” practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only

The key Hub practices are as follows:  North Hampshire Urgent Care

  • Data Extraction by the Commissioning Board (ICB) – the commissioning board at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the ICB from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.

There are good reasons why the ICB may require this pseudonymised information, these are as follows:

For example, to better plan the provision of services across a wider locality than practice level.

9. ANONYMISED INFORMATION

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

10. YOUR RIGHTS AS A PATIENT

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

Access and Subject Access Requests

You have the right to see what information we hold about you and to request a copy of this information.

If you would like a copy of the information, we hold about you please contact the Practice. We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex, or repetitive.  Please note that we use Medi2data for all Subject Access requests.

We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require.

Online Access

You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you detailed online access, including written consent and production of documents that prove your identity and current residential address (within the last three months).

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

From November 2022, all patients with Online Accounts were given what is known as Prospective Access.

Correction

We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number/landline or current address has changed.

Removal

You have the right to ask for your information to be removed however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible. This includes information that was added from a previous GP Practice.

Objection

We cannot share your information with anyone else for a purpose that is not directly related to your health e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by the Practice in this way. Please note the Anonymised Information section in this Privacy Notice.

Transfer

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.

11. THIRD PARTIES MENTIONED ON YOUR MEDICAL RECORD

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.

12. HOW WE USE THE INFORMATION ABOUT YOU

We use your personal and healthcare information in the following ways:

  • when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or on-going Healthcare.
  • when we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement.

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

13. LEGAL JUSTIFICATION FOR COLLECTING AND USING YOUR INFORMATION

The Law says we need a legal basis to handle your personal and healthcare information.

CONTRACT: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.

CONSENT: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs. Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.

NECESSARY CARE: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.

LAW: Sometimes the Law obliges us to provide your information to an organisation (see above).

14. SPECIAL CATEGORIES

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

  • PUBLIC INTEREST: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.
  • CONSENT: When you have given us consent.
  • VITAL INTEREST: If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g., if you have had an accident and you need emergency treatment).
  • DEFENDING A CLAIM: If we need your information to defend a legal claim against us by you, or by another party.
  • PROVIDING YOU WITH MEDICAL CARE: Where we need your information to provide you with medical and healthcare services.

15. HOW LONG WE KEEP YOUR PERSONAL INFORMATION

We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.

16. UNDER 16s

There is a separate privacy notice for patients under the age of 16.

17. IF ENGLISH IS NOT YOUR FIRST LANGUAGE

If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer.

18. COMPLAINTS

If you have a concern about the way, we handle your personal data or you have a complaint about what we are doing, or how we have used or handled your personal and/or healthcare information, then please contact our Data Protection Officer.

However, you have a right to raise any concern or complaint with the UK information regulator, at the Information Commissioner’s Office: https://ico.org.uk/.

19. OUR WEBSITE

The only website this Privacy Notice applies to is the Surgery’s website. Currently this is: www.watershipdownhealth.com

If you use a link to any other website from the Surgery’s website, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of any other websites.

We do not hold any responsibility for any other Web Site providers who take or amend details from our Web Site. We ask all patients registered with Watership Down Health to go to www.watershipdownhealth.com for information on our Practice.

20. COOKIES

The Surgery’s website uses cookies. For more information on which cookies, we use and how we use them, please see our Cookies Policy. This is in the ‘Practice Policies’ section at the bottom of our homepage.

21. SECURITY

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems, and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

22. TEXT MESSAGING, EMAIL, TELEPHONING AND CONTACTING YOU

Because we are obliged to protect any confidential information, we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up-to-date details. This is to ensure we are sure we are actually contacting you and not another person.

If you do not wish to be contacted by text or email, please notify the surgery.

23. WHERE TO FIND OUR PRIVACY NOTICE

You may find a copy of this Privacy Notice on our website, or a copy may be provided on request.

24. CHANGES TO OUR PRIVACY NOTICE

We regularly review and update our Privacy Notice.

This Privacy Notice was last updated on 14 February 2024. 

Appendix A

Who we share your information with and why?

Activity Rationale
Commissioning Board (ICB) Purpose – Anonymous information is shared to plan and design care services within the locality.

Legal Basis – non identifiable data only. 

Data Processor – HIOW

Individual Funding Requests – The CSU Purpose – We may need to share your information with the IFR team for the funding of treatment that is not normally covered in the standard contract.

Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this.

Data processor – We ask NHS South, Central and West Commissioning Support Unit (CSU) to do this on our behalf.

Summary Care Records

 

Purpose – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Legal Basis – Direct Care

Full details of the Summary Care Record supplementary privacy notice can be found here

Patients have the right to opt out of having their information shared with the SCR by completion of the form which can be downloaded here and returned to the practice. Please note that by opting out of having your information shared with the Summary Care Record could result in a delay care that may be required in an emergency.

Processor – NHS England and NHS Digital via GP connect

Test requests and results Purpose – Some basic identifying details, the type of test requested and if required any relevant health information is shared with Pathology Laboratories when tests such as blood or urine tests need to be undertaken.  The laboratory will also hold the details of the request and the result.  The result/report will be sent electronically to the practice who will hold it in the patient’s record.

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Controller of test data – The laboratory that process the request and result are a controller of the data generated by the test process.

CHIE Purpose – To provide Healthcare Professionals with complete, accurate and up to date information. This information comes from a variety of sources including GP practices, community providers, acute hospitals and social care providers.  CHIE is used by GP out of hours, acute hospital doctors, ambulance service, GPs and others on caring for patients – you may opt out of having your information shared on this system.

Legal Basis – This service is for your direct care and in an emergency.

Data Processor – NHS SCW.

CHIA Purpose – Is a database used for analysing trends in population health in order to identify better ways of treating patients.   CHIA is a physically separate database, which receives some data from CHIE.  Prior to this transfer from CHIE to CHIA patient identifiers are removed from the data.  This includes names, initials, addresses, dates of birth and postcodes.  NHS numbers are encrypted in the extract and cannot be read.  This process is called ‘pseudonymisation’.  This subset of data does not include information typed in by hand, so there is no possibility of it containing references to family members or other people.  It contains only coded entries for things like allergies and prescribed drugs.  It is not possible to identify any patient by looking at the ‘pseudonymised’ data on the CHIA database.  People who have access to CHIA do not have access to CHIE.  Data in CHIA is used to plan how health and care services will be delivered in future, based on what types of diseases are being recorded and how many are being referred to hospital etc.  Data is also used to help research into new treatments for diseases.

Legal basis – You can opt out of this service

Data processor – NHS SCW

 

 

General Practice Data for Planning and Research (GPDPR) Purpose: Patients personal confidential data will be extracted and shared with NHS Digital in order to support vital health and care planning and research. Further information can be found here

Patients may opt out of having their information shared for Planning or Research by applying a National Data Opt Out or a Type 1 Opt Out.  Details of how to Opt Out can be found on our Privacy Notice.  For the National Data Opt Out patients are required to register their preference below. https://www.nhs.uk/your-nhs-data-matters/

For Type 1 Opt Out they can complete the form and return it to their registered practice for action by the 1st September 2021. https://nhs-prod.global.ssl.fastly.net/binaries/content/assets/website-assets/data-and-information/data-collections/general-practice-data-for-planning-and-research/type-1-opt-out-form.docx

Legal Basis : The legal basis for this activity can be found at this link : General Practice Data for Planning and Research: NHS Digital Transparency Notice – NHS Digital

Processor: NHS Digital

Other GP practices Purpose –   We will enable other GPs and staff in other GP practices to have access to your medical record to allow you to receive acute medical care within that service.

Legal Basis – this service is for your direct care and is fully consented, permission to share your medical record will be gained prior to an appointment being made in the service and again once you are in the consultation.

Data processor – Your registered surgery will continue to be responsible for your full medical record.

Community Nursing –

Complex Care Team

Diabetes Team

Home Visiting Service

Leg Ulcer Service

Heart Failure Service

Multi-Disciplinary Team

District Nurses

Midwives

 

Purpose – We will enable the Community Nursing Team to have access to your medical record to allow you to receive care from the community nurses for the services listed.

Legal Basis – these services are for your direct care and is fully consented, permission to share your medical record will be gained prior to an appointment being made in the service

Data processor – Your registered surgery will continue to be responsible for your full medical record

Individual Funding Requests Purpose – We may need to process your personal information where we are required to apply for funding for a specific treatment for you for a particular condition that is not routinely available.

Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time.  If you are happy for the request to be made, the basis for processing your data is:  Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Your data will be disclosed to the Clinical Commissioning Group who manages the individual funding request process.

Child Health Information Service Purpose – We wish to make sure that your child has the opportunity to have immunisations and health checks when they are due. We share information about childhood immunisations, the 6-8 week new baby check and breast-feeding status with health visitors and school nurses.

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Controller to which data is disclosed: https://www.southernhealth.nhs.uk/

Medication/Prescribing Purpose: Prescriptions containing personal identifiable and health data will be shared with chemists/pharmacies, in order to provide patients with essential medication or treatment as their health needs dictate. This process is achieved either by face-to-face contact with the patient or electronically. Where patients have specified a nominated pharmacy, they may wish their repeat or acute prescriptions to be ordered and sent directly to the pharmacy making a more efficient process. Arrangements can also be made with the pharmacy to deliver medication

Legal Basis: Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) as stated below

Patients will be required to nominate a preferred pharmacy.

Processor – Pharmacy of choice

Pharmacists from the ICB Purpose – to provide monitoring and advice in line with the national directive for prescribing. Anonymous data is collected by the ICB.

Legal Basis – direct care.

Data Processor – HIOW ICB.

Medicines optimisation Purpose – We use software packages linked to our patient record system to aid when prescribing drugs. These ensure that prescribing is effective.  We do not share your identifiable data with the companies that provide these packages.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

MASH – Multi Agency Safeguarding Board – Safeguarding Children

Safeguarding Adults

Purpose – We share information with health and social care authorities for safeguarding issues.

Legal Basis – Because of public Interest issues, e.g., to protect the safety and welfare of Safeguarding we will rely on a statutory basis rather than consent to share information for this use.

Data Processor – Multi Agency Safeguarding Authorities.

Risk Stratification Purpose – Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected from GP practice record systems.

GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

Legal Basis – Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority

NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable hospital admissions and to promote quality improvement in GP practices.

Data Processors – NHS South, Central and West Commissioning Support Unit (CSU) to assist us with providing Risk Stratification tools.

Data Processing activities for Risk Stratification – The GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number.

Opting Out – If you do not wish information about you to be included in our risk stratification programme, please contact the GP Practice. They can add a code to your records that will stop your information from being used for this purpose.  Further information about risk stratification is available from:https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/

Population Health Management

 

Purpose – Health and care services work together as ‘Integrated Care Systems’ (ICS) and are sharing data in order to:

  • Understanding the health and care needs of the care system’s population, including health inequalities
  • Provide support to where it will have the most impact
  • Identify early actions to keep people well, not only focusing on people in direct contact with services, but looking to join up care across different partners.

Type of Data – Identifiable/Pseudonymised/Anonymised/Aggregate Data.  NB only organisations that provide your individual care will see your identifiable data.

Legal Basis – Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) Provision of health and care

Processor to which data is disclosed:  Cerner Ltd, Optum Ltd, NECS CSU

Population Health Management also incorporates the use of risk stratification tools as an integral part of the purpose.

Quality monitoring, concerns and serious incidents Purpose – We need to ensure that the health services you receive are safe, effective and of excellent quality. Sometimes concerns are raised about the care provided or an incident has happened that we need to investigate.  You may not have made a complaint to us directly but the health care professional looking after you may decide that we need to know in order to help make improvements.

Legal Basis – The health care professional raising the concern or reporting the incident should make every attempt to talk to you about this and gain your consent to share information about you with us. Sometimes they can do this without telling us who you are.  We have a statutory duty under the Health and Social Care Act 2012, Part 1, Section 26, in securing continuous improvement in the quality of services provided.

Data processor – We share your information with health care professionals that may include details of the care you have received and any concerns about that care. In order to investigate these concerns, we may need to talk to other organisations such as HIOW ICB as well as other Public bodies and Government agencies such as NHS Improvement, the Care Quality Commission, NHS England as well as the providers of your care.

Commissioning, planning, contract monitoring and evaluation Purpose – We share aggregated, anonymous, patient data about services we have provided.

Legal Basis – Our legal basis for collecting and processing information for this purpose is statutory.   We set our reporting requirements as part of our contracts with NHS service providers and do not ask them to give us identifiable data about you.

If patient level data was required for clarity and extensive evaluation of a service, consent will be gained for the surgery to share this information.

Data Processor – Various organisations, CCG, third party organisations commissioned by the NHS to perform actuarial services, NHS England

eConsultation services – anonymised aggregated numbers of contacts are shared for the online consultation tool.

Clinical Audit Purpose – Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long term conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.
National Registries National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Care Quality Commission CQC has powers under the Health and Social Care Act 2008 to access and use information where they consider it is necessary to carry out their functions as a regulator.

CQC relies on its legal powers to access information rather than consent, therefore may use its powers to access records even in cases where objections have been raised.

CQC Privacy Notice is available on the CQC website

Surveys and asking for your feedback Sometimes we may offer you the opportunity to take part in a survey that the practice is running. We will not generally ask you to give us any personal confidential information as part of any survey.

Legal Basis – you are under no obligation to take part and where you do, we consider your participation as consent to hold and use the responses you give us.

Data Processor – Survey Monkey, We love surveys

Research Purpose – To support research-oriented proposals and activities in our commissioning system

Legal Basis – Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research. If this is not possible then the organisation wishing to use your information will need to seek formal approval from The Independent Group Advising on the Release of Data (IGARD) Digital NHS UK – IGARD

We may write to you offering you the opportunity to take part in research, for which your consent will be sought.

Screening Purpose – To support disease monitoring and health prevention for specific patients

Legal Basis – Your consent is sought either implicitly or explicitly. You are invited to be screened either by the practice or the screening provider directly.  You can choose to consent or dissent at any point in the screening.

Hampshire County Council Purpose – To support disease monitoring and health prevention for specific patients

Legal Basis – Your consent is sought either implicitly or explicitly. You are invited to be screened either by the practice or the screening provider directly.  You can choose to consent or dissent at any point in the screening.

Other organisations who provide support services to us Purpose – The Practice may use the services of additional organisations (other than those listed above), who will provide additional expertise to support the Practice.

Legal Basis – We have entered contracts with other organisations to provide some services for us or on our behalf.

Confidential – Shred It provide confidential waste destruction services on site.

NHS England use City Sprint to transfer medical records. We use NoteSpace (Oasis) to provide Secure storage of medical records and digitalisation services.

Language Line Solutions for Translation and Interpreting

Continence and Stoma Service – for direct care in providing continence/stoma products and monitoring.

Andover MIND

The Red Cross

Circle Musculo-skeletal services

Hampshire Hospitals Foundation Trust and relevant hospitals patients attend

Mind Space Counselling

Smoke Free Hampshire/Solutions for Health

Southern Health Foundation Trust and relevant community services that patients attend

Surrey Hampshire Physiotherapy

iTalk Counselling service

Dementia Friendly

Springboard

Dietitian

Health Visitors

Midwives

Palliative Nurses

Clinical Waste

YPI Counselling

IT service providers:

AccuRx

APEX for Capacity and Demand Management

Arden’s QMaster

Arden’s Manager and Portal

Arden’s GEMs

DocMan (One Advanced)

Eclipse NHS Pathways (Prescribing Services)

Egton for our Automatic Patient Check In system

EMIS for our Clinical System

Healtheintent for Population Health

ImmForm

Insight Population Analytics

Lexacom for Transcription Services

Medi2data for SARs/Insurance Medicals and a range of other private information requests

National Services for Health Improvement (NHSI)

Primary Care Support England (PCSE)

Population Health Management Cerner

Silicon Practice for Website Hosting

Survey Monkey

UNITE for Asthma project

Patient Record data base support Purpose – The practice uses electronic patient records.  Our supplier of the electronic patient record system is:  EMIS WEB

Our supplier does not access identifiable records without permission of the practice and this is only given where it is necessary to investigate issues on a particular record

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.

Payments Purpose – Payments to the practice come in many different forms.  Some payments are based on the number of patients that receive specific services, such as diabetic reviews and immunisation programmes. In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services, this data contains limited identity if needed, such as your NHS number. The release of this data is required by English laws.

Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)(h) ‘as stated below

Controllers that data is disclosed to – NHS England, CCG, Public Health, PCSE

National Fraud Initiative – Cabinet Office Purpose – The use of data by the Cabinet Office for data matching is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information see:

https://www.gov.uk/government/publications/code-of-data-matching-practice-for-national-fraud-initiative

NFI activities vary each year, so data would only be disclosed if required by the focus of their activities

Legal Basis – Part 6 of the Local Audit and Accountability Act 2014

Controller – Cabinet Office

Police Purpose – The police may request information in relation to on-going enquiries, all requests are reviewed and only appropriate information will be shared under legislation.

Legal Basis

Article 6(1)e – task carried out in the public interest

Article 9(2)c – Vital Interests

Article 9(2)f – Legal claims or judicial acts

Article 9(2)g – Reasons of substantial public

Controller disclosed to – Police

 

Reviews of and Changes to our Privacy Notice

We will keep our Privacy Notice under regular review. This notice was last reviewed 14 Feb 2024.