
GDPR Practice Privacy Notice

PRACTICE PRIVACY NOTICE FOR PATIENTS

 

Buxton Medical Practice (the Practice)

 

Data Protection Privacy Notice for Patients

 

Introduction:

 

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you.

This privacy notice applies to personal information processed by or on behalf of the practice.

This Notice explains:

  • Who we are, how we use your information and information about our Data Protection Officer
  • What kinds of personal information about you we process
  • The legal grounds for our processing of your personal information (including when we share it with others)
  • What you should do if your personal information changes
  • For how long your personal information is retained by us
  • Your rights under data protection laws

 

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive information; the DPA 2018 deals with elements of UK law that differ from the European Regulation. These came into force in the UK on 25th May 2018, repealing the previous Data Protection Act (1998).

 

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), and the Data Protection Act 2018), the practice responsible for your personal data is [Practice Name].

This Notice describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

How we use your information and the law.

Buxton Medical Practice will be what’s known as the ‘Controller’ of the personal data you provide to us.

We collect basic personal data about you, which includes special types of information and location-based information. This includes name, address, medical conditions and contact details such as email and mobile number.

We will collect sensitive confidential data known as “special category personal data”, in the form of health information, religious belief (if required in a healthcare setting), ethnicity, and sex during the services we provide to you and/or linked to your healthcare through other health providers or third parties.


 

Why do we need your information?

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare. 

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which the Practice holds about you may include the following information:

  • Details about you, such as your address, carer, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you
  • Contact details (including email address, mobile telephone number and home telephone number)

To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the NHS and the services we provide. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

How do we lawfully use your data?

We need to know your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:

Article 6, (e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”

Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

This Privacy Notice applies to the personal data of our patients and the data you have given us about your carers/family members.


 

Risk Stratification 

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from several sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Medicines Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.

Patient Communication

The Practice would like to use your name, contact details and email address to inform you of NHS services, or provide information about your health/information to manage your healthcare or information about the management of the NHS service. There may be occasions where authorised research facilities would like you to take part in research in regard to your particular health issues, to try to improve your health. Your contact details may be used to invite you to receive further information about such research opportunities.

Safeguarding

The Practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all, at the heart of what we do. 

Our legal basis for processing for General Data Protection Regulation (GDPR) purposes is: -

            Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is: -

Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

 

Research

Clinical Practice Research Datalink (CPRD) collects de-identified patient data from a network of GP practices across the UK. Primary care data are linked to a range of other health related data to provide a longitudinal, representative UK population health dataset. You can opt out of your information being used for research purposes at any time (see below). Full details can be found here: -

https://cprd.com/transparency-information

 

The legal bases for processing this information

CPRD do not hold or process personal data on patients; however, NHS Digital (formerly the Health and Social Care Centre) may process ‘personal data’ for us as an accredited ‘safe haven’ or ‘trusted third-party’ within the NHS when linking GP data with data from other sources. The legal bases for processing this data are:

  • Medicines and medical device monitoring: Article 6(e) and Article 9(2)(i) - public interest in the area of public health
  • Medical research and statistics: Article 6(e) and Article 9(2)(j) - public interest and scientific research purposes

Any data CPRD hold or pass on to bona fide researchers, except for clinical research studies, will have been anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice. We will hold data indefinitely for the benefit of future research, but studies will normally only hold the data we release to them for twelve months.

Categories of personal data

The data collected by Practice staff in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographic and contact details, we will also process details of what the safeguarding concern is. This is likely to be special category information (such as health information).

Sources of the data

The Practice will either receive or collect information when someone contacts the organisation with safeguarding concerns, or we believe there may be safeguarding concerns and make enquiries to relevant providers.

Recipients of personal data

The information is used by the Practice when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e. their GP or mental health team).

Third party processors

In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

Further details regarding specific third-party processors can be supplied on request.

 

How do we maintain the confidentiality of your records? 

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

 

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. 

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

 

All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary.  If a sub-contractor acts as a data processor for [Practice Name] an appropriate contract (art 24-28) will be established for the processing of your information.

 

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can opt out of the surgery sharing any of your information for research purposes.

 

 

With your consent we would also like to use your information

There are times that we may want to use your information to contact you or offer you services, not directly about your healthcare; in these instances we will always gain your consent to contact you. We would however like to use your name, contact details and email address to inform you of other services that may benefit you; we will only do this with your consent. There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends; you will be asked to opt in to such programmes.

At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place.
This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the practice DPO as below.

 

National Opt-Out Facility

You can choose whether your confidential patient information is used for research and planning.

 

Who can use your confidential patient information for research and planning?

It is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

Making your data opt-out choice

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Will choosing this opt-out affect your care and treatment?

No, your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What should you do next?

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.

You can change your choice at any time. To find out more or to make your choice visit nhs.uk/your-nhs-data-matters or call 0300 303 5678

 

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place (such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

EMIS Web

The Practice uses a clinical system provided by a Data Processor called EMIS. With effect from 10th June 2019, EMIS will start storing your practice’s EMIS Web data in a highly secure, third party cloud hosted environment, namely Amazon Web Services (“AWS”).

 

The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.

 

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs
  • Primary Care Network
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Multi Agency Safeguarding Hub (MASH)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of

 

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

Computer System

This practice operates a Clinical Computer System on which NHS Staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication.

To provide around the clock safe care, unless you have asked us not to, we will make information available to trusted organisations.  Wherever possible, their staff will ask your consent before your information is viewed.

 We consider patient consent as being the key factor in dealing with your health information.

Shared Care Records

To support your care and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other systems.  The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your record.  

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.  All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for [Practice Name] an appropriate contract (art 24-28) will be established for the processing of your information.

 

Sharing your information without consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • where there is a serious risk of harm or abuse to you or other people;
  • where a serious crime, such as assault, is being investigated or where it could be prevented;
  • notification of new births;
  • where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS);
  • where a formal court order has been issued;
  • where there is a legal requirement, for example if you had committed a Road Traffic Offence.

 

How long will we store your information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements.

More information on records retention can be found online at (https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016)

How can you access, amend or move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.

Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.

Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to "erase" your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes.

Primary Care Network

The objective of primary care networks is to group practices together to create more collaborative workforces which ease the pressure on GPs, leaving them better able to focus on patient care. The aim is that by July 2019, all areas within England will be covered by a PCN.

Primary care networks form a key building block of the NHS long-term plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons, including improving the ability of practices to recruit and retain staff; to manage financial and estates pressures; to provide a wider range of services to patients and to more easily integrate with the wider health and care system. 

All GP practices are expected to come together in geographical networks covering populations of approximately 30–50,000 patients by June 2019 if they are to take advantage of additional funding attached to the GP contract. This size is consistent with the size of the primary care homes, which exist in many places in the country, but much smaller than most GP Federations. 

 

This means the practice may share your information with other practices within the PCN to provide you with your care and treatment.

 

Access to your personal information 

Data Subject Access Requests (DSAR): You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

  • Your request should be made to the Practice – for information from the hospital you should write direct to them
  • There is no charge to have a copy of the information held about you
  • We are required to respond to you within one month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located information we hold about you at any time.

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the Practice Manager as soon as any of your details change; this is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

Objections / Complaints

Should you have any concerns about how your information is managed at the GP, please contact the GP Practice Manager or the Data Protection Officer as above. If you are still unhappy following a review by the GP practice, you have a right to lodge a complaint with a supervisory authority: You have a right to complain to the UK supervisory Authority as below.

 

Information Commissioner:

Wycliffe House

Water Lane

Wilmslow

Cheshire 

SK9 5AF

 

Tel:       01625 545745

https://ico.org.uk/

 

If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything.  If you have any concerns about how your data is shared, then please contact the Practice Data Protection Officer.  

If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer as below.

Data Protection Officer:

 

The Practice Data Protection Officer is Paul Couldrey of PCIG Consulting Limited. Any queries regarding Data Protection issues should be addressed to him at: -

 

Email:   Couldrey@me.com

Postal: PCIG Consulting Limited

                        7 Westacre Drive

                        Quarry Bank

                        Dudley

                        West Midlands

                        DY5 2EE

 

Changes:

It is important to point out that we may amend this Privacy Notice from time to time.  If you are dissatisfied with any aspect of our Privacy Notice, please contact the Practice Data Protection Officer.

 

 

Risk Stratification

 

Risk stratification is a process for identifying and managing patients who are at high risk of requiring emergency or urgent care. Typically this is because patients have a long term condition such as COPD, cancer or other medical condition at risk of sudden worsening. NHS England (the national Commissioning Board) encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to provide care plans and planned care with the aim to prevent avoidable admissions or other emergency care.

 

Information about you is collected from a number of sources including NHS Trusts and from this GP practice. A risk score is then arrived at through an analysis of your de-identified information using software provided by EMIS as the data processor and is provided back in an identifiable form to your GP or member of your care team as data controller.

 

Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services.

 

Please note that you have the right to opt out of Risk Stratification.

 

Should you have any concerns about how your information is managed, or wish to opt out of any data collection at the practice, please contact the practice, or your healthcare professional to discuss how the disclosure of your personal information can be limited.

 

Patients have the right to change their minds and reverse a previous decision. Please contact the practice, if you change your mind regarding any previous choice.

 

Invoice Validation

 

If you have received treatment within the NHS your personal information may be shared within a strictly monitored, secure and confidential environment in order to determine which Clinical Commissioning Group should pay for the treatment or procedure you have received.

 

Information such as your name, address and date of treatment may be passed on to enable the billing process - these details are held in a secure environment and kept confidential. This information will only be used to validate invoices, and will not be shared for any further commissioning purposes.

 

How do we maintain the confidentiality of your records?

 

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

 

All of our staff, contractors and committee members receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis.

 

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

 

Who are our partner organisations?

 

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

 

  • NHS Trusts
  • Specialist Trusts
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police
  • Other ‘data processors’

 

Access to personal information

 

You have a right under the Data Protection Act 1998 to access/view information the practice holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:

 

  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be disclosed to
  • let you have a copy of the information in an intelligible form

 

If you would like to make a ‘subject access request’, please contact the practice manager in writing. There may be a charge for this service. Any changes to this notice will be published on our website and on the practice notice board.

 

The practice is registered as a data controller under the Data Protection Act 1998. The registration number is Z6271828 and can be viewed online in the public register at http://www.ico.gov.uk/

 

Change of Details

 

It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.

 

Notification

 

The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. This information is publicly available on the Information Commissioner’s Office website www.ico.org.uk. The practice is registered with the Information Commissioner’s Office (ICO).

 

Who is the Data Controller?

 

The Data Controller, responsible for keeping your information secure and confidential, is David Doig, Practice Manager. Any changes to this notice will be published on our website and displayed in prominent notices in the surgery.

 

The Partnership is registered as a data controller under the Data Protection Act 1998, registration number Z6271828. Our registration can be viewed on-line in the public register at www.ico.gov.uk

Data Protection Impact Assessment (DPIA)

When to carry out a DPIA

 

The DPIA identifies and assesses privacy implications where information (data) about individuals is collected, stored, transferred, shared, and managed.  It should be process rather than output orientated.

 

The purpose is to have the potential to detect and mitigate information risks, as well as to modify plans accordingly.

 

A PIA should be completed when the following activities occur:

  • Developing or procuring any new programme, policy, procedure, service, technology or system ("project") that handles or collects information relating to individuals.
  • Developing revisions to an existing programme, policy, procedure, service, technology or system which significantly change how information is managed.

The General Data Protection Regulation (GDPR), which became law on 24th May 2016, is a single EU-wide regulation on the protection of confidential and sensitive information. It enters into force on the 25th May 2018, repealing the Data Protection Act (1998).

 

The Regulation in Article 35 (recitals 84, 89, 90, 91, 92, 93, 95) makes it obligatory to perform a Data Protection impact assessment in the case of large scale processing of special categories of data (as in this case health data and genetic data, see Article 9(1)). This could help to ascertain the legal basis for processing, which will be helpful for public authorities now that the open door of ‘legitimate interests’ is closed. It is also important to note that “a single assessment may address a set of similar processing operations that present similar high risks”. This could significantly help in reducing the administrative burden for hospitals and health and care providers when performing such an assessment.

 

A data protection impact assessment shall in particular be required in the case of:

 

(a)  a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

 

(b)  processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

 

(c)  a systematic monitoring of a publicly accessible area on a large scale.

 

This DPIA has been designed to meet the requirements of current legislation and common law duties and the expanded requirements of the GDPR as above. However, Consent modelling / Fair Processing modification should be addressed by separate Trust GDPR action plans and strategies, as several of the policies currently in use will need to be updated to reflect legislative changes.

 

 

 

 

 

 

 

Step 1 – EMIS WEB

Project name/title

Transfer of EMIS web to AWS Infrastructure

Description and purpose of the initiative – Include how many individuals will be affected by the initiative. 

 

A data processor acting on our behalf, EMIS Health, is changing certain technical aspects of the way in which it delivers services to us (see https://www.emisnug.org.uk/blog/next-generation-emis-x-announced), and as part of this transition it will be moving the data which it hosts on our behalf from its own data centre to a third party data centre, which is owned and operated by Amazon Web Services (AWS). Delivery of the services is subject to the terms of the GP Systems of Choice Framework (GPSOC) which is managed by NHS Digital on behalf of the Secretary of State for Health. The exercise will involve a change to the manner in which data is being processed on our behalf. Although this change does not introduce processing that is likely to result in a high risk to individuals (which would necessitate the undertaking of a DPIA), given that the data includes special category data we nevertheless feel that it is appropriate that we undertake a review.



Details of any link to any wider initiative

(if applicable)

N/A

Stakeholder Analysis

List those who may be affected (stakeholders have been consulted prior to project start), e.g.
Service Users, Clients, Staff-managers and practitioners, Trade Unions, Visitors, Professional organisations, IT providers, Regulators and inspectorial bodies, MPs, Councillors, Partner organisations, Media, Carers

 

Internal: Partners

 

External: EMIS/Patients

 

Does the initiative involve the use of existing personal and/or confidential data:

  • For new purposes?
  • In different ways?

If so, please explain

(if not already covered above)

As detailed above, the data (which includes special category data (i.e. health data) which is collected via the processor’s clinical IT system and which forms the patient’s medical record) will be stored in a third party data centre (which will act on the instructions of EMIS Health, who in turn will act in accordance with instructions received from (or on behalf of) ourselves as the relevant controller pursuant to our call off contract under the GPSOC framework or as otherwise documented). Aside from the manner in which the data is being hosted, we have not identified, as part of this change, any material change to the manner in which the data is being processed (in terms of data sharing and/or use)

Are potential new purposes likely to be identified as the scope of the initiative expands?

No

What is already available?

Any Previous PIA, Research or Consultation undertaken.

 

 


 

 

Step 2 – Contacts

Who is completing this assessment?

Name

 

Paul Couldrey

Job Title

 

Data Protection Officer

Department/Directorate name

 

Contact address

 

Couldrey@me.com

Email address

 

Couldrey@me.com

Telephone number

 

07525 623939

Connection to Project

 

DPO for Practice

 

 

 

 

Step 3 – Screening Questions

The purpose of these questions is to establish whether a full Privacy Impact Assessment is necessary and to help to draw out privacy considerations.

Each question is answered Yes, No or Unsure. Comments - document initial comments on privacy impacts or clarification for why this is not an issue or why you are unsure.

i. Is the information about individuals likely to raise privacy concerns or expectations e.g. health records, criminal records or other information people would consider particularly private?
Answer: No

ii. Will the initiative involve the collection of new information about individuals?
Answer: No

iii. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
Answer: No

iv. Will the initiative require you to contact individuals in ways which they may find intrusive[1]?
Answer: No

v. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
Answer: No

vi. Does the initiative involve you using new technology which might be perceived as being privacy intrusive e.g. biometrics or facial recognition?
Answer: Yes
Comments: The scope of the data processing is as detailed in the relevant GP Systems of Choice contract (and related call off contract (and deed of undertaking)) or as otherwise agreed in writing between EMIS Health and ourselves. As noted above, aside from the hosting element the manner in which the data is being used or otherwise processed will not materially change as a result of this change.

vii. Will the initiative result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
Answer: No

viii. Will the initiative compel individuals to provide information about themselves?
Answer: No

If you answered No to all of the above screening questions, and you can evidence/justify your answers in the comments box above, you do not need to continue with the PIA.

 

Should the project at any point in the future use personal information you will need to revisit the screening questions and the PIA.

 

If you answered Yes or Unsure to any of the above, please continue with the PIA.


 

Step 4 – Data Collection

Please mark all information to be collected

Description

Specific data item (s)

Justification

Reason that the data item(s) is/are needed

Personal Details

 

 

Family, lifestyle and social circumstances

Marital/partnership status    

Next of kin    

Carers/relatives    

Children/dependents   

Social status e.g.    

Housing 

 

The lawful basis for processing (a mixture of consent, explicit consent, fulfilling public duties and providing direct healthcare) the patient records does not change as a result of this proposed change; the only difference is a technical one in terms of how the service is being delivered by the relevant processor (i.e. EMIS Health). We have in place a privacy notice which refers to the use of third party processors/service providers, which would include EMIS Health. We are informed that the data will not be transferred overseas in connection with this change of service.

Strictly private & confidential

The processing which is undertaken by EMIS Health on our behalf is governed by the terms of the GP Systems of Choice Framework Agreement (together with the relevant Call Off Contract) which includes broad data protection obligations and we are able to directly enforce those obligations against the processor pursuant to a deed of undertaking which has been signed by EMIS Health and which each individual practice can rely upon.

Education and training details

Education/

Qualifications 

Professional training 

Not applicable 

 

The lawful basis for processing (a mixture of consent, explicit consent, fulfilling public duties and providing direct healthcare) the patient records does not change as a result of this proposed change; the only difference is a technical one in terms of how the service is being delivered by the relevant processor (i.e. EMIS Health). We have in place a privacy notice which refers to the use of third party processors/service providers, which would include EMIS Health. We are informed that the data will not be transferred overseas in connection with this change of service.

The processing which is undertaken by EMIS Health on our behalf is governed by the terms of the GP Systems of Choice Framework Agreement (together with the relevant Call Off Contract) which includes broad data protection obligations and we are able to directly enforce those obligations against the processor pursuant to a deed of undertaking which has been signed by EMIS Health and which each individual practice can rely upon.

Employment details

Employment status  X

Career details  X

Other 

specify:

 

Not applicable

 

As above

Financial details

Income 

Salary 

Bank details 

National Insurance number 

Benefits  X

Other 

specify:

 

Not applicable

As Above

Sensitive Data:

Racial or ethnic origin

X

As above

Sensitive Data:

Physical or mental health or condition

 

NB.

Includes treatment if applicable.

 

Include Mental Health status eg. whether detained or voluntary under the Mental Health Act if applicable.

X

As above

Sensitive Data:

Sexual identity and life

X

As above

Sensitive Data:

Religious or other beliefs of a similar nature

x

As above

Sensitive Data:

Trade union membership

Not applicable

As above

Sensitive Data:

Offences including alleged offences

X

 

 

 

As above

Sensitive Data:

Criminal proceedings, outcomes and sentences

X

 

 

 

 

As above

 

 

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or another way of describing data flows. What types of processing identified as likely high risk are involved?

 

As detailed above, the data (which includes special category data (i.e. health data) which is collected via the processor’s clinical IT system and which forms the patient’s medical record) will be stored in a third party data centre (which will act on the instructions of EMIS Health, who in turn will act in accordance with instructions received from (or on behalf of) ourselves as the relevant controller pursuant to our call off contract under the GPSOC framework or as otherwise documented). Aside from the manner in which the data is being hosted, we have not identified, as part of this change, any material change to the manner in which the data is being processed (in terms of data sharing and/or use).

 

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

 

The scope of the data processing is as detailed in the relevant GP Systems of Choice contract (and related call off contract (and deed of undertaking)) or as otherwise agreed in writing between EMIS Health and ourselves.  As noted above, aside from the hosting element the manner in which the data is being used or otherwise processed will not materially change as a result of this change.

 

Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

 

This DPIA distinguishes between: (i) the day to day processing undertaken (by us as a controller and EMIS Health as a processor acting on our behalf (and which will not change and so is not covered in detail)); and (ii) the change to the manner in which the data is being hosted by or on behalf of the processor (and which is the focus of this DPIA). We are aware that cloud computing is an established technology, the adoption of which is being driven within the public sector (https://www.gov.uk/guidance/use-cloud-first). The use of cloud computing has been recognised by the Government as being beneficial because:

 

  • you can avoid upfront investments in your infrastructure, reducing overall costs;
  • there’s greater flexibility to trial new services or make changes, with minimal cost;
  • pricing models are scalable - instead of building for the maximum usage you buy for less usage and increase or decrease as appropriate;
  • it will be easier to meet the Greening Government Commitments - cloud facilities typically try to use server space and power in the most efficient way possible;
  • upgrades and security patches can be applied continuously; and
  • the supplier will have responsibility for making sure the service has good availability for users.

 

In terms of issues of public concern, we understand that individuals may have an issue with their medical record being held by a commercial organisation, but the fact is that the relevant patient records are already being held by third party commercial organisations (either EMIS or one of the other primary system suppliers under GPSoC (or by sub-processors acting on their behalf)) and the only real change here is the identity of the third party (i.e. the data is moving from a processor to a sub-processor). With regard to questions of security, we are aware that the National Cyber Security Centre has issued guidance on cloud security (https://www.ncsc.gov.uk/collection/cloud-security), and we understand that the relevant service provider in this instance (AWS) operates at the very highest levels of security (details of which are set out at https://aws.amazon.com/security/).

 

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing for you, and more broadly?

 

As noted under the question above, the move to a third party cloud environment is seen as beneficial for a number of reasons for us as a controller (in terms of improved availability, resilience and service in respect of the services being delivered to us by the processor) and in respect of the patients (in terms of security, integrity and availability of their data).

 

Consultation process 

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

 

The GPSoC services are provided pursuant to a framework agreement as between NHS Digital and EMIS Health (with services then being purchased at a CCG level on our behalf as a service recipient). Under the terms of the GPSoC framework, NHS Digital essentially acts for and on our behalf in terms of approving the appointment of processors to the framework and, once they are appointed, the use of any subcontractors (and so sub-processors). We understand that EMIS Health has engaged with NHS Digital in order to secure a variation to the framework agreement to provide for the appointment of AWS as an approved material sub-contractor. EMIS Health has notified the relevant GP practices, including ourselves, so that we have an opportunity to raise any concerns with regard to the proposed change but as this change is a universal technical/operational change it is more appropriate for such matters to take place at a framework level (which is why the GPSOC Framework Agreement is structured as it is). In any event, the Guidance issued by the ICO would suggest that this is a move which the processor is entitled to drive on its own behalf provided that it remains within the scope of the relevant contract (i.e. in its Controller/Processor detailed guidance the ICO states “In certain circumstances, and where allowed for in the contract, a processor may have the freedom to use its technical knowledge to decide how to carry out certain activities on the controller’s behalf.”).

 

 

Assess necessity and proportionality 

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfer?

 

The lawful basis for processing (a mixture of consent, explicit consent, fulfilling public duties and providing direct healthcare) the patient records does not change as a result of this proposed change; the only difference is a technical one in terms of how the service is being delivered by the relevant processor (i.e. EMIS Health). We have in place a privacy notice which refers to the use of third party processors/service providers, which would include EMIS Health. We are informed that the data will not be transferred overseas in connection with this change of service. The processing which is undertaken by EMIS Health on our behalf is governed by the terms of the GP Systems of Choice Framework Agreement (together with the relevant Call Off Contract) which includes broad data protection obligations and we are able to directly enforce those obligations against the processor pursuant to a deed of undertaking which has been signed by EMIS Health and which each individual practice can rely upon.

 

Identify and assess risks 

 

Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Source of risk: Loss of data in the transfer of data to the sub-processor
Likelihood of harm (Remote, possible or probable): [Remote]
Severity of harm (Minimal, significant or severe): [Severe]
Overall risk (Low, medium or high): [Medium]

Source of risk: Misuse of data by the sub-processor
Likelihood of harm (Remote, possible or probable): [Remote]
Severity of harm (Minimal, significant or severe): [Severe]
Overall risk (Low, medium or high): [Medium]

 

 


 

Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step above

 

 

Risk: Loss of data in the transfer of data to the sub-processor
Options to reduce or eliminate risk: We are informed that the data will be transferred in a very secure manner and in any event EMIS Health will retain a copy of the data in its current hosting centre unless or until there is evidence that all of the relevant data has been transferred.
Effect on risk: [Reduced]
Residual Risk: [Low]
Measure approved: DPO 03 June 2019

Risk: Misuse of data by the sub-processor
Options to reduce or eliminate risk: We are informed that the way in which the AWS service operates means that there is no opportunity for AWS employees to access or view the data held within the EMIS Health allocated areas of the hosting service. The data will be encrypted both at rest and in transit and AWS will not have access to the encryption keys (see https://aws.amazon.com/security/ for further details). AWS already provides numerous services to Governmental organisations (such as Crown Commercial Services and the Ministry of Justice (see https://aws.amazon.com/solutions/casestudies/uk-moj/)) who will have undertaken their own detailed assessments.
Effect on risk: [Reduced]
Residual Risk: [Low]
Measure approved: DPO 03 June 2019

 


 

References

Data Protection Act 1998;

General Data Protection Regulations 2016

The Caldicott Principles;

Common Law Duty of Confidentiality;

The Freedom of Information Act 2000;

The Mental Capacity Act 2005;

Section 251 of the NHS Act 2006 (originally enacted under Section 60 of the Health and Social Care Act 2001);

Public Health (Control of Disease) Act 1984;

Public Health (Infectious Diseases) Regulations 1988;

The Gender Recognition Act 2004;

Confidentiality: NHS Code of Practice 2003;

IGA Records Management Code of Practice for Health and Social Care 2016;

Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013;

Abortion Regulations 1991;

Road Traffic Act 1988;

ICO Data Sharing Code of Practice;

Confidentiality and Disclosure of Information Directions 2013;

Health and Social Care Act 2012;

The Criminal Justice Act 2003;

The NHS Information Security Management Code of Practice 2007;

The Computer Misuse Act 1990;

The Electronic Communications Act 2000;

The Regulation of Investigatory Powers Act 2000;

The Prevention of Terrorism Act 2005;

The Copyright, Designs and Patents Act 1988;

The Re-Use of Public Sector Information Regulations 2005;

The Human Rights Act 1998;

The NHS Care Record Guarantee 2007; and

Anonymisation Standard for Publishing Health and Social Care Data Code of Confidentiality.

[1] Intrusion can come in the form of collection of excessive personal information, disclosure of personal information without consent and misuse of such information. It can include the collection of information through the surveillance or monitoring of how people act in public or private spaces and through the monitoring of communications whether by post, phone or online and extends to monitoring the records of senders and recipients as well as the content of messages

Further information

 

Further information about the way in which the NHS uses personal information and your rights in that respect can be found in:

 

 

An independent review of how information about patients is shared across the health and care system, led by Dame Fiona Caldicott, was conducted in 2012. The report, Information: To share or not to share? The Information Governance Review, can be found at: https://www.gov.uk/government/publications/the-information-governance-review

 

NHS England – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides further information about the data flowing within the NHS to support commissioning.

 

Please visit the NHS Digital website for further information about their work. Information about their responsibility for collecting data from across the health and social care system can be found.

 

The Information Commissioner’s Office is the Regulator for the Data Protection Act 1998 and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information. For further information please visit www.ico.gov.uk

 


