Data Processing

Privacy Notice

What information do we collect about you?

We only collect the information (“data”) that we need to help us keep you healthy – such as your name, address, next of kin, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.

How do we use your information?

    • We share your medical records with other health professionals who are involved in providing you with care and treatment. This is only ever on a need-to-know basis and event by event.

    • Some of your data is automatically copied to the Shared Care Summary Record.

    • We share some of your data with local out-of-hours provider

    • Data about you is used to manage national screening campaigns such as flu, cervical cytology and diabetes prevention.

    • Your data about you is used to manage the NHS and make payments.

    • We share information when the law requires us to, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people

    • Your data is used to check the quality of care provided by the NHS.

    • We may also share medical records for medical research

Enhanced Access Privacy Notice

Streatham PCN is made up of a number of GP Practices and has been created for members practices to work collaboratively to deliver the requirements of the PCN Directed Enhanced Service Contract.

The following practices are part of Streatham PCN:

    • Palace Road Surgery

    • Streatham Hill Group Practice

    • Valley Road Surgery

    • The Exchange Surgery

    • Streatham Common Practice

    • The Vale Surgery

As part of the PCN DES service, we are required to provide Enhanced Access to patients registered with practices in the PCN. Enhanced Access is patient appointments outside core practice hours – that is between 6.30-8.00 pm on weekdays, and on Saturdays 9.00 am till 5.00pm. We have chosen to also offer some appointments between 7.00 am-8.00 am on weekdays. We have also chosen to subcontract some of the provision of these appointments to our local GP federation (Lambeth GP Federation), who have previously provided access hubs in the area.

The Enhanced Access service for our patients requires the following:

  • An interoperable Clinical IT solution and
  • Data Sharing between the PCN practices and the GP Federation

To enable us to provide our Enhanced Access Service to you, clinicians from other practices in our PCN and working for our local Federation will at times have access to your full GP record, but only when providing direct care to you.

People who have access to your information will only normally have access to information that they need to fulfil their roles. For example, admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments; the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst any GP you see or speak to will normally have access to everything in your record.

1. Controller Contact Details

The controller of your data when it is in your practice clinical record will be your registered GP practice. The Exchange Surgery, Lucie Lehane, Practice Manager/ IG Lead, [email protected], 2-6 Gracefield Gardens, SW16 2ST, London.

The controller of your data when it is in the GP Federation clinical record system is Lambeth GP Federation, 1 Alleyn Park, London, SE21 8AU.

2. Data Protection Officer Contact Details

Danielle Gibbons, GP Data Protection Officer, [email protected].

3. Purpose of the Processing

To provide our patients with direct care.

4. The Lawfulness Conditions and Special Categories

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.

5. Recipient or Categories of Recipients of the Shared Data

6. Rights to Object

You have the right under Article 21 of the GDPR to object to your personal information being processed. Please contact the Practice if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance.

GP Practices process personal data under Article 6(1)(c) on a lawful and legitimate basis where the organisation is obliged under law to comply with:

  • The General Data Protection Regulations (GDPR)
  • The Freedom of Information Act
  • The NHS Constitution
  • The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009

By complying with these laws, the Practice has compelling legitimate grounds for the processing which override the interests, rights and freedoms in the right to object.

7. Right to Access and Correct

Under GDPR and the Data Protection Act 2018, you have the right to see or be given a copy of any personal data we hold about you. To gain access to a copy of your information, you will need to make a Subject Access Request (SAR) to the Practice you are normally registered with.

You also have the right to have incorrect data held about you corrected.

8. Retention Period

The data will be retained for the period as specified in the national NHS records retention schedule.

9. Right to Complain

You have the right to complain to the Information Commissioner’s Office or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).

The NHS App

We use the NHS Account Messaging Service provided by NHS England to send you messages relating to your health and care. You need to be an NHS App user to receive these messages. Further information about the service can be found at the privacy notice for the NHS App managed by NHS England.

Data Provision Notices

NHS Digital has powers, under sections 259(1)(a) and 259(1)(b) of the 2012 Health and Social Care Act 2012, which requires health and social care bodies in England to provide NHS England with certain datasets.

The DPN makes it clear whether an organisation is legally required to supply the data or is being requested to do so only.

In either case, when data is provided in response to a requirement or a request made under section 259, the data can be supplied without breaching the common law duty of confidentiality.

For more information about Dara Provision Notices, please see https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/data-provision-notices-dpns

COVID-19 Public Health Directions 2020

NHS England established the OpenSAFELY service Trusted Research Environment (TRE). It supports the use of data for COVID-19 purposes only including research, clinical audit, service evaluation and health surveillance.

NHS England has been directed by the Government to establish and operate the OpenSAFELY service. This service provides a Trusted Research Environment that supports COVID-19 research and analysis.

Each GP practice remains the controller of its own patient data but is required to let researchers run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym, through OpenSAFELY.

Only researchers approved by NHS England are allowed to run these queries and they will not be able to access information that directly or indirectly identifies individuals.

GP Connect Privacy Notice

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes.

GP Connect is not used for any purpose other than direct care.

Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect.

The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.

Legal basis for sharing this data

In order for your Personal Data to be shared or processed, an appropriate “legal basis” needs to be in place and recorded. The legal bases for direct care via GP Connect is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

  • for the processing of personal data: Article 6.1 (e) of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
  • for the processing of “Special Category Data” (which includes your medical information): Article 9.2 (h) of the UK GDPR: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.

Your rights

Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.

London Care Record – One London

What is the London Care Record?

The London Care Record is a secure view of your health and care information.

It lets health and care professionals involved in your care see important details about your health when and where they need them.

It can show doctors, nurses and other care professionals any conditions you have, your test results, medicines you take, anything you’re allergic to and plans for your care.

Having a single, secure view of your information helps speed up communication between care professionals across London, and beyond

This helps to improve the safety of care and can save lives.

OneLondon is working to ensure as many health and care staff as possible can access the London Care Record and that it provides them with the information they need.

The SEL ICS Privacy Notice for the London Care Record has now been published on the ICS website: The London Care Record – South East London ICS (selondonics.org)

Find out more about the London Care Record see www.onelondon.online.

South East London ICS Privacy Policy

The Exchange Surgery is commissioned by South East London ICS. ICS collects, processes and protects the personal data of its service users.

For more information on the onelondon data sharing framework visit https://www.selondonics.org/who-we-are/our-work/digital-and-data/data-services/

How we use your Health and Care Data

How we use your data

Summary Care Record Supplementary Transparency Notice

During the height of the pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it, to support direct patients care, leading to improvements in both care and outcomes.

These changes to the SCR will remain in place, unless you decide otherwise.

Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.

You can exercise these choices by doing the following:

  • Choose to have a Summary Care Record with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.
  • Choose to have a Summary Care Record with Core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.
  • Choose to opt-out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.

To make these changes, you should inform your GP practice or complete this form and return it to your GP practice.

Legal basis for sharing this data

In order for your Personal Data to be shared or processed, an appropriate ‘legal basis’ needs to be in place and recorded. The legal bases for direct care via SCR is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

  • for the processing of personal data: Article 6.1 (e) of the UK GDPR: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
  • for the processing of ‘Special Category Data’ (which includes your medical information): Article 9.2 (h) of the UK GDPR: ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.

Your rights

Because the legal bases used for your care via SCR are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.

Find out more about SCR.

Don’t want to share?

All our patients can choose not to share their information. Should you wish to opt out of data collection, please contact a member of staff, alternatively,

Patients can set their opt-out preferences at www.nhs.uk/your-nhs-data-matters You will need their NHS number and a valid email address or telephone number which is on the GP record or on the Personal Demographics Service database to register their decision to opt out. Patients who are unable to use the online facility can use a phone helpline to manage their choice 0300 303 5678. A paper print-and-post form is also available at www.nhs.uk – Other ways to make a choice about sharing data.

Alternatively, please contact a member of staff for support.

Have a question?

If you have any questions, ask a member of the surgery team. You can:

Contact the practice’s data controller via email at [email protected]. GP practices are data controllers for the data they hold about their patients

Ask to speak to the practice manager Lucie Lehane who is also Data Protection Champion for The Exchange Surgery.

Data Protection Officer (DPO) contact for The Exchange Surgery: [email protected]

GP DPO Service Lead: Danielle Gibbons

If you’re not happy about how we manage your information

We really want to make sure you’re happy, but we understand that sometimes things can go wrong. If you are unhappy with any part of our data-processing methods, you can complain. For more information, visit ico.org.uk and select ‘Raising a concern’.

We always make sure the information we give you is up-to-date. Any updates will be published on our website, in our newsletter and leaflets, and on our posters. This policy will be reviewed in May 2019.