If you require a chaperone, wherever possible we would ask you to make this request at the time of booking your appointment so that arrangements can be made.

Where this is not possible we will endeavour to provide a formal chaperone at the time of request; however occasionally it may be necessary to reschedule your appointment.

If you would like to see a copy of our Chaperone Policy or have any questions please contact either the reception team or the practice manager.

Prevail Study – Do you have breathing problems? 

If you do not wish anonymous information about you to be used in such a way, please let us know.

Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.

CQC are an independent regulator of health and adult social care in England.

They make sure health and social care services provide people with safe, effective, compassionate, high-quality care and we encourage care services to improve.

View our CQC report

Information about the General Practioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.

Net GP Earnings 2022-2023

Tier One – Overview of information held and shared

This Privacy Notice explains and describes how this GP Practice uses and manages the information it holds about its patients and service users. This includes how the information may be shared with other NHS organisations and with non-NHS organisations, and how the confidentiality of information is maintained.

Our contact details

• Practice Name: The Blackmore Vale Partnership
• Address: Old Market Hill, Sturminster Newton, Dorset DT10 1QU
• Phone number: 01258 474500
• Data Protection: Officers Sara Froud and Sarah Barford-Pike
• Data Protection: Registration Number Registration number ZA134218

What type of personal information do we hold about our patients?

We currently collect and process the following information about our patients:

• identity details – name, gender, sexual orientation, date of birth, NHS Number;
• contact details – address, telephone, email address;
• ‘Next of Kin’ details – the contact details of a close relative or friend;
• details of any carer you may have, or anyone you care for;
• details of any appointments with the GPs and nursing staff;
• ·reports from secondary care of any A&E visits, inpatient stays or clinic appointments;
• results of any scans, X-rays and pathology tests requested;
• details of any diagnosis and treatments given;
• details of any longstanding health concerns and conditions;
• details about your health, treatment and care and other relevant information from health professionals, care providers or relatives who care for you;
• information about any allergies;
• information about any DNAR decisions and any living wills that we know of;
• correspondence from other Health and Social Care providers that provide you with services.

We work with a number of Health and Social care organisations and independent treatment centres in order to provide you with the best possible care and options for treatment. Your information may therefore be shared securely to provide continuity of care.

Sharing patient information

We know that good communication with other healthcare professionals involved in your care is beneficial to you, and so we work closely with many organisations in order to provide you with the best possible care. This means that if another healthcare professional or service is involved in your care, it might be appropriate to share information with them in order for you to receive the required care.

Your information will be shared between those involved in providing health care services and treatments to you. This includes doctors, nurses and allied health professionals, but may also include administrative staff who deal with booking appointments or typing clinic letters.

Access to information is strictly controlled and restricted to those who need it in order to do their jobs. All of our staff receive annual mandatory training on confidentiality and data security and also have strict contractual clauses within their employment contracts which oblige them to respect data protection and confidentiality.

Who we share with

The Practice shares and receives patient information from a range of organisations or individuals for a variety of lawful purposes, including:

• disclosure to hospitals and other NHS staff for the purposes of providing direct care and treatment to the patient, including screening programmes, and administration;
• disclosure to social workers or to other non-NHS staff involved in providing health and social care;
• disclosure to specialist employees or organisations for the purposes of clinical auditing;
• disclosure to those with parental responsibility for patients, including guardians;
• disclosure to carers without parental responsibility;
• disclosure to medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
• disclosure to NHS managers and the Department of Health for the purpose of planning, commissioning, managing and auditing healthcare services;
• disclosure to bodies with statutory investigative powers e.g. the Care Quality Commission, the GMC, the Audit Commission and Health Services Ombudsman;
• disclosure to national registries e.g. the UK Association of Cancer Registries;
• commissioning support units;
• NHS Digital;
• NHS 111;
• MJog for the purposes of providing appointment reminders, service updates and communications by text messaging;
• AccuRx for the purposes of e-consultation, video calling (using a data processor, Whereby) or text messaging you to provide or request health information related to your direct care and treatment;
• Attend Anywhere for providing a secure video call service for video consultations for the purposes of providing direct care and treatment;
• approved health app providers to allow you to enter your own health data into the apps for clinical observation and monitoring;
• education services;
• fire and rescue services – emergency;
• ambulance trusts;
• voluntary sector providers;
• independent contractors such as dentists, opticians, pharmacists;
• disclosure to solicitors, insurance companies, the police, the Courts (including a Coroners Court) and to tribunals and enquiries.

Confidential patient identifiable information is only shared with other organisations where there is a legal basis to do so, such as:

• when there is a Court Order or a statutory duty to share patient data;
• where there is a statutory power to share patient data;
• when the patient has given his/her explicit consent to the sharing;
• when the patient has implicitly consented for the purpose of direct care;
• when the sharing of patient data without consent has been authorised by the Health Research Authority’s Confidentiality Advisory Group (HRA CAG) under s.251 of the NHS Act 2006.

Patient identifiable information is only shared on a need to know basis, where there is a direct purpose to do so, limited to what is necessary for that purpose. Patient information may be shared, for the purposes of providing direct patient care, with other NHS provider organisations such as NHS Acute Trusts (hospitals), NHS Community Health, other NHS General Practitioners (GPs), NHS Ambulance services in order to maintain patient safety; this data will always be identifiable. For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations such as NHS Dorset, and NHS England. In such cases, the shared data is made anonymous or pseudonymised, wherever possible, by removing all patient identifiable details, unless the law requires the patient’s identity to be included.

For the benefit of the patient, the Practice may also share information with non-NHS organisations which are also providing health, care and emergency/front line services. These non-NHS organisations may include, but are not restricted to, social services, education services, local authorities, the police, voluntary sector providers, and private sector providers.

Patients are not legally or contractually obliged to share information with their healthcare provider however, your care will be affected if your clinicians do not have the relevant information necessary in order to diagnose and treat you. If you have set sharing and opt-out preferences these will be respected where there is no lawful obligation to share the information.

Tier Two – Purposes of processing, retention and your rights

Purposes of processing

Our Practice processes patient data for the following primary purposes:

providing direct healthcare;

• providing other healthcare providers with information regarding your healthcare;
• supporting social care with safeguarding vulnerable patients.

We keep records in order to:

• have accurate and up to date information available to the right care and treatment options;
• have information available to clinicians that you may see or be referred to at another NHS organisation or organisation providing NHS services.

Summary Care Record (SCR)

There is a national NHS healthcare records database provided and facilitated by NHS England, which holds your Summary Care Record (SCR). Your SCR is an electronic record which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had. Storing information in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP Practice is closed. This information could make a difference to how a doctor decides to care for you, for example which medicines they choose to prescribe for you.

Only healthcare staff involved in your care will access your Summary Care Record. When you are registered with a GP Practice in England your Summary Care Record is created automatically. It is not compulsory to have a Summary Care Record. If you choose to opt-out, you need to inform the Practice. For further information about SCR, visit the NHS Digital website.

Enhanced Summary Care Record (eSCR)

With your consent, additional information can be added to your Summary Care Record in order to provide more tailored care to you. Other information that you can choose to include could be:

• information about your long term health conditions – such as asthma, diabetes, heart problems or rare medical conditions;
• information about your relevant medical history – clinical procedures that you have had, why you need a particular medicine, the care you are currently receiving and clinical advice to support your future care;
• information about your health care preferences – you may have your own care preferences which will make caring for you more in line with your needs, such as special dietary requirements;
• information about your personal preferences – you may have personal preferences, such as religious beliefs or legal decisions that you would like to be known;
• information about your immunisations – details of previous vaccinations, such as tetanus and routine childhood jabs;
• specific sensitive information – such as any fertility treatments, sexually transmitted infections, pregnancy terminations or gender reassignment will not be included, unless you specifically ask for any of these items to be included.

Additional information is only included in your SCR when you request it, for further information about including additional information on your SCR, visit the NHS Digital website.

GP Connect

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care.

Authorised Clinicians such as GPs, NHS111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect.

The NHS 111 service (and other services determined locally e.g. other GP Practices in a Primary Care Network) will be able to book appointments for patients at GP Practices and other local services. For additional information about the GP Connect facility, visit the NHS Digital website.

GP clinical system – electronic patient records

Our Practice uses an electronic patient record to securely process and share information between NHS staff. This means that the healthcare professional who is caring for you can see your medical history, including any allergies and current medications, to provide you with safe care.

Our Practice uses SystmOne as our Electronic Patient Record. You can find out more about SystmOne on the TPP Website, or further details on sharing in SystmOne can be found here.

Enhanced data sharing model (EDSM) in SystmOne

We are able to share clinical information about your health and care requirements held on your SystmOne electronic patient record with other health organisations including other GP practices, child health services, community health services, hospitals, out of hours, continuing healthcare team at NHS Dorset and other similar organisations. This means that the healthcare professional looking after you has the most relevant information to enable them to provide you with the most appropriate care. We automatically set up the sharing facility in our electronic patient record system to allow your information to be shared out to other health organisations for the purpose of direct patient care.

Local trusted organisations that we work with on a regular basis are able to access your record immediately once they have asked your permission. If you say “no” they will not be able to see any information. An audit log is maintained, showing who accessed your record and when it was accessed. You are entitled to request a copy of this log.

If you see a healthcare professional outside your local geographic area (who also uses SystmOne), and you agree that they can have access to your medical records, you will be asked to provide additional security details in the form of a verification code which is sent to you either as a text, email or via your SystmOnline account. It is therefore important that we always have your up-to-date contact details.

If you do not wish us to share your information in this way, please let us know at Reception and we will ensure that your information is not shared.

Primary care networks

Primary Care Networks (PCNs) are groups of GP Practices working closely together with their local partners (e.g. other primary and community care staff, mental health, social care, pharmacy, hospital and voluntary services) for the benefit of patients and the local community.

Working as part of a network rather than a stand-alone business means that the GP Practices in our PCN can share expertise and resources which means that we can offer a wide range of services to suit the needs of our local community to give you the best possible care. You may be seen by clinicians from anywhere in our PCN, at any of our Practices. In order that they can give you the best possible care, they will have access to your health data. Only healthcare staff involved in your care will have access to your record.

Social Prescribing

Social prescribing enables GPs, nurses and other primary care professionals to refer patients to a range of local, non-clinical community services to help patients to improve their health, wellbeing and social welfare. This can include advice and information on local services and connecting individuals to social activities, clubs, groups, and like-minded individuals in the community. For example, signposting people who have been diagnosed with dementia to local dementia support groups. The Practice will do this by employing someone to act as a ‘link’ between the Practice, the patient and the non-clinical services within the community. Current providers in our area include:

• Livewell Dorset
• Home Start West Dorset
• Help and Care

We will refer you to one of these providers and will send basic information such as name, NHS number, address, date of birth and background to your health and wellbeing needs. The providers are bound by confidentiality in the same way that Practice staff are, and there is a Data Sharing Agreement in place to ensure that personal data is used in a lawful and appropriate way. More information about social prescribing can be found on the NHS England website.

Dorset care record (DCR)

Health and social care organisations in Dorset may hold different sets of records about you, and not every organisation uses SystmOne. The Dorset Care Record is a confidential computer record that joins up all these different records to create one complete and up to-date record. This provides direct access for authorised health and social care professionals to obtain as full a picture as possible of your history, needs, support and service contacts.

If you do not wish your information to be shared in this way, you will need to opt-out of the Dorset Care Record. You can do this by contacting the Privacy Officer on the DCR website. The Dorset Care Record have their own Privacy Notice, available on the website.

Dorset Integrated Care Board (ICB)

Dorset’s integrated care board, named ‘NHS Dorset’, undertakes the statutory responsibilities of the previous Clinical Commissioning Group (CCG) and is responsible for healthcare planning to meet the needs of people and communities in Dorset. NHS Dorset will work more closely with other NHS organisations and local authorities in Dorset’s integrated care system, known locally as ‘Our Dorset’ to improve services to meet the needs of local people and deliver better outcomes. The partnership includes:

• Foundation Trusts: Dorset County Hospital NHS Foundation Trust, University Hospitals Dorset NHS Foundation Trust, Dorset Healthcare University NHS Foundation Trust and South Western Ambulance Service NHS Foundation Trust;
• Bournemouth, Christchurch and Poole Council, and Dorset Council;
• Public Health Dorset;
• People and communities within Dorset.

NHS Dorset have a ‘Dorset Intelligence and Insight’ (DiiS) Business Intelligence platform which uses pseudonymised data to reveal important insights into local and community health care, in order to inform the future of health care for communities. Information is pseudonymised so that when a new service is introduced to help with a particular long term condition in a particular community, the Practice can ask for any of their own patients to be re-identified from the data in order to invite you to use the new service.

Diabetic eye screening

The Dorset Diabetic Eye Screening Programme is provided by NEC Care, commissioned by NHS England South (Wessex) as part of the National Diabetic Eye Screening Programme. The programme supports your invitation for eye screening and ongoing care by the screening programme. Your information may be shared with any Hospital Eye Services you are under the care of to support further treatment, and with other healthcare professionals involved in your care. We also share information with Health Intelligence in order to provide diabetic retinopathy screening for our diabetic patients.

You can find out more about the Diabetic Eye Screening on their website.

Diabetes prevention programme

The Healthier You: NHS Diabetes Prevention Programme is provided in Dorset by ‘Live Well Taking Control (LWTC)’, commissioned by NHS England, as part of the National Diabetes Prevention Programme. This programme identifies those at high risk of Type 2 diabetes and refers them onto a behaviour change programme run by ‘Live Well Taking Control’.

You can find out more about the Diabetes Prevention Programme on their website.

ACR project for patients with diabetes (and/or other conditions)

The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with Healthy.io to enable them to contact you and send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. Healthy.io will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from Healthy.io we will continue to manage your care within the Practice. Healthy.io are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care.

Further information about this is available on their website

Individual funding request

An ‘Individual Funding Request’ is a request made on behalf of a patient, by a clinician, for funding of specialised healthcare which falls outside the range of services and treatments that NHS Dorset has agreed to commission for the

local population. An Individual Funding Request is taken under consideration when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental, and where there are no other similar patients who would benefit from this treatment. A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.

Invoice validation

Invoice validation is an important process. It involves using your NHS number to check which ICB is responsible for paying for your treatment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

Other ways in which patient information may be used:

Incident management

If you are involved in an incident, for example you slip and fall whilst in the Practice, your information may be included in the incident report and used as part of the investigation process.

Recorded telephone calls

We record all incoming and outgoing telephone calls to and from the Practice for the following purposes:

• to help with staff training (in this instance a transcript of the call is created which contains no patient identifiable or sensitive information);
• to enable us to obtain the necessary facts in the event of a complaint;
• for patient telephone consultations (in this instance a transcript of the call is created and entered into the individual patient health record);
• for medico-legal purposes; and
• for quality assurance to allow us to audit and improve our service to you.

Recordings of telephone calls will only be accessed where necessary by the Practice management team. Recordings are stored in accordance with the NHS Records Management Code of Practice 2021 Retention Schedule, after which they are deleted.

SMS communications

If you have provided us with your mobile telephone number, we may use this to send you SMS messages relating to your healthcare. These may include automatic appointment reminders or cancellations, reminders of clinics, invitations to screening, medication reviews, vaccination appointments, requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit, or to update you about local and national health promotions. If you do not wish to receive these messages, please let the reception team know.

Complaints and queries

If you raise a complaint or query with the Practice, the team will hold information about you within their secure database in order to ensure that your complaint or query is answered appropriately by the relevant person or department. Details of complaints or queries will not be stored within your medical records.

Secondary uses

We may also process data for the following secondary uses:

• Clinical Research: sometimes your information may be requested to be used for research purposes – the practice will always gain your consent before using information for this purpose.
• Clinical Audit: information may be used for audit to monitor the quality of the service provided. Some of this information may be held centrally and used for statistical purposes. Where this is done we make sure that individual patient records cannot be identified, e.g. the National Diabetes Audit. Audits will have approval from the Clinical Advisory Group, under s.251 of the NHS Act 2006 and data submissions will be signed off by our Caldicott Guardian.
• Improving Services: NHS Dorset will sometimes extract pseudonymised medical information about you to help identify areas for improvement in the services provided to you.
• Risk Stratification: data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by NHS approved third parties and is only provided back to your GP as data controller in an identifiable form. We are working with partners Dorset Healthcare and Optum to improve short term and medium-term health outcomes for local populations through the application of Population Health Management. We use the services of Dorset Healthcare as part of the Intelligent Working Programme (IWP) to pseudonymise and extract the data and transfer it to Optum for linking with Secondary Uses data. A small number of analytics specialists from Optum, alongside analytics staff in Dorset, will have access to this pseudonymised data. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services.
• National Archiving: records made by an NHS organisation are Public Records in accordance with Schedule 1 of the Public Records Act 1958. The Public Records Act 1958 requires organisations to select core records for permanent preservation at the relevant Place of Deposit (PoD) appointed by the Secretary of State for Culture, Media and Sport. PoDs are usually public archive services provided by the relevant local authority. The selection and transfer must take place at or before records are 20 years old and is a separate process from appraisal for retention to support current service provision. Potential transfers of digital records should be discussed with the PoD in advance to ensure that technical issues can be resolved. Records no longer required for current service provision may be temporarily retained pending transfer to a PoD and records containing sensitive personal data should not normally be transferred early.

These secondary uses help the NHS to:

• prepare and analyse statistics on NHS performance;
• audit NHS services, locally and nationally;
• monitor how we spend public money;
• plan and manage health services for the population of Dorset;
• conduct health research and development of treatments.

Our Practice values the concept of data minimisation and will use anonymised or pseudonymised information as much as possible. We rely on UK GDPR Articles 6(1)(e) and Articles 9(2)(h) for lawfully processing identifiable data. Where you have opted-out of the use of identifiable data for secondary purposes, your data will not be used unless it is anonymised or unless there is a legal obligation for us to process it.

National data opt-out

Whenever you use a health or care service, important information about you is collected in your patient record for that service to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

Patients can view or change their national data opt-out choice at any time by using the online service Your NHS Data Matters, or by calling 0300 3035678.

Further information is available at:

• Information about patients  (which covers health and care research), and
• Introducing patient data  (which covers how and why patient information is used, the safeguards and how decisions are made)

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Our Practice compliant with the national data opt-out policy

Data controller and processors

The Practice is the Data Controller of the data which we gather, hold and create about you.

The Practice engages with data processors who may process your data. All Data Processors are held to strict contractual obligations, which specify the limitations, any access arrangements, storage and retention of data on our behalf as well as strict confidentiality and information handling clauses. All data processors are also held to high information security standards and are asked to provide evidence of how they meet Data Protection legislation. These processors may be software suppliers or specialist and support services.

Cross Border Transfers between the UK, the EU, other third countries or international organisations

Following the UK’s exit from the European Union the UK has now become a third country under the EU GDPR. An adequacy decision for the UK has been approved by the EU Commission under Article 45(3) of the EU GDPR, allowing the free flow of personal data between the EU and the UK to continue. The Practice does not routinely transfer data outside of the European Economic Area and will assess any adhoc transfers against adequacy (UK GDPR Article 45) and appropriateness of safeguards and data protection (UK GDPR Article 46) of the country of transfer.

Retention periods

The Practice works to the NHS Records Management Code of Practice 2021 Retention Schedule.

Data subject rights

The law gives you certain rights to your personal healthcare information that we hold:

Right of access to your information

You have the right to request a copy of the personal information that we hold about you; this is known as a Subject Access Request. We have one month to reply to you and give you the information that you require. This can be extended by two further months if the request is complex or we have received a number of requests from you. Subject Access Requests can be made by you the patient, by a legal representative; a solicitor acting on your behalf, a carer, parent, guardian or appointment representative, with appropriate consent. A personal representative also has the right of access to deceased records.

If you would like a copy of the information we hold about you, please contact: Sarah Barford-Pike, IT and Data Quality Manager on 01258 474500

We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.

We can restrict disclosure of your information if your doctor feels that granting access would disclose information likely to cause serious harm to your physical or mental health or that of another individual, and where you do not already know the information. Or where granting access would disclose information relating to or provided by a third party who could be identified from the information, and who has not provided consent for it to be released.

Right to restrict or object to the use of your information

We cannot share your information with anyone else for a purpose that is not directly related to your health without your consent. Patients have the right to restrict the processing of your personal information for secondary purposes through NHS Digital’s National Data Opt-Out. 

The right to restrict processing of healthcare data can only be exercised in the following circumstances:

• the accuracy of the data is contested;
• the processing is unlawful.

Right to have incorrect information corrected

If you feel that information held about you is incorrect, you have the right to ask for it to be corrected. This applies to matters of fact, not opinion. Incorrect contact information such as your address will be corrected immediately. If the information is of a clinical nature, this will need to be reviewed and investigated by the Practice, which will result in one of the following outcomes:

• the Practice considers the information to be correct at the time of recording and will not amend the data. A statement from you may be placed within the record to demonstrate that you disagree with the information held. You have the right to appeal to the Information Commissioner;
• the Practice agrees that the information is incorrect, however it is not legal to modify or remove information within the record as it represents ‘historical information’ which may have influenced subsequent events of decisions made. In these circumstances, a note will be made in the record which advises the reader of the inaccuracy and of the correct facts. The Practice will agree the content of the note with you.

Right to data portability

This right only applies where the original processing is based on the data subject’s consent or fulfilment of a contract that they are party to, and if the processing is automated. However, in the spirit of the Regulations, you have the right to request that your personal and/or healthcare information is transferred in an electronic or other form to another organisation.

Right to appropriate decision making

The right to appropriate decision making applies to automated processing, including profiling, which produces legal outcomes, or that significantly affects you. The Practice has not identified any automated processing which is solely automated and without human involvement in the outcome of the processing.

Right to erasure

s is sometimes known as ‘the right to be forgotten’, but it is not an absolute right. You cannot ask for this right of erasure in relation to records which the Practice is legally bound to retain. The Practice has an obligation, not only to retain information for a specified time period, but also not to retain information for longer than is necessary and to dispose of information securely.

Please see above section on retention.

Right to lodge a complaint

If you are dissatisfied with the handling of your personal information, you have the right to make a complaint. In the first instance, formal complaints should be addressed to:

• Laura Grant, Operational Manager, Blackmore Vale Partnership, Old Market Hill, Sturminster Newton Dorset DT10 1QU

You also have the right to make a complaint to the Information Commissioner’s Office – the independent regulator of data protection: How to contact the Information Commissioner’s Office.

Tier Three – The law explained

Data Protection Principles

There are six core principles to data protection legislation:

1. Personal data must be processed lawfully, fairly and transparently (lawfulness, fairness and transparency).
2. Personal data must be collected for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes (purpose limitation).
3. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
4. Personal data must be accurate and up to date (accuracy).
5. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation).
6. Personal data is processed in a manner that ensures appropriate Security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

Lawful basis

From 1 January 2021, the ‘UK GDPR’ has replaced the GDPR as the UK’s data protection law. The Practice processes personal data for primary purposes under the following legal basis:

• UK General Data Protection Regulation Article 6(1)(e): “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

For the processing of personal data for secondary purposes the Practice may rely on one of the following legal bases depending on the circumstances:

• UK General Data Protection Regulation Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”

There are some National Audits and patient registers which require the Practice to process your information under Article 6(1)(c) in accordance with UK legislations such as the National Health Service Act 2006 and Health and Social Care (Safety and Quality) Act 2015.

There are also obligations within the Crime and Disorder Act 1998, Terrorism Act, Children’s Act(s) 1989 and 2004, Mental Health Act 1983 and 2007 to share information with the Police or Social Services.

The Practice processes special categories of data (health data) for primary purposes under the following legal bases:

• UK General Data Protection Regulation Article 9(2)(h): “Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services on the basis of Union or Member State law or pursuant to contact with a health professional and subject to the conditions and safeguards referred to in paragraph 3” – Paragraph 3: “Personal data referred to in paragraph 1 [special categories of data] may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of a professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.”
• UK General Data Protection Regulation Article 9(2)(b): “Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject”

The Practice processes special categories of data for secondary purposes under the following legal bases:

• UK General Data Protection Regulation Article 9(2)(j): “Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects”
• UK General Data Protection Regulation Article 9(2)(i): “Processing is necessary for reasons of public interest in the areas of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”

Where data has been anonymised it is not considered to be personal data and the UK General Data Protection Regulation and Data Protection Act 2018 will not apply. The Practice will use anonymous data for audit and population health management.

Occasionally, the Practice may rely on consent as a legal basis:

• UK General Data Protection Regulation Article 6(1)(a): “the data subject has given consent to the processing of his or her personal data for one or more specific circumstances”

Where you are asked for your consent to take part in Research, Clinical Trials or Audits, your care will not be affected if you decline to take part. Research and Audit are vital for the NHS to evaluate and improve Healthcare for everyone.

• UK General Data Protection Regulation Article 9(2)(a): “the data subject has given explicit consent to the processing of those personal data for one of more specified purposes”

However, these circumstances will be few and the Practice will not rely on consent where there is another lawful basis that we should use.

• UK General Data Protection Regulation Recital 43 specifies that for consent to be freely given it “should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.”

Our Practice upholds transparency and fairness through the use of this privacy notice. We uphold data minimisation techniques like pseudonymisation and anonymisation where possible to protect data and ensure that the purpose of processing is relevant and adequate.

The Practice holds data security in the highest importance; our systems have role-based access and clinical systems are auditable to ensure transparency in the use of systems by staff. Devices are encrypted and all our staff undertake annual mandatory data security training.

iGPR Technologies Limited (“iGPR”)

We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for.

iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.

Nova Healthcare Solutions Ltd (Nova)

In order to improve patient access, we will be working in partnership with Nova Healthcare Solutions Ltd.  This company provide us with clinicians who work remotely to help us assess and triage the e-consult online service and urgent on the day demand. They will only access your medical record if you have requested medical input.  Your data will not be transferred to another company, will be treated confidentially, and will stay under our control as it is with other locum clinicians we employ.

 Patients will either complete Klinik request at home or phone our Patient Services team who will take the pertinent clinical details to complete a Klinik for you.  This will be added to the appointments for a Nova clinician to triage and complete.  They may need to phone you for more details and will introduce themselves as part of our extended team here at The Blackmore Vale Partnership.  They are able to assess and treat you remotely either by return e mail or over the phone.  If you require medication, this will also be organised for you.  If you require to see a clinician in person following their assessment, this will be arranged for you through our patient services team.

 Nova Healthcare Solutions is a UK based company established by GPs wanting to support General Practice struggling with an increasing workload.  Nova is a company with highly trained Multi-disciplinary staff including GPs, Advanced Practitioners and administrative staff.  They are registered with the Care Quality Commission and are NHS Digital approved, Organisation Data Service registered and have Data Security and Protection approval.

We use Nova to assist us a processor responding to clinical correspondence relating to your patient data. Nova manages the clinical workflow correspondence process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to Nova include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.

National Obesity Audit: NHS England Transparency Notice – NHS Digital

Data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by NHS approved third parties and is only provided back to your GP as data controller in an identifiable form. Through the Dorset Intelligence & Insight Service (DiiS) we are working to improve short term and medium-term health outcomes for local populations through the application of Population Health Management and Analysis. The DiiS, set up and run by NHS staff across Dorset and hosted within Dorset HealthCare, pseudonymise at source and extract the data to analyse the use of services and identify areas for prevention and improvement in overall patient health and well-being outcomes. A small number of specialist analytics staff from NHS Trusts manage this data within the DiiS platform. In addition, the DiiS work with Sollis to provide risk stratification of this data which enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services including social prescribing.

Why is sharing my health information important?

Your electronic health record contains lots of information about you, including your medical history, the types of medication you take, any allergies you have and demographic information like your home address, and your next of kin.

In many cases, particularly for patients with complex conditions, the shared record plays a vital role in delivering the best care. Health and social care professionals can ensure coordinated response, taking into account all aspects of a person’s physical and mental health. Whilst some patients have extensive knowledge of their conditions and care requirements, this is not true for everyone. Many patients are understandably not able to provide a full account of their care. The shared record means patients do not have to repeat their medical histories at every care setting, or make guesses about their previous care.

A shared record ensures health or social care professionals always have the most accurate, up to date information. They can rely on their colleagues, sharing accurate and relevant data in a timely way, to provide you with safe and efficient care.

Which services could I go to that could access my medical record with your consent:

• GP practices
• Community services such as district nurses, therapists and diabetes services
• Child health services that undertake scheduling of treatments such as vaccinations
• Urgent care organisations such as Minor Injury Units and Out of Hours services
• Community hospitals
• Palliative care hospices and community services
• NHS Hospitals (including A/E Departments) and Mental Health Trusts
• Care homes
• Social care – registered and regulated professionals within social care organisations coordinating care (not social care providers

Can I choose what is made available?

To give you the most personalised care, it is recommended that you share your whole health record with every service that cares for you. However, you have control over your record and have the choice to specify specific elements of the record you don’t want to be shared. For example, if you have had a consultation about a particularly sensitive matter, you can ask for this section of the record to be marked as private. That way, even if you consent for another service to see your record, that consultation will not be shown. If a consent override is used, then consultations marked as private will be accessible.  

As a practice we would strongly advise patients to register for online services with your mobile number and email address. This will allow you to order prescriptions and book appointments over the web as well as being kept up to date with all practice information. By registering online you can also request access to view your medical record.

Why we collect information about you and what records do we keep

To provide you with the best quality care possible, we must keep health records about you. These contain information about the treatment and support you receive which is recorded by the professionals who have been involved in your care. This may include:

• basic details about you such as address, date of birth, next of kin;
• any contact we have had with you such as clinical visits;
• notes and reports about your health;
• details and records about your treatment and care;
• hospital letters;
• results of x-rays, laboratory tests etc.;
• any other relevant information from people who care for you and know you well such as health professionals and relatives.

How we keep your records confidential

Everyone working for the NHS has a legal duty to keep information about you confidential and secure. To help us protect your confidentiality, it is important to inform us about any relevant changes that we should know about, such as change of address, telephone, change of personal circumstance.

All staff working in the practice sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty. Access to patient records by staff other than clinical staff is regulated to ensure they are only accessed when there is a genuine need to do so, such as when identifying and printing repeat prescriptions for patients, or when typing referral letters to hospital consultants. We will share information in your health record to allow health professionals to work together more effectively to ensure you receive the best quality care.

Summary Care Record

One of the ways of sharing your health information for your care is through the Summary Care Record (SCR). The SCR is available nationally to health professionals who may care for you. It contains important information about any medicines you are taking, any allergies you suffer from, and any bad reactions to medicines that you have had. Access to this information can prevent mistakes from being made when caring for you in an emergency, or when your GP practice is closed. If you are registered with a GP practice in England your SCR is created automatically, unless you have opted out. You can also ask for your SCR to include additional information about you, such as your current health conditions. This is known as an Enhanced SCR.

MORE INFORMATION ON SCR

SystmOne – GP Clinical System

Our Practice and our Primary Care Network (PCN) share your information for your care through the confidential electronic record system that we use, called SystmOne. This is a fully auditable system that is used widely across the NHS and care organisations to keep accurate medical records about you. These records store important information about your illnesses and the care you have received in the past. Your record will contain information from different health and social care organisations such as a hospital, a minor injuries unit, or from a community care service such as district nursing. Your record is only accessed by individuals who have a legitimate reason to do so and who are providing you with care.

How does this work?

Local trusted organisations who work with our PCN on a regular basis will be able to access your record immediately when delivering direct care. Other local health care organisations close to your home, but outside of our PCN, will only access your medical record if you give them permission.

For organisations that are further afield and that we do not work with on a regular basis, we can send you a verification (security code) which allows you to choose whether to let that organisation view your medical record or not. For example, you may be working or on holiday in another part of the country and need care from a hospital or a clinic. Having access to your whole medical record will improve the care they can provide you. We will use your preferred mobile phone number or email address recorded on your medical record, so remember to let us know if this changes.

If you already use the SystmOnline patient portal, then you can select organisations to allow or prevent them from accessing your records. If you do not have a phone or email address and don’t use SystmOnline, then we will be happy to record your choices about which organisations you are happy to share your whole record with.

MORE INFORMATION

Other access

If you are a carer and have the appropriate and evidenced authority, then you can agree access to the record on behalf of the patient who lacks capacity. If you do not have authority to make decisions about access to a patient record, then you can raise any concerns with the patient’s doctor, who will make a decision in the best interests of the patient.

If you have parental responsibility and your child is not able to make an informed decision for themselves, then you can make a decision about information sharing on behalf of your child. If your child is competent then they can make this decision for themselves.

Can I access my records?

The Data Protection Act 2018 (DPA) and the General Data Protection Regulation give every living person, or authorised representative, the right to apply for access to their health records. An audit log is maintained showing who has accessed your record, and when. You are also entitled to request a copy of this log.

You can view your own health record, change how your record is accessed, and view an audit trail of who has accessed your record by using the SystmOnline patient portal or NHS app. Ask your practice for details on how to set up a SystmOnline account or download the NHS app. Alternatively, you can make a request in writing and we will respond within a month. You will be required to provide ID before any information is released to you.

If you would like any further details about your information rights under the General Data Protection Regulation or think that anything in your record is factually inaccurate, please contact us.

Other people who may view my record

Occasionally we may receive requests from insurance companies. Once the insurance company has provided a copy of your consent, we will issue a medical report rather than releasing your medical records.

We may also need to provide limited information to local authorities about some infectious diseases or if you have had food poisoning. Very rarely, doctors may also be required to disclose information in order to detect a serious crime. Likewise, a Court Order can require doctors to disclose certain information during a court case.

Data sharing outside of our GP practice for secondary uses

You can register a type 1 opt with us if you wish to prevent your personal information being used outside this GP practice for purposes other than your individual care. A Type 1 secondary use objection does not in any way affect how healthcare professionals provide patients with direct medical care or prevent them from accessing a patient’s medical record if, and when, appropriate.  Secondary uses are not about information sharing between healthcare professionals, your information can still be used to provide secondary care, for example, if you are referred to a specialist.

Data sharing by NHS Digital and other health and care organisations for secondary uses such as research and planning

NHS England links together information from all the different places where you receive care, such as hospital, community service and your GP Surgery. This allows them to compare the care you receive in one area against the care you receive in another. This information is held in a secure environment by NHS Digital. The role of NHS Digital is to ensure that high quality data is used appropriately to improve patient care. NHS Digital has legal powers to collect and analyse data from all providers of NHS care. They are committed, and legally bound, to the very highest standards of security and confidentiality to ensure that your confidential information is always protected. This data can also be used, with permission from NHS England, for research purposes.

You can choose whether or not you want your confidential patient information to be shared by NHS Digital and other health and care organisations for purposes other than your individual care such as research and planning. You can set your own opt-out choice by the NHS Website or by phoning 0300 303 5678. You will need to provide:

• your NHS number, or your postcode (as registered with your GP practice)
• your mobile phone number or email address provided previously at your GP practice or other NHS service.

If you would like to view this information in an alternative format, for example large print or easy read, or, if you need help communicating with us, for example because you use British Sign Language, please let us know on 01258 474500 / 01747 856700