Practice Policies & Patient Information
Access To Records
Under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2018, patients are entitled to request full copies of their medical records. This is commonly known as a Subject Access Request (SAR).
Whilst this service is usually free of charge, the surgery reserves the right to charge a reasonable fee for a SAR if the request is manifestly unfounded or excessive.
Confidentiality
Introduction
The reasons for the policy:
- All information held at the practice about patients is confidential, whether held electronically or in hard copy
- Other information about the practice (for example its financial matters) is confidential
- Staff will by necessity have access to such confidential information from time to time
Applicability
The policy applies to all employees and partners, and also applies to other people who work at the practice e.g. self-employed staff, temporary staff and contractors (all collectively referred to as ‘staff’ below).
This does not include situations which are covered under existing safeguarding legislation, under which there may be a duty to disclose information in certain circumstances.
These are:
- If we are concerned about the safety of a child (someone under the age of 18, this may be the client)
- If we are concerned about the safety of a vulnerable adult (A person aged 18+ whose physical or mental condition makes them particularly vulnerable)
- The patient is acting, or likely to act, in a way that could cause serious harm to him or herself, or put others at risk of harm
- There is the possibility of serious risk to a particular person or persons, or to the public in general
- Information relating to an act of terrorism or money laundering is disclosed
In these cases the patient must be stopped if possible before the disclosure and warned that the practice’s confidentiality policy ceases in these circumstances, and that if disclosure is made then the practice will be bound to report the matter to the appropriate authorities.
Policy
- Staff must not under any circumstances disclose patient information to anyone outside the practice, except to other health professionals on a need to know basis, or where the patient has provided written consent or in situations that are covered by legislation (covered above).
- All information about patients is confidential: from the most sensitive diagnosis, to the fact of having visited the surgery or being registered at the practice.
- Staff must not under any circumstances disclose other confidential information about the practice to anyone outside the practice unless with the express consent of the practice manager or the individual acting as the practice manager in the practice manager’s absence.
- Staff should limit any discussion about confidential information only to those who need to know within the practice.
- The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.
- Staff must be aware of and conform to the requirements of the caldicott recommendations.
- All patients can expect that their personal information will not be disclosed without their permission (except in circumstances covered by legislation, listed above).
- Electronic transfer of any confidential information, once approved by the practice Manager, must be transmitted via the NHSnet. Staff must take particular care that confidential information is not transmitted in error by email or over the internet.
- Staff must not take data from the practice’s computer systems (e.g. on a memory stick or removable drive) off the premises unless authorised to do so by the practice manager.
- Staff who suspect a breach of confidentiality must inform the practice manager immediately.
- Any breach of confidentiality will be considered as a serious disciplinary offence and may lead to dismissal.
- Staff remain bound by the requirement to keep information confidential even if they are no longer employed at the practice.
Responsibilities of Practice Staff
All health professionals must follow their professional codes of practice and the law. This means that they must make every effort to protect confidentiality. It also means that no identifiable information about a patient is passed to anyone or any agency without the express permission of that patient, except when this is essential for providing care or necessary to protect somebody’s health, safety or well-being.
All health professionals are individually accountable for their own actions. They should, however, also work together as a team to ensure that standards of confidentiality are upheld, and that improper disclosures are avoided.
Additionally, Northenden Group Practice, as Employers:
- Are responsible for ensuring that everybody employed by the practice understands the need for, and maintains, confidentiality
- Have overall responsibility for ensuring that systems and mechanisms are in place to protect confidentiality
- Have vicarious liability for the actions of those working in the practice – including health professionals and non-clinical staff (i.e. those not employed directly by the practice but who work in the surgery)
Standards of confidentiality apply to all health professionals, administrative and ancillary staff- including receptionists, secretaries, practice manager, cleaners and maintenance staff who are bound by contracts of employment to maintain confidentiality.
They must not reveal, to anybody outside the practice, personal information they learn in the course of their work, or due to their presence in the surgery, without the patient’s consent. Nor will they discuss with colleagues any aspect of a patient’s attendance at the surgery in a way that might allow identification of the patient unless to do so is necessary for the patient’s care.
If Disclosure is Necessary
If a patient or another person is at grave risk of serious harm which disclosure to an appropriate person would prevent, the relevant health professional can take advice from colleagues within the practice, of from a professional / regulatory / defence body, in order to decide whether disclosure without consent is justified to protect the patient or another person. If a decision is taken to disclose, the patient should always be informed before disclosure is made, unless to do so could be dangerous.
If at all possible, any such decisions should be shared with another member of the practice team.
Any decision to disclose information to protect health, safety or well-being will be based on the degree of current or potential harm, not the age of the patient.
Equality and Diversity Policy
Our commitment as a service provider:
- We aim to provide services to which all clients are entitled regardless of age, disability, gender reassignment, marriage and civil partnership, pregnancy or maternity, race, religion or belief, sex or sexual orientation, offending past, caring responsibilities or social class.
- We will make sure that our services are delivered equally and meet the diverse needs of our service users and clients by assessing and meeting the diverse needs of our clients.
- This policy is fully supported by senior management and has been agreed with employee representatives.
- This policy will be monitored and reviewed annually.
- We have clear procedures that enable our clients, candidates for jobs and employees to raise a grievance or make a complaint if they feel they have been unfairly treated.
- Breaches of our equality and diversity policy will be regarded as misconduct and could lead to disciplinary proceedings.
Policy Statements
Age
We will:
- Ensure that people of all ages are treated with respect and dignity.
- Ensure that people of working age are given equal access to our employment, training, development and promotion opportunities.
- Challenge discriminatory assumptions about younger and older people.
Disability
We will:
- Provide any reasonable adjustments to ensure disabled people have access to our services and employment opportunities.
- Challenge discriminatory assumptions about disabled people.
- Seek to continue to improve access to information by ensuring availability of loop systems, braille facilities, alternative formatting and sign language interpretation.
Race
We will:
- Challenge racism wherever it occurs.
- Respond swiftly and sensitively to racists incidents.
- Actively promote race equality in the company.
Gender
We will:
- Challenge discriminatory assumptions about women and men.
- Take positive action to redress the negative effects of discrimination against women and men.
- Offer equal access for women and men to representation, services, employment, training and pay and encourage other organisations to do the same.
- Provide support to prevent discrimination against transsexual people who have or who are about to undergo gender reassignment.
Sexual Orientation
We will:
- Ensure that we take account of the needs of lesbians, gay men and bisexuals.
- Promote positive images of lesbians, gay men and bisexuals.
Religion or Belief
We will:
- Ensure that patients’ religion or beliefs and related observances are respected and accommodated wherever possible.
- Respect people’s beliefs where the expression of those beliefs does not impinge on the legitimate rights of others.
GP Earnings
All GP Practices are required to declare the mean earnings for GPs working to deliver NHS services to patients at each practice.
The average pay for GPs working in Northenden Group Practice in the last financial year was £33,314 before tax and National Insurance. This is for 11 part time GPs and 3 Locum GPs who worked in the practice for more than six months.
Meet the Team
Click here to see our team
Mission Statement
To be an exceptional practice providing the local community with excellent, accessible and equitable health care, where all staff are valued and supported to thrive.
Named GP
All patients registered at this GP practice are required to be allocated a named accountable GP. The named accountable GP takes responsibility for the co-ordination of all appropriate services required under the contract and ensure that they are delivered to each of their patients where required.
Please contact the practice if you wish to know who this is. If you have a preference as to which GP this is, we shall make reasonable efforts to accommodate this request.
This does not prevent you from seeing any GP of your choice in the practice as you currently do now, and you are unlikely to see any notable change in the way care is delivered to you by us.
Privacy Notice
The Data Controller is: Allison Hey – Practice Manager
How We Use Your Information
This privacy notice explains why the Northenden Group Practice collects personal information about you, and how that information may be used.
We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
As Data Controllers, GPs have responsibilities under the Data Protection Act 2018 (DPA18). This means ensuring that your personal data is handled in ways that are safe, transparent and what you would reasonably expect.
We respect your trust in us to use, store and share your information. In this notice we explain how we collect personal information about you, how we use it and how you can interact with us about it.
We try to keep this notice as simple as possible but if you are unfamiliar with our terms, or want more detail on any of the information here, please contact us at [email protected].
Capturing images – CCTV
Visiting our premises
Our premises are monitored by CCTV so your image may be captured whenever you enter our site boundary and within our premises. We use CCTV for maintaining public safety, the protection and security of our property and our staff and for the detection, prevention and investigating of crime. It may also be used to monitor staff when carrying out work duties.
For these reasons, the information processed may include visual images, including personal appearance and behaviour of those displayed and recorded on the system.
Where the CCTV is located on our premises but near a public space, it may also record these images even if you have not directly visited our premises.
There are signs to show you when you are entering an area monitored by our CCTV. CCTV images are normally held for 30 days and then deleted unless we require to retain them for investigative or policing enquiries.
Meeting Our Legal and Regulatory Obligations
To use your information lawfully, we rely on one or more of the following legal bases:
- For the performance of a task carried out in the public interest or where it is necessary in the exercise of official authority vested in us
- The performance of a contract
- Where the processing is necessary for compliance with our legal obligations
- Protecting the vital interests of you or others
- For our organisational legitimate interests; e.g. for incidental and ancillary data processing, for example the management of non-patient or medical databases used for our internal administrative purposes
- Where appropriate with your consent
- Where necessary for the purposes of preventative or occupational medicine, for the assessment of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
We also respect the common law duty of confidentiality and to satisfy the common law we may rely on implied consent to share confidential health data for the provision of direct care; for example, when a patient agrees to a referral from one healthcare professional to another.
Health care professionals are required to maintain records about your health including any treatment or care you have received within the NHS (e.g. NHS hospital trust, GP surgery, walk-in clinic, etc.). Using these records helps us to provide the best possible healthcare for our patients.
NHS health records may be processed electronically or on paper or a mixture of both and a combination of working practices and technology are used to ensure that your information is kept confidential and secure.
Records used and stored by this GP practice may include the following information:
- Any contact we have with you, such as appointments, clinic visits, emergency appointments, telephone triage etc.
- Notes and reports about your health
- Details about your treatment and care
- Details about you, including your date of birth, NHS number, address and next of kin etc.
- Results of investigations about you such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, agencies, relatives or those who care for you
This practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that such sensitive information is kept confidential.
However, we may disclose your personal information if:
- It is required by law
- You consent to do so – either implicitly (e.g. for your own treatment and care) or explicitly for other purposes (e.g. sending you newsletters etc.)
- It is justified in the public interest
Some of your personal data will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified.
Sometimes information about you may be requested to be used for research purposes. Northenden Group Practice will always endeavour to gain your consent before releasing such information.
Under the powers of the Health and Social Care Act 2012 (HSCA) the Health and Social Care Information Centre (HSCIC) can request personal data from GP practices without seeking the patient’s consent.
Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.
Any patient can choose to withdraw their consent to their data being used in this way. When Northenden Group Practice is about to participate in any new data-sharing scheme we will make patients aware by displaying prominent notices in the surgery and on our website, at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.
A patient can object to their personal information being shared with other health care providers, however if this limits the treatment that you can receive then the doctor will explain this to you at the time.
Risk Stratification
Risk stratification is a process for identifying and managing patients who are at a higher risk of emergency hospital admission. Normally, this is because patients have a long-term condition such as chronic obstructive pulmonary disease (COPD) or some cancers. NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.
In order to achieve this, information about you is collated from several sources, including this GP Practice and from NHS Trusts etc. A risk score is then produced through an analysis of your anonymous information using computer programmes. Your information is only provided back to your GP or member of your care team in an identifiable form.
Risk stratification enables your GP to focus on the prevention of ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services.
Please note that you have the right to opt out of Risk Stratification.
Should you have any concerns about how your information is managed or wish to opt out of any data collection at Northenden Group Practice, please contact your GP or a healthcare professional to discuss how the disclosure of your personal information can be restricted.
All our patients have the right to change their minds and reverse a previous decision. Please contact Northenden Group Practice if you change your mind regarding any previous decision.
Invoice Validation
If you have received treatment within the NHS, access to your personal information may be required to determine which Clinical Commissioning Group should pay for the treatment or procedure that you have received.
This information would most likely include information such as your name, address, date of treatment and may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices and will not be shared for any further purposes.
Hospital Attendance
Personal data about any hospital attendance is obtained from the Health and Social Care Information Centre (HSCIC) and matched to NHS data to create a risk profile about you.
NHS Health Checks
All our patients aged 40-74, not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team at Northenden Group Practice will see confidential information about you during the invitation process. Your details will be securely transferred to a third-party data processor (if appropriate). You may be offered the chance to attend your health check either within Northenden Group Practice or at a local community venue. If your health check is at a community venue, all data collected will be securely transferred back into the Northenden Group Practice system and nobody outside the healthcare team at Northenden Group Practice will see any confidential information about you during this process.
How Do We Maintain The Confidentiality of Your Records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the DPA18 and DPA 18, the Human Rights Act, the Common Law Duty of Confidentiality, the Health and Social Care Act 2012 and the NHS Codes of Confidentiality and Security.
All our staff, contractors and professional members receive appropriate and on-going training to ensure they are aware of their personal responsibilities. They also have employment contractual obligations to uphold your confidentiality, which are enforceable through disciplinary procedures. Your information may be shared internally, including with members of the practice team but only a limited number of authorised staff have access to your personal information (where it is appropriate to their role) and access is only allowed on a strict ‘need-to-know’ basis.
We strive to maintain our duty of confidentiality to you at all times. We will only ever use or pass on personal identifiable information about you if others involved in your care have a genuine need to have it. We will not disclose your information to any third-party without your permission, unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
We are mindful of the UK information sharing principle following Dame Fiona Caldicott’s information sharing review amongst health professionals. We recognise that our duty to share information can be as important as the duty to protect patient confidentiality. Therefore, we encourage our health and social care professionals to have the confidence to share information in the best interests of our patients within the framework set out by the Caldicott principles;
‘To share or not to share – the Information Governance Review’.
Who Do We Share Your Information With?
We may also share your information, subject to strict agreements on how it will be used, with other care providers and agencies.
These could include:
- NHS and specialist hospitals, Trusts
- Other GPs
- Independent Contractors such as dentists, opticians, pharmacists
- Private and Voluntary Sector Providers
- GP practice federations
- Ambulance Trusts
- Clinical Commissioning Groups and NHS England
- NHS Digital
- National Institute for Health and Care Excellence
- Care Quality Commission
- NHS Improvement
- NHS Shared Business Services
- Universities
- Social Care Services and Local Authorities
- Education Services
- Police and Fire and Rescue Services
- Other ‘data processors’ during specific project work e.g. Diabetes UK
Health and Safety Requirements
If you have an accident whilst you are on any of our premises, this must be reported and will be recorded and kept for the purposes of health and safety and insurance requirements.
How Do We Protect Your Data?
We take the security of your data very seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Where we engage with third parties to process personal data on our behalf, we stipulate our privacy expectations in written instructions. They are under a strict duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Access to Personal Information
We aim to be as open as we can regarding access to personal information.
Individuals can find out if we hold any personal information about them by making a ‘subject access request’ under the DPA 18. You also have the right to require it to be amended or removed should it be inaccurate.
If we do hold information about you, we will:
- Give you a description of it
- Tell you why we are holding it
- Tell you who it could be disclosed to
- Let you have a copy of the information in an intelligible form provided it is lawful to do so
To make a request to Northenden Group Practice for any of your personal information we may hold, you need to contact our Data Protection officer on the data controller address given in this document.
You have the right to complain to the Information Commissioner’s’ Office if you believe that we have not complied with the requirements of the DPA18 regarding your personal data.
Storing or transferring your information outside the European Economic Area (“EEA”).
We do not transfer or store your personal information outside the EEA.
How Long We’ll Keep Your Information
We only keep your information for as long as we need it. We’ll retain certain information (e.g. contact information and bank details) for as long as you have a relationship with us. The length of time depends on the purpose of the processing. Generally, we keep data for ten years.
Complaints or Queries
Northenden Group Practice tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. We are happy to provide any additional information or explanation needed. Any queries you have should be addressed to: [email protected] or telephone us on 0161 998 3206.
You can also contact the Information Commissioner’s Office at www.ico.org.uk or write to Wycliffe House Water Lane, Wilmslow, Cheshire SK9 5AF or 0303 123 1113 for information, advice or to make a complaint.
Any changes to this notice will be published on our practice website.
Document name: Members Privacy Notice
Version: 0.1
Name of originator/author: Allison Hey
Policy Owner: Northenden Group Practice
Date created: May 2018
Date reviewed: June 2018
Reviewer: Practice Manager
Date ratified: 24/3/2019
Suggestions, Comments and Complaints
To pursue a complaint, please collect a complaints form from reception or contact reception on 0161 998 3206 who can complete a complaints form over the phone. To pursue a complaint online, please complete the below form.
Your complaint should be acknowledged by the GP practice either verbally or in writing within 3 working days. As part of this acknowledgment, you should be informed about the length of time it will take to investigate your complaint. We aim to reply within 40 working days and up to 60 working days for more complex cases.
During the investigation you should be kept up to date with the progress of your complaint.
For more information, please see our Complaints Procedures Leaflet.
Zero Tolerance
At Northenden Group Practice, we follow a zero tolerance policy regarding abusive behavior towards staff and patients. This includes the use of offensive language and speech that specifically references homophobia, biphobia and transphobia.
We have, and follow, an Equality and Diversity policy, taking into account the needs of all patients and staff, including on the grounds of sexual orientation, gender identity and trans status. This policy is reviewed and updated with staff undergoing training, every 12 months.