It is important that our Surgery is always a safe place to work and visit. Patients and staff must not feel threatened.

Practice staff will always work with patients to resolve difficulties when they arise. This process is helped by a positive and calm manner from both the patient and staff member. If the patient displays hostile behaviour or an angry attitude this can make staff and other patients feel threatened.

In light of this the Practice has clear procedures on unacceptable behaviour.

Such unacceptable behaviours include, but are not limited to:

• Any display of a violent temper
• Shouting or raised voice, pointing fingers
• Not engaging with staff positively
• Being pushy or trying to intimidate staff
• Hostile or aggressive behaviour
• Threats, swearing, spitting
• Any mention or display of any object that could be used as a weapon

Patients will be warned if their behaviour is unacceptable and asked to stop. Where patients do not comply they will receive a BEHAVIOURAL AGREEMENT WARNING letter. Where patients behaviour is unacceptable on a subsequent occasion, they will receive a REMOVAL NOTICE from the practice list.

Patients will be told exactly the nature of the unacceptable behaviour.

We are pleased that incidents of unacceptable behaviour in the surgery are rare.

Repeatedly Missing Appointments

The surgery is under a lot of pressure to provide as many appointments as possible. If they choose to patients may receive an SMS text reminder for their appointments and can text back to cancel their appointment. If you would like to take advantage of this service please let us know and give us your mobile number. Please note the text back facility cannot be used when there are less than three hours before the appointment.

Missed appointments are a waste of resources and we must take action to keep these to a minimum; therefore it is unacceptable behaviour for patients to repeatedly miss booked appointments. Patients who frequently miss booked appointments will be contacted by letter with a behaviour warning and reminder of this policy.

Patients who persistently miss booked appointments risk being removed from the practice register.

At Albany House Surgery, we want to make sure you and your family have the best care now and in the future.

Confidential information from your medical records is stored securely and can be used by the NHS to improve the services offered so we can provide the best possible care for everyone.

This information, along with your postcode and NHS number but not your name, is sent to a secure system where it can be linked with other health information.

This allows those planning NHS services or carrying out medical research to use information from different parts of the NHS in a way which does not identify you.

We will respect your decision if you do not wish your information to be used for any purpose other than your care but, in some circumstances, we may still be legally required to disclose your data, such as a public emergency such as the declaration of a pandemic.

For further information, please read Your Data Matters to the NHS.

National Data Opt-Out

This was introduced on 25th May 2018 and replaces the previous ‘type 2’ opt-out.

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. The new programme provides a facility for individuals to opt out of the use of their data for research or planning purposes.

For anyone who had an existing ‘type 2’ opt-out, it will have been automatically converted to a national data opt-out from 25th May 2018 and you will have received a letter giving you more information alongside a leaflet explaining the new national data opt-out from NHS England.

The national data opt-out choice can be viewed or changed at any time by using the online service at: www.nhs.uk/your-nhs-data-matters.

If you wish to opt out of sharing your data, please follow this link to manage your choice:

https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/

For more information, please read the information sheet published by the NHS.

Consent Forms

• Consent for Medical Records
• Consent for Insurance report/claim or other fee service

You are entitled to have a chaperone present if you wish, and we will endeavour to make one available. If this cannot be arranged immediately you may have to make an appointment at another time.

We work hard to deliver first-class health care. We value the opinions of patients and visitors so we can continually make improvements to our services.

In order to attain and maintain high standards of care, feedback is needed from those to whom the care is delivered. We strive to deliver high-quality patient care at all times and in all areas of contact with the patient or patient’s representative, but we appreciate that there are times when we may fail to meet patient expectations.

Compliments, comments and suggestions

Compliments, comments and suggestions can be submitted to any member of practice staff, via the forms in the practice waiting areas, via our Friends and Family Test page (here), by submitting a review to NHS England (here)  or by submitting a review to Google (here)

Complaints

The Practice Complaints Procedure is aimed at quick resolution of problems. This procedure enables the patient (or the person complaining on the patient’s behalf with the patient’s written consent) to fully articulate the issues or concerns in writing, which in turn enables the Practice to thoroughly and efficiently investigate and respond. To make a complaint, please read how to make a complaint.

As a patient, you have a right to complain about any aspect of the service with which you are less than satisfied.

After your complaint is submitted, you will receive an acknowledgment within 3 working days from receipt of the complaint by the Practice.

Any complaint you make will be investigated and you will receive a written response from the Practice as to the outcomes of the investigations and, where appropriate, the steps taken to ensure the situation does not reoccur.

We aim to reply within 10 working days, depending on the nature of the complaint and the investigation that needs to be carried out. Where other parties are involved, you will be kept informed as to the steps being taken to obtain their statements.

If considered appropriate by all parties, you may be invited to a telephone or video call to discuss the matter with the Assistant Practice Manager and, where appropriate, one or more of the Doctors.

If you prefer, you may address your complaint to NHS England or the Parliamentary and Health Service Ombudsman (PHSO). You can also contact independent conciliation/advocacy services should you prefer.

Please refer to the Practice’s Complaints Leaflet for further information.

(This privacy notice is to run alongside our standard organisation privacy notice.)

As we move away from the initial response to COVID-19 the health and social care system will need to continue to take action to manage and mitigate the spread and impact of the outbreak. This includes ensuring that approved researchers can continue to securely access pseudonymised data held by GP IT systems to assist the health and care service’s response to COVID-19 by, for example:

• recognising trends in COVID-19 diseases and identifying risks it poses
• controlling and preventing the spread of COVID-19
• monitoring and managing outbreaks

The OpenSAFELY COVID-19 research service provides a secure analytics service that supports COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.

Under the COVID-19 Public Health Directions 2020 NHS England has been directed by the Secretary of State for Health and Social Care to establish and operate the OpenSAFELY service.  While each GP practice remains the data controller of its own patient data, they are required under the provisions of s259 of the Health and Social Care Act 2012 to provide access to de-identified (pseudonymised) patient data through the OpenSAFELY service.

The service enables individuals (academics, analysts and data scientists) approved by NHS England to run queries on pseudonymised GP and NHS England patient data which is held within the GP system suppliers’ data environments.  Controls are in place to ensure that individuals only have access to aggregated outputs from the service (i.e. they cannot access information that either directly or indirectly identifies individuals).

Purpose of this Notice

OpenSAFELY service is used to analyse de-identified (pseudonymised) data within the EMIS and TPP boundaries, to support COVID-19 related research.

This is a continuation of a service which is supported by the BMA which has been operating since 2020. The permanent legal basis (the COVID-19 Direction) above allows the practice to provide this data to NHSE as an ongoing service.

The OpenSAFELY service is a Trusted Research Environment (TRE) established within the secure environment of EMIS and TPP. Researchers write their analysis code away from the patient data; the code is run automatically on de-identified (pseudonymised) patient data; and only the aggregated outputs (now anonymous) are shared with researchers to be used, for example, in journal publications, reports or presentations.

These controls keep patient data secure inside EMIS and TPP and confidential from researchers. The use of TREs and the data processing principles which OpenSAFELY represents is supported by the RCGP.

To date, this service has supported a range of important COVID-19 related research, including one of the world’s first and largest studies to identify the clinical factors associated with COVID-19 related death, which informed the national COVID-19 vaccination strategy and Green Book guidance. Other studies have also informed COVID-19 related NICE guidance and decisions made by SAGE.

All NHS England approved research studies are published online, including sharing the exact analysis code each study used to analyse the patient data, by whom and when such code was run. In future, NHSE will also publish approvals on our data release register.

During the pandemic, and in the recovery phase, de-identified data has been crucial in helping to save lives. It has supported research into COVID-19 and the ways that it has affected our lives, our health, and to identify effective medicines and treatments.

Research has helped to identify new treatments for COVID-19 and to understand how we can keep our communities safe. Data has helped us to prioritise the right care to the most vulnerable in our society and to develop vaccines to protect against COVID-19.

If you have any questions, please contact us at [email protected]

Recording of processing

A record will be kept by Albany House Medical Centre of all data processed under this Notice.

Sending Public Health Messages

Data protection and electronic communication laws will not stop Albany House Medical Centre from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

Digital Consultations

It may also be necessary, where the latest technology allows Albany House Medical Centre to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. All references to NHS Digital now, or in the future, relate to NHS England.

You are able to see your own records online through our online service systmonline and its associated app, TPP Airmid* available below:

If you have not already done so and you wish to register for our online services, please complete our Register for Online Services form

Information about your health and care helps us ​and other healthcare organisations to improve your individual care, speed up diagnosis, plan your local services, and help to research new treatments.

Albany House Medical Centre and the NHS are committed to keeping patient information safe and always being clear about how it is used.

How your data is used

Information about your individual care, such as treatment and diagnoses, is recorded whenever you use health and care services.

This information allows us, and other healthcare organisations to:

• Improve individual care
• Speed up diagnoses
• monitor the long-term safety and effectiveness of care
• Plan local clinics and services
• Help research new treatments and medicines

It is only used in this way when there is a clear legal basis to use the information, to help improve health and care for you, your family and future generations.

Where data is supplied to external sources, we try to use data that does not identify you through Anonymisation or pseudo-Anonymisation, but sometimes it is necessary to use your confidential patient information.

You have a choice

You do not need to do anything if you are happy about how your information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out. You can change your mind about your choice at any time.

Will choosing this opt-out affect your care and treatment?

No.  Choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, immunisations and annual reviews.

What do you need to do?

If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.

If you have previously registered a Type 1 Opt-out with your GP practice your data will not be shared with NHS Digital.

If you do wish to opt-out you can do this by downloading the following Type 1 Opt Out Form and returning the completed form to the Practice by 1^st September 2021.

Type 1 opt-out form

If you have previously registered a Type 1 Opt-out and you would like to withdraw this, you can also use the above form to do this.

If you submit the Type 1 Opt-out Form after 1 July 2021, no more of your data will be shared with NHS Digital.  However, NHS Digital will still hold the patient data, which was shared with us dating back at least 10 years prior to you opting out.

If you do not want NHS Digital to share your data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out via the NHS website

More Information

To find out more about the benefits of data sharing and how data is protected visit the NHS website

*Other apps are available

Download a copy of the patient leaflet

Page last updated 08 June 2021

Publication of GP earnings

All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.

The average pay, before tax and National Insurance, for GPs working in Albany House Medical Centre in the last financial year was £140,176.

The number of full time GPs that this relates to is 4.

The number of part time GPs that this relates to is 3.

The number of locum GPs working in the practice for over six months, that this relates to is 0.

Please note that NHS England requires that the net earnings of doctors engaged in the practice is publicised, and the required disclosure is shown above. However it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not form any judgement about GP earnings, nor to make any comparison with any other practice.

The practice is required by the Government under the terms of the latest GP contract to allocate all patients a named accountable GP.

Given that we have nearly 20,000 patients and that we need to keep a sensible balance of patients between each GP, it has been simply impossible to allow every patient to express a preference. Please contact us if you want to know who your named accountable GP is.

Please note that there is no need to book your GP appointment with your named accountable GP. You should continue to see whichever healthcare professional is available.

PATIENT PRIVACY NOTICE

As a registered patient, the Albany House Medical Centre has a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records about your health and the treatment you receive in both electronic and paper format.

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information, or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer Paul Couldrey of PCDC on [email protected]

The main things the law says we must tell you about what we do with your personal data are:

• We must let you know why we collect personal and healthcare information about you
• We must let you know how we use any personal and/or healthcare information we hold about you
• We need to inform you in respect of what we do with it
• We need to tell you about who we share it with or pass it on to and why
• We need to let you know how long we can keep it for

What is a privacy notice?

A privacy notice (or ‘fair processing notice’) explains the information we collect about our patients and how it is used. Being open and providing clear information to patients about how an organisation uses their personal data is an essential requirement of the new UK General Data Protection Regulations (UK GDPR).

Under the UK GDPR, we must process personal data in a fair and lawful manner. This applies to everything that is done with patient’s personal information. This means that the organisation must:

• Have lawful and appropriate reasons for the use or collection of personal data
• Not use the data in a way that may cause harm to the individuals (e.g., improper sharing of their information with third parties)
• Be open about how the data will be used and provide appropriate privacy notices when collecting personal data
• Handle personal data in line with the appropriate legislation and guidance
• Not use the collected data inappropriately or unlawfully

What is fair processing?

Personal data must be processed in a fair manner – the UK GDPR says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair processing means that the organisation has to be clear and open with people about how their information is used.

The Practice manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and the General Medical Council.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• UK General Data Protection Regulations 2016
• Data Protection Act 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality and Information Security
• Information: To Share or Not to Share Review

This means ensuring that your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way.

The Health and Social Care Act 2012 changed the way that personal confidential data is processed so it is important that our patients are aware of and understand these changes and that you have an opportunity to object and know how to do so.

The healthcare professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g., NHS Hospital Trust, GP surgery, walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Who is the data controller?

The Albany House Medical Centre is registered as a data controller under the Data Protection Act 2018. Our registration number is Z5265981 and our registration can be viewed online in the public register at http://www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately when you are seen by us as a patient.

We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.

What type of information do we collect about you?

Information held by this organisation may include the following:

• Your contact details (such as your name, address and email address)
• Details and contact numbers of your next of kin
• Your age range, gender, ethnicity
• Details in relation to your medical history
• The reason for your visit to the organisation
• Any contact the organisation and/or your practice has had with you including appointments (emergency or scheduled), clinic visits, etc.
• Notes and reports about your health, details of diagnosis and consultations with our GPs and other health professionals within the healthcare environment involved in your direct healthcare
• Details about the treatment and care received
• Results of investigations such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you
• Recordings of telephone conversations between yourself and the organisation

Information collected about you from others

We collect and hold data for the purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:

• It is required by law
• You provide your consent – either implicitly for the sake of your own care or explicitly for other purposes
• It is justified to be in the public interest

To ensure you receive the best possible care, your records are used to enable the care you receive. Information held about you may be used to help protect the health of the public and to help us to manage the NHS.

Information may be used for clinical audit purposes to monitor the quality of services provided, may be held centrally and may used for statistical purposes. Where we do this, we ensure that patient records cannot be identified.

Sometimes your information may be requested to be used for clinical research purposes – the organisation will always endeavour to gain your consent before releasing the information.

Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care. You can choose to withdraw your consent to your data being used in this way. When the organisation is about to participate in any new data-sharing scheme, we will make patients aware by displaying prominent notices and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.

A patient can object to their personal information being shared with other healthcare providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

What is special category data?

The law states that personal information about your health falls into a special category of information because it is extremely sensitive. Reasons that may entitle us to use and process your information may be as follows:

The legal justification for collecting and using your information

The law says we need a legal basis to handle your personal and healthcare information.

How do we use your information?

Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest.

In order to comply with its legal obligations, this organisation may have to send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, we may have to contribute to national clinical audits and will send the data that is required by NHS Digital as the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.

Under the General Data Protection Regulation, we will be lawfully using your information in accordance with:

• Article 6, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Who can we provide your personal information to and why?

Whenever you use a health or care service, such as attending the local hospital or using the district nursing service, clinical information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, researching to develop new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations.

However, as explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations because these organisations may require your information to assist them in the provision of your direct healthcare needs. It therefore may be important for them to be able to access your information in order to ensure they may deliver their services to you:

• Hospital professionals (such as doctors, consultants, nurses etc.)
• Other GPs/doctors
• Primary Care Networks
• NHS Trusts/Foundation Trusts/Specialist Trusts
• NHS Commissioning Support Units
• NHS England (NHSE) and NHS Digital (NHSD)
• Multi-agency Safeguarding Hub (MASH)
• Independent contractors such as dentists, opticians, pharmacists
• Any other person who is involved in providing services related to your general healthcare including mental health professionals
• Private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc.
• Voluntary sector providers
• Ambulance Trusts
• Integrated Care Systems
• Clinical Commissioning Groups
• Local authority
• Social care services
• Education services
• Other ‘data processors’, e.g., Diabetes UK

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.

Who may we provide your information to:

• For the purposes of complying with the law, e.g., the police
• Anyone you have given your consent to, to view or receive your record, or part of your record. If you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed
• Computer systems – we operate a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication. We will make information available to our partner organisations (above) unless you have declined data sharing to ensure you receive appropriate and safe care. Wherever possible, staff will ask your consent before your information is viewed.
• Extended access – we provide extended access services to our patients so that you can access medical services outside of our normal working hours. To provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group whereby certain key ‘hubs’ offer this service for you as a patient to access outside of our opening hours.

This means those key ‘hubs’ will have to have access to your medical record to be able to offer you the service. Please note to ensure that those hubs comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

• Data extraction by the Clinical Commissioning Group – the Clinical Commissioning Group at times extracts medical information about you but the information we pass to them via our computer systems cannot identify you to them

This information only refers to you by way of a code that only your own practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.

Your rights as a patient

The law gives you certain rights to your personal and healthcare information that we hold as set out below:

How long do we keep your personal information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.

More information on records retention can be found online at: NHSX – Records Management Code of Practice 2020.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a data processor as above.  We have data protection processes in place to oversee the effective and secure processing of your personal and/or special category data.

The Albany House Medical Centre uses a clinical system provided by a data processor called SystmOne and an online triage platform by a data processor called Anima Health.

Data does remain in the UK and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the highest levels of security and support.

Maintaining your confidentiality and accessing your records

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulations (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for the Practice an appropriate contract (Article 24-28) will be established for the processing of your information.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the organisation in writing if you wish to withdraw your consent.  In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Sharing your information without consent

We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example:

• Where there is a serious risk of harm or abuse to you or other people
• Safeguarding matters and investigations
• Where a serious crime, such as assault, is being investigated or where it could be prevented
• Notification of new births
• Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
• Where a formal court order has been issued
• Where there is a legal requirement, for example if you had committed a road traffic offence.

Third party processors

To enable us to deliver the best possible services, we will share data (where required) with other NHS bodies such as hospitals. In addition, the organisation will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

• Companies that provide IT services and support, including our core clinical systems, systems that manage patient facing services (such as our website and service accessible through the same), data hosting service providers, systems that facilitate appointment bookings or electronic prescription services and document management services etc.
• Further details regarding specific third-party processors can be supplied on request to the data protection officer as below.

Third parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them that may breach their rights to confidentiality are removed before we send any information to any other party including yourself. Third parties can include spouses, partners and other family members. 

Anonymised information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

Audit

Auditing of clinical notes is done by the Albany House Medical Centre as part of their commitment to the effective management of healthcare whilst acting as a data processor.

Article 9.2.h is applicable to the management of healthcare services and “permits processing necessary for the purposes of medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems or services.’” No consent is required to audit clinical notes for this purpose.

Furthermore, compliance with Article 9(2)(h) requires that certain safeguards are met. The processing must be undertaken by or under the responsibility of a professional subject to the obligation of professional secrecy or by another person who is subject to an obligation of secrecy.

Auditing clinical management is no different to a multi-disciplinary team meeting discussion whereby management is reviewed and agreed. It would be realistically impossible to require consent for every patient reviewed that is unnecessary.

It is also prudent to audit under Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation 17: Good Governance.

GP connect service

The GP connect service allows authorised clinical staff at NHS 111 to seamlessly access our clinical system and book directly on behalf of a patient. This means that, should you call NHS 111 and the clinician believes you need an appointment, the clinician will access available appointment slots only (through GP Connect) and book you in. This will save you time as you will not need to contact the organisation directly for an appointment.

We will not be sharing any of your data and we will only allow NHS 111 to see available appointment slots. They will not even have access to your record. However, NHS 111 will share any relevant data with us but you will be made aware of this. This will help in knowing what treatment/service/help you may require.

Invoice validation

Your information may be shared if you have received treatment to determine which Integrated Care Board (ICB) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

NHS health checks

Cohorts of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check.  Nobody outside the healthcare team in the Albany House Medical Centre will see confidential information about you during the invitation process.

Patient communication

As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone should we need to notify you about appointments and other services that we provide to you involving your direct care. This is to ensure we are sure we are contacting you and not another person. As this is operated on an ‘opt out’ basis we will assume that you have given us permission to contact you via SMS if you have provided your mobile telephone number. Please let the organisation know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us.

Digital Telephony and Online consultation services

Practices are required to submit data in relation to the usage of  digital telephony and online consultation services to NHS England.  This data may also be provided to Wellingborough and District PCN and Northamptonshire ICB.  The data covers both clinical and administrative interactions facilitated through telephony and online consultation systems.  No personal details are included in these submissions.

Albany House Medical Centre also reviews this information to allow us to understand how digital platforms impact patient care and make informed, evidence based  decisions on to help improve service delivery.

Primary care networks

The objective of primary care networks (PCNs) is for group practices together to create more collaborative workforces that ease the pressure of GPs, leaving them better able to focus on patient care. All areas within England are covered by a PCN.

Primary Care Networks form a key building block of the NHS long-term plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons including improving the ability of practices to recruit and retain staff, to manage financial and estates pressures, to provide a wider range of services to patients and to integrate with the wider health and care system more easily.

All GP practices have come together in geographical networks covering populations of approximately 30–50,000 patients to take advantage of additional funding attached to the GP contract. This size is consistent with the size of the primary care homes that exist in many places in the country but are much smaller than most GP federations.

This means that the Albany House Medical Centre may share your information with other practices within the Primary Care Network to provide you with your care and treatment.

Risk stratification

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g., cancer. Your information is collected by a number of sources including the Albany House Medical Centre. This information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.

Safeguarding

The organisation is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do.

Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:

• Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is:

• Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Safeguarding information such as referrals to safeguarding teams is retained by the Albany House Medical Centre when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).

Shared care

To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems.  You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent.

Telephone system

Our telephone system records all telephone calls.  Recordings are retained for up to three years and are used periodically for the purposes of seeking clarification where there is a dispute as to what was said and for staff training.  Access to these recordings is restricted to named senior staff – the Partners and Operations Manager.

CCTV

Closed-circuit television (CCTV), also known as video surveillance, is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors.  They are primarily for surveillance and security purposes.  The Practice prioritises the safety and security of all patients, staff and visitors and aims to provide environments that are safe and secure.  To this end, CCTV covers external areas such as entrances to the building and staff parking area in addition to a number of non-clinical areas inside the building.

The system operates 24 hours per day, 365 days of the year.  The CCTV installation comprises of fixed cameras, signs, recording and playing equipment and all data is held onsite.

Footage is retained for no longer than 30 days, unless it is required for evidential purposes in legal or other investigation proceedings.  Footage retained for evidential purposes will be removed from the system and retained in a secure place to which access is controlled.

Opt-outs

National opt-out facility

This is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services such as screening for bowel cancer.

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out by using one of the following:

• Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice
• Telephone service 0300 303 5678 which is open Monday to Friday between 09:00 and 17:00
• NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google play
• “Print and post” registration form: https://assets.nhs.uk/prod/documents/Manage_your_choice_1.1.pdf

Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application.  It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ.

• Getting a healthcare professional to assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings, guidance is available on NHS Digital and a proxy form is available to assist in registration.

Note: Unfortunately, the national data opt-out cannot be applied by this organisation.

General Practice Data for Planning and Research opt out (GPDPR)

The NHS needs data about the patients it treats to plan and deliver its services and to ensure that the care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. For example, patient data can help the NHS to:

• Monitor the long-term safety and effectiveness of care
• Plan how to deliver better health and care services
• Prevent the spread of infectious diseases
• Identify new treatments and medicines through health research

GP practices already share patient data for these purposes but this new data collection will be more efficient and effective. This means that GPs can get on with looking after their patients and NHS Digital can provide controlled access to patient data to the NHS and other organisations who need to use it, to improve health and care for everyone.

Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.

NHS Digital has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.

What patient data is shared about you with NHS Digital?

The collection date is still to be confirmed, although when it has been, patient data will be collected from GP medical records about:

• Any living patient registered at a GP practice in England when the collection started – this includes children and adults
• Any patient who died after the data collection started and was previously registered at a GP practice in England when the data collection started

They will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, postcode and date of birth, is replaced with unique codes that are produced by de-identification software before the data is shared with NHS Digital.

This process is called pseudonymisation and means that no one will be able to directly identify you from the data. The diagram below helps to explain what this means. The diagram below helps to explain what this means and using the terms in the diagram, the data we share would be described as de-personalised.

The data collected by NHS Digital

We will share structured and coded data from GP medical records that is needed for specific health and social care purposes as explained above.

Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS Digital. This means that no one will be able to directly identify you in the data.

NHS Digital will collect:

• Data on your sex, ethnicity, and sexual orientation
• Clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls and appointments including information about your physical, mental, and sexual health
• Data about the staff who have treated you

More detailed information about the patient data collected is contained within the Data Provision Noticed issued to GP practices.

NHS Digital will not collect:

• Your name and address (except for your postcode in unique coded form)
• Written notes (free text) such as the details of conversations with doctors and nurses
• Images, letters and documents
• Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
• Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment and certain information about gender re-assignment

NHS Digital legal basis for collecting, analysing and sharing patient data

When NHS Digital collects, analyses, publishes and shares patient data, there are strict laws in place that it must follow. Under the UK General Data Protection Regulation (UK GDPR), this includes explaining to patients what legal provisions apply under UK GDPR that allows it to process patient data. The UK GDPR protects everyone’s data.

NHS Digital has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP practices for health and social care purposes including policy, planning, commissioning, public health and research purposes. NHS Digital is the controller of the patient data collected and analysed under the GDPR jointly with the Secretary of State for Health and Social Care.

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.

NHS Digital has various powers to publish anonymous statistical data and to share patient data under sections 260 and 261 of the 2012 Act. It also has powers to share data under other Acts, for example the Statistics and Registration Service Act 2007.

Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) also allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency. The Secretary of State has issued legal notices under COPI (COPI Notices) requiring NHS Digital, NHS England and Improvement, arm’s-length bodies (such as Public Health England), local authorities, NHS trusts, clinical commissioning groups and GP practices to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use confidential patient information.

How NHS Digital uses patient data

NHS Digital will analyse and link the patient data we collect with other patient data we hold to create national data sets and for data quality purposes. NHS Digital will be able to use the de-identification software to convert the unique codes back to data that could directly identify patients in certain circumstances for these purposes, where this is necessary and where there is a valid legal reason. There are strict internal approvals which need to be in place before NHS Digital can do this and this will be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD).

These national data sets are analysed and used by NHS Digital to produce national statistics and management information including public dashboards about health and social care which are published. NHS Digital never publish any patient data that could identify any individual. All data they publish is anonymous statistical data.

For more information about data NHS Digital publish see Data and Information and Data Dashboards.

Who does NHS Digital share patient data with?

All data that is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will be shared.

All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHS Digital’s Data Access Request Service to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.

These requests for access to patient data will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.

There are several organisations that are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:

• The Department of Health and Social Care and its executive agencies including Public Health England and other government departments
• NHS England and NHS Improvement
• Primary care networks (PCNs), clinical commissioning groups (CCGs) and integrated care organisations (ICOs)
• Local authorities
• Research organisations including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies

If the request is approved, the data will either be made available within a secure data access environment within the NHS Digital infrastructure or, where the needs of the recipient cannot be met this way, as a direct dissemination of data. NHS Digital plan to reduce the amount of data being processed outside central, secure data environments and increase the data it makes available to be accessed via its secure data access environment.

Data will always be shared in the uniquely coded form (de-personalised data in the diagram above) unless in the circumstances of any specific request it is necessary for it to be provided in an identifiable form (personally identifiable data in the diagram above), for example, when express patient consent has been given to a researcher to link patient data from the General Practice for Planning and Research collection to data the researcher has already obtained from the patient. It is therefore possible for NHS Digital to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason which permits this without breaching the common law duty of confidentiality. This would include:

• Where the data is needed by a health professional for the patient’s own care and treatment
• Where the patient has expressly consented to this, for example to participate in a clinical trial
• Where there is a legal obligation, for example where there are COPI Notices
• Where approval has been provided by the Health Research Authority or the Secretary of State with support from the Confidentiality Advisory Group (CAG) under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) – this is sometimes known as a ‘section 251 approval’

This would mean that the data was personally identifiable in the diagram above. Re-identification of the data would only take place following approval of the specific request through the Data Access Request Service and subject to independent assurance by IGARD and consultation with the Professional Advisory Group which is made up of representatives from the BMA and the RCGP. If patients have registered a national data opt-out this would be applied in accordance with the national data opt-out policy before any identifiable patient data (personally identifiable data in the diagram above) about the patient was shared.

Details of who NHS Digital have shared data with, in what form and for what purposes are published on their data release register. 

Where does NHS digital store patient data?

NHS Digital only stores and processes patient data for this data collection within the United Kingdom (UK). Fully anonymous data (that does not allow patients to be directly or indirectly identified), for example statistical data that is published, may be stored and processed outside of the UK.

Some of the NHS Digital processors may process patient data outside of the UK. If they do, they will always ensure that the transfer outside of the UK complies with data protection laws.

What to do if you have any questions

Should you have any questions about our privacy policy or the information we hold about you, you can:

• Contact the Practice by writing to: the Albany House Medical Centre, 3 Queen Street, Wellingborough, Northamptonshire, NN8 4RW. GP practices are data controllers for the data they hold about their patients.
• Write to the data protection officer at: [email protected]
• Ask for a call back from the Practice Manager or Assistant Practice Manager to discuss.

The data protection officer (DPO) for the Albany House Medical Centre is Paul Couldrey of PCDC.

Objections or complaints

In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the Assistant Practice Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113.

The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

Changes to our privacy policy

We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes.

This policy was last reviewed on 31 March 2022.

The Summary Care Record (SCR) is an electronic record which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had.

Why do I need a Summary Care Record?

Storing information in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed.

This information could make a difference to how a doctor decides to care for you, for example which medicines they choose to prescribe for you.

Who can see it?

Only healthcare staff involved in your care can see your Summary Care Record.

How do I know if I have one?

Over half of the population of England now have a Summary Care Record. You can find out whether Summary Care Records have come to your area by looking at our interactive map or by asking your GP

Do I have to have one?

No, it is not compulsory. If you choose to opt out of the scheme, then you will need to complete a form and bring it along to the surgery. You can use the form at the foot of this page.

More Information

For further information visit the NHS Digital Website.

Summary Care Record Opt-out form