Lung Health Checks

The Importance of Lung Health Checks Attending a lung health check can lead to early diagnosis and successful treatment of respiratory conditions. Telephone Assessment A telephone assessment is a crucial step in the healthcare process that involves a 20-minute conversation with a trained nurse.

Practice Fair Processing & Privacy Notice

Dr Sims and Partners has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff within this practice maintain records about your health and the treatment you receive in electronic and paper format.   

This website collects some personal data from users, as stated in our website provider’s Privacy Policy.

Your information, your rights

Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR). 

The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.

This notice reflects how we use information for:

  • The management of patient records;
  • Communication concerning your clinical, social and supported care;
  • Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
  • Participation in health and social care research; and
  • The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future.

Data Controller

As your registered GP practice, we are the data controller for any personal data that we hold about you.

What information do we collect and use?

All personal data must be processed fairly and lawfully, whether received directly from you or from a third party in relation to your care.

We will collect the following types of information from you directly, or about you from a third party (provider organisation) engaged in the delivery of your care:

  • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data.  This includes, but is not limited to name, date of birth, full postcode, address, next of kin and [NHS number/HCN number/ CHI number];
  • ‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

How the NHS and care services use your information

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g., from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services).  These records may be electronic, a paper record or a mixture of both.  We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

Dr Sims and Partners is one of many practices working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

National Data Opt-Out

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Our organisation is currently compliant with the national data opt-out policy.

Why do we collect this information?

The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training.  To do this we will need to process your information in accordance with current data protection legislation to:

  • Protect your vital interests;
  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
  • Perform tasks in the public’s interest;
  • Deliver preventative medicine, medical diagnosis, medical research; and
  • Manage the health and social care system and services.

Who will we share your information with?

In order to deliver and coordinate your health and social care, we may share information with the following organisations:

  • Local GP Practices, as part of a Primary Care Network (PCN), in order to deliver extended primary care services
  • NHS Secondary Care, i.e. Hospitals
  • 111 and Out of Hours Service
  • Local Social Services and Community Care services
  • Voluntary Support Organisations commissioned to provide services by [Mid & South Integrated Cared System]

Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.

Your information will not be transferred outside of the European Union.

Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care.

In addition, we receive data from NHS Digital (as directed by the Department of Health) such as the uptake of flu vaccinations and disease prevalence in order to assist us to improve “out of hospital care”.

My Care Record

Your GP, hospital, community health, mental health and social care teams may all hold records about your care separately. Often, only health and care professionals within the same organisation can see this information. This means it can be difficult for them to work together to deliver the best care.

My Care Record is an approach to improving care by joining up health and care information. Wherever possible, health and care professionals will be able to access your records from other services when it is needed for your care. This will make it easier and faster for them to make the best decisions. For example, a doctor treating you in hospital or a nurse working in the community could view the information they need from your GP record.

Several different secure computer systems are used across the region. These allow health and care professionals to digitally access your records held by other services. In some areas systems are already in place, in other areas more work is underway to invest in the technology needed.

The approach also provides an agreement between all the health and care organisations involved. This means they commit to sharing information in a secure way to help improve your care.

The My Care Record approach is in line with General Data Protection Regulation (GDPR) which provides the legal basis to share information between health and care services when it is needed to deliver care. All your information will be held securely.

You can object to your record being shared between services. To do this, speak to the person delivering care to you at each organisation such as your GP, specialist or social worker.

It is important to understand that not allowing access to your information may affect the quality of the care you receive.

In many situations it is necessary to share information between services to deliver care. However, it may be possible to request that specific or sensitive information is not made available.

There may also be some situations where information still needs to be made available. For example, if there is a serious concern about an individual’s safety. Please see the My Care Record website www.mycarerecord.org.uk for more information.

More information about the areas where your information may be used can be found on the My Care Record website My Care Record: Privacy Notice

Primary Care Networks

Many people are living with long term conditions such as diabetes and heart disease or suffer with mental health issues and may need to access their local health services more often.

To meet these needs, GP practices are working together with community, mental health, social care, pharmacy, hospital, and voluntary services in their local areas in groups of practices known as primary care networks (PCNs).

PCNs build on existing primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care for people close to home. Clinicians describe this as a change from reactively providing appointments to proactively caring for the people and communities they serve.

We are part of the East Basildon PCN (Primary Care Network) which is a network of GPs practices established to provide integrated services to the local population. Members of the network are:

  • Dr Sims and Partners
  • Felmores Medical Centre
  • Aryan Medical Centre
  • Matching Green Surgery

By operating as a network, we as the PCN are responsible for delivering the following services working collaboratively with other providers:

Social Prescribing; Covid Vaccination Programme; First Contact Physiotherapy; First Contact Psychological Wellbeing Practitioner

Where necessary and relevant to support your direct care, we will share your confidential patient information with members of our network and with our collaborative organisations to support safe, efficient and effective care and treatment.

If you are not happy for your health data to be shared with the organisations detailed above if you wish to access PCN services, then you can object to this. To do so you should contact your registered Practice so they can discuss the potential impact this could have on your care and treatment.

Data Processors

Data processors act on behalf of the Practice, as a data controller and under our authority. In doing so, they serve our interests rather than their own. A processor can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual, for example a consultant.

The following is a list of processors that the practice has engaged, and a description of the work they carry out on our behalf:

  • The Phoenix Partnership (TPP)
    • SystmOne (GP clinical system) – The practice uses a computer system to record and store patient’s clinical information, this is provided by TPP. All information recorded within the system is held on TPP servers, accessible to the practice over the secure Health and Social Care Network (HSCN). All data processed by TPP is used and stored within the UK.
  • Mid & South Essex Integrated Care Board (ICB)
    • Information Governance (IG) [& Data Protection Officer (DPO)] Services – The IG service supports the practice with GDPR and Data Protection compliance, including advice and assistance with breaches of legislation, data subjects’ rights and other data protection issues raised by patient’s or public, as well as helping with completion of the Data Security & Protection Toolkit, and data protection impact assessments. [The DPO service provides a named experienced IG professional within the team to act on behalf of the practice as their Data Protection Officer, to assist monitoring internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).]
  • Arden & GEM Commissioning Support Unit (CSU)
    • Primary Care Enabling Services (IT) – The IT service includes access to the secure network (including HSCN) and cyber security, including electronic storage of information on hosted servers.
    • Business Intelligence (BI) – The BI function within the CSU, receives pseudonymised patient data, combines this with other pseudonymised data sets provided by the ICB (including hospital, community, mental health and ambulance data), then supports practices with analysis of that information, in order for the practice to better target services to their population. This includes population health management and risk stratification (more detail on these programmes of work is available below).
  • NHS Digital
    • Data Services for Commissioners Regional Office (DSCRO) – Hosted within Arden & GEM CSU, but contracted to work for NHS Digital, the DSCRO receives clear patient identifiable information and applies a key to scramble this information, this is called pseudonymisation and renders the data essentially anonymous although still linkable across other datasets pseudonymised using the same key. This data is then shared with the CSU BI Team for linkage and analysis.
    • NHSmail – Provides the practice with a secure email service, common across much of the NHS. This includes access to Microsoft Teams and other software.
  • E-Consult
  • E-Consult provides a text-based clinical consultation service which guides patients through a consultation algorithm to assess their symptoms and recommend appropriate next steps, which may include arranging a GP appointment, self-care advice or signposting to other services (e.g. NHS111, pharmacies etc.). It does not facilitate real-time consultations between patients and GPs but does make GPs aware of all assessments undertaken on their patients.
  • iGPR
  • iGPR The iGPR Managed Service Solution enables GP surgeries to devolve to iGPR Technologies Ltd (iGPR), the administrative workload involved in responding to requests for medical reports based on the patient medical record from Requesting Third Parties (RTP) with informed patient consent in place, and Data Subject Access Requests (DSARs) received from Requesting Third Parties acting on behalf of the patient or directly from the patient themselves.
  • Lloyd George Paper Medical Record Digitalisation Project
  • Mid and South Essex ICB have secured funding to enable GP practices in the area to fully digitalise their paper records across a two year period. The contract is between the ICB and NEC Software Solutions. This process is already underway in the area and due for completion in April 2024.

        The advantages to undertaking this project are:

  1.  Safer care for patients by having all notes available digitally.
  2.  Reduction in loss of and/or damaged notes
  3.  Free up space in practices currently taken up with notes storage by converting  patient records rooms into additional clinical capacity.
  4.  Secure, cloud based storage of patients confidential data.

On completion of the digitisation process, paper based records will be securely    destroyed. The scanning and destruction of the paper records will follow strict data protection guidelines adhered to by the NHS.

Any new records received by the Practice after the initial project is complete will be also digitalised on an ongoing basis.

If you have any questions or concerns about this process, please do not hesitate to contact the practice manager. Her email address is [email protected] or she can be contacted by calling the practice number

ACR project for patients with diabetes (and/or other conditions)

  • The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes.

The programme enables patients to test their kidney function from home. We will share your contact details with Healthy.io to enable them to contact you and send you a test kit. 

This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. Healthy.io will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from Healthy.io we will continue to manage your care within the Practice.

Healthy.io are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care.

Further information about this is available at: https://lp.healthy.io/minuteful_info/.

You have the right to object to data processors handling your personal information, though bear in mind that this is not an absolute right, the practices legitimate grounds can override objections raised. Please raise any issues with the practice manager who will arrange for a discussion and consideration of any objections. Further information on this right is available here:

https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information that has been collected lawfully.  Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.  We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

Information is not held for longer than is necessary.   We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

Consent and Objections

Do I need to give my consent?

The GDPR sets a high standard for consent.  Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation.  However, consent is only one potential lawful basis for processing information.  Therefore, your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice.  Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice.  Your consent will be documented within your electronic patient record.

What will happen if I withhold my consent or raise an objection?

You have the right to write to withdraw your consent to any time for any particular instance of processing, provided consent is the legal basis for the processing.  Please contact your GP Practice for further information and to raise your objection.

Population Health Management

Population Health Management (PHM) – is helping us understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined up and sustainable health and care services and make better use of public resources.

We use historical and current patient level data to understand what factors are driving poor outcomes in different population groups, we then design new proactive models of care which will improve health and wellbeing. This could be by stopping people becoming unwell in the first place, or, where this isn’t possible, improving the way the system works together to support them.

This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice or health/care provider will be able to see your personal information in order to offer this service to you.

In order to carry out this data linkage, your pseudonymised data will be passed to Arden & GEM Commissioning Support Unit, part of NHS England, who will link this to other local and national data sources to be able to carry out appropriate analyses.

PHM is a partnership approach across the NHS and other public services, the outputs of the PHM programme will be shared across these organisations. All have a role to play in addressing the interdependent issues that affect people’s health and wellbeing.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the population health management tools used by the ICB include:

  • Age
  • Gender
  • GP Practice, Community and Hospital attendances and admissions
  • Medications prescribed
  • Medical conditions (in code form) and other things that affect your health.

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

Section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002 allows the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes. In practice, this means the person responsible for the information can disclose confidential patient information without consent to an applicant without being in breach of the common law duty of confidence, if the requirements of the regulations are met. The person responsible for the information must still comply with all other relevant legal obligations such as the Data Protection Act 2018 and the Human Rights Act 1998.

A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

There is no requirement for a legal basis for use of the aggregated information which is available to the ICB as this does not identify individuals.

Data Processing Activities

The practice processes this data internally.

Data is also processed by Arden & GEM Commissioning Support Unit and Mid and South Essex ICB.

Opt-out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the PHM service (even though it is in a format which does not directly identify you) you can choose to opt-out.

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, please inform the practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.

Sub-licensing

Integrated Care Systems (ICSs) are partnerships that bring together providers and commissioners of NHS services across a geographical area with local authorities and other local partners to collectively plan health and care services to meet the needs of their population. The central aim of the ICS is to integrate care across different organisations and settings, joining up hospital and community-based services, physical and mental health, and health and social care. All parts of England are now covered by one of 42 ICSs.

The new Health and Care act 2022 established 42 Integrated Care Boards (ICBs) across England as statutory bodies and abolished the 106 Clinical Commissioning Groups (CCGs). The ICB will take on the NHS commissioning functions of the former CCGs as well as some of NHS England’s commissioning functions. It will also be accountable for NHS spend and performance within the system. The Board of the ICB will, as a minimum, include a chair, the CEO and representatives from NHS providers, general practice and local authorities.

In order to assure a smooth transition to the new commissioning landscape, the ICB need to be able to share data with providers and local authorities within their ICS so they are fully able to contribute to commissioning decisions.

The ICS Sub-License approach will allow the ICB to share data they receive from NHS Digital via their commissioning agreements with members of their ICS. This will be limited to pseudonymised commissioning data without the provider unique local patient id included.

Re-identification – This is permitted but the ICB will be responsible for determining which users will have this ability. They must be a health or social care professional with a legitimate (direct care) relationship to the patient.

It is important to note that direct care relies on the “implied consent” legal basis. Therefore, the patient must be aware of this relationship through clear communication.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information used by the ICS Partners include:

  • Age
  • Gender
  • GP Practice, Community and Hospital attendances and admissions
  • Medications prescribed
  • Medical conditions (in code form) and other things that affect your health.

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

The legal basis for sharing the data with ICS members is:

Article 6 (1) (e) – processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller

and Article 9 (2) (h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Data Processing Activities

The ICB processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit.

The ICS Partners currently involved in the Sub-Licensing process are:

  • Essex County Council
  • Southend City Council
  • Thurrock Council
  • Mid and South Essex NHS Foundation Trust
  • East of England Ambulance
  • Essex Partnership University NHS Foundation Trust
  • North East London NHS Foundation Trust
  • Provide CiC

The ICS Partners will become Data Controllers in their own right for the data received under the sub-licensing, however certain rules will apply to this:

  • Onward sharing of the data by ICS members is not permitted.
  • Data must be segregated from other datasets and additional linkage is not permitted.

Opt out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included (even though it is in a format which does not directly identify you) you can choose to opt-out.

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, please inform your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.

Health Risk Screening / Risk Stratification

Health Risk Screening or Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.

The ICB also uses risk stratified data to understand the health needs of the local population to plan and commission the right services. This is called risk stratification for commissioning.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.

There is currently s251 support in place for the ICB to be able to receive data with the NHS Number as an identifier from both NHS Digital and the GP Practice to enable this work to take place.  The Data is sent directly into a risk stratification tool from NHS Digital /GP Practices to enable the data to be linked and processed as described above.  Once the data is within the tool ICB staff only have access to anonymised or aggregated data.

GPs can identify individual patients from the risk stratified data when it is necessary discuss the outcome and consider preventative care.

Your GP will use computer-based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third-party accredited Risk Stratification provider.  The risk stratification contracts are arranged by Mid and South Essex Integrated Care Board in accordance with the current Section 251 Agreement. Neither the CSU nor your local Integrated Cared Board (ICB) will at any time have access to your personal or confidential data.  They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

Your GP will routinely conduct the risk stratification process outside of your GP appointment.  This process is conducted electronically and without human intervention.  The resulting report is then reviewed by a multidisciplinary team of staff within the Practice.  This may result in contact being made with you if alterations to the provision of your care are identified.

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information put into the risk stratification tools used by the ICB:

  • Age
  • Gender
  • GP Practice and Hospital attendances and admissions
  • Medications prescribed
  • Medical conditions (in code form) and other things that affect your health.

Legal Basis

Statutory requirement for NHS Digital to collect identifiable information.

A Section 251 approval (CAG 2-03(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority, enables the use of pseudonymised information about patients included in the datasets.

Data Processing Activities

The practice processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit and Prescribing Services Ltd on behalf of the practice.

Opt-out details

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do not wish your data to be included in the risk stratification service (even though it is in a format which does not directly identify you) you can choose to opt-out.

In this case, because pseudonymised data is being used, the National Data Opt-Out does not apply.

Instead, please inform your GP practice who will apply an opt-out code to your record to ensure that your information is not included in the programme.

As mentioned above, you have the right to object to your information being used in this way.  However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care.  Please contact the Practice Manager to discuss how disclosure of your personal data can be limited

GP Connect

GP Connect allows authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently.

It makes patient information available to all appropriate clinicians when and where they need it, leading to improvements in both care and outcomes. GP Connect can only be used to share patient information for direct care purposes, not for any other reasons such as planning or research. 

From a privacy, confidentiality, and data protection perspective, GP Connect provides a method of secure information transfer and reduces the need to use less secure or less efficient methods of transferring information, such as email or telephone.  

Examples of organisations that may wish to use GP connect to view GP patient records include:

  • GP surgeries that patients are not registered at – for example, if they need to see a doctor when they are away from home.
  • secondary care (hospitals) if they need to attend A&E or are having an operation.
  • GP hubs/primary care networks (PCNs)/integrated care systems (ICSs), partnerships between healthcare providers and local authorities.
  • local ‘shared care‘ record systems.
  • ambulance trusts, so paramedics can view GP patient records in an emergency.
  • healthcare professionals such as community services.
  • acute and emergency care service providers.
  • NHS 111.
  • Pharmacies.
  • Optometrists.
  • Dentistry.
  • Mental health trusts.
  • Hospices.
  • Social care.
  • Care and nursing homes.

All access to your GP patient record is stored within an audit trail at your GP practice and within the organisation that information has been shared with. If patients wish for more information about how their data has been shared using GP Connect, they may need to contact both organisations.

Further information on GP Connect can be found on the following link:

https://digital.nhs.uk/services/gp-connect

Type of Information Used

Different types of commissioning data are legally allowed to be used by different organisations within, or contracted to, the NHS. Information used by the ICS Partners include:

  • Patient details
  • Summary
  • Notes
  • Allergies & adverse reactions; Clinical terms; Encounters; Immunisations; Medication; Observations; Problems; Referrals
  • Access Record: provides access to ‘sections’ of a patient record in a structured format.

Legal basis

The legal basis for sharing personal data is the delivery of direct care, supported by:

Article 6 (1) (e) – processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller

and Article 9 (2) (h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Confidentiality

Confidentiality and trust are essential to the relationship between GPs and their patients.

The information a patient provides to their GP is confidential, and they can expect that any information that is shared for their direct care will remain confidential.

GP Connect relies on ‘implied consent’.

Explicit consent is not required when information is shared for a direct care purpose. If a patient does not want their information to be shared using GP Connect, they can opt out.

The NDSA and its terms and conditions stipulate that any information received or accessed about a patient for direct care purposes must remain confidential.

In addition to the NDSA, health and social care professionals are also subject to their own professional codes of confidentiality and are aware that any information received via GP Connect is provided in confidence, which must be respected.

Organisations using GP Connect are notified of their duty as ‘controllers’ to be fair and transparent about their processing of their patients’ information and to ensure that their transparency notices are fully updated with how they may be using GP Connect functionality.

Opting out of GP Connect

If patients do not wish their information to be shared using GP Connect, they can opt out by contacting their GP practice.

National Data Opt-out

The National Data Opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.

The National Data Opt-out only applies to any disclosure of data for purposes beyond direct care, so having National Data Opt-out will not prevent your GP patient record being shared via GP Connect.

Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept in most places where you receive healthcare.  Our local electronic systems (such as SystmOne, EMIS and Eclipse) enables your record to be shared with organisations involved in your direct care, such as:

  • GP practices
  • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
  • Child health services that undertake routine treatment or health screening
  • Urgent care organisations, minor injury units or out of hours services
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Mental Health Trusts
  • Hospitals
  • Social Care organisations
  • Pharmacies

In addition, NHS England have implemented the Summary Care Record which contains information including medication you are taking and any bad reactions to medication that you have had in the past.

In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, considering all aspects of a person’s physical and mental health.  Many patients are understandably not able to provide a full account of their care or may not be able to do so.  The shared record means patients do not have to repeat their medical history at every care setting.

Your record will be automatically setup to be shared with the organisations listed above, however you have the right to ask your GP to disable this function or restrict access to specific elements of your record.  This will mean that the information recorded by your GP will not be visible at any other care setting. 

You can also reinstate your consent at any time by giving your permission to override your previous dissent. 

Your Right of Access to Your Records

The Data Protection Act and General Data Protection Regulations allows you to find out what information is held about you including information held within your medical records, either in electronic or physical format.  This is known as the “right of access”.  If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information.  This can be your GP, or a provider that is or has delivered your treatment and care.  You should however be aware that some details within your health records may be exempt from disclosure, however this will in the interests of your wellbeing or to protect the identity of a third party.  If you would like access to your GP record, please submit your request in writing to:

The Administration Team

Dr Sims and Partners, East and West Wings, Dipple Medical Centre, Wickford Avenue, Pitsea, Essex, SS13 3HQ

Email address: [email protected]

Right of Rectification and Erasure

Following a Subject Access Request, or in other circumstances, should you notice anything in your records that you consider to be incorrect, please get in touch with the practice manager (details above) to discuss how this could be reviewed and potentially rectified.

In most circumstances, information would not be able to be removed, as decisions may have been taken with that information in mind, but a note can be added to records to indicate alternative situations.

Data Protection Officer

A Data Protection Officer (DPO) is a role appointed within by public bodies, to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

The practices Data Protection Officer (DPO) is Jane Marley, Head of IG at the ICB.

To contact the DPO, please use the following email address:

[email protected]

Complaints

In the event that your feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager at:

The Practice Manager

Dr Sims and Partners, East and West Wings, Dipple Medical Centre, Wickford Avenue, Pitsea, Essex, SS13 3HQ

[email protected]

Information Commissioners Office

The Information Commissioners Office (ICO) is the national authority overseeing Data Protection and Freedom of Information in the UK.

You are able to raise complaints and concerns directly with them, and information on how to do so is available here:

https://ico.org.uk/make-a-complaint/

Parliamentary Health Service Ombudsman

The Ombudsman is independent of government and the NHS.  The service is confidential and free of charge.  There are time limits for taking a complaint to the Ombudsman although this can be waived if there is good reason to do so.  If you have questions about whether the Ombudsman will be able to help you, or about how to make a complaint, you can contact:

Further information about the ombudsman is available at Ombudsman

You can write to the Ombudsman at:

The Parliamentary and Health Service Ombudsman,

Millbank Tower, Millbank, London, SW1P 4QP