Comments and Complaints Policy and Procedure
Comments and Complaints
We welcome your views and constructive suggestions which will help us improve our service to you. There is a suggestion / comments box located in reception for this purpose.
Practice Complaints Procedure:
If you have a complaint about the service you have received from any of the doctors or staff working at this Practice, please let us know. We operate a Practice complaints procedure as part of the NHS system for dealing with complaints. Our procedure meets national criteria.
We hope that most problems can be sorted out easily and quickly, preferably at the time they arise and with the person concerned. If your problem cannot be sorted out in this way and you wish to make a complaint, we would like you to let us know as soon as possible, ideally within a matter of days, or at the most a few weeks, as this will enable us to establish what happened more easily.
If it is not possible to do that, please let us have details of your complaint:
- Within 12 months of the incident that caused the problem, or
- Within 12 months of discovering that you have a problem.
Complaints should be addressed to the Practice Manager, Vanessa Graham in the first instance, or one of the doctors. Alternatively, you may ask for an appointment with the Practice Manager in order to discuss your concerns. She will explain the complaints procedure to you and will ensure your concerns are dealt with promptly. It will be a great help if you are as specific as possible about your complaint.
Mechanism for dealing with a complaint:
We shall acknowledge your complaint within 3 working days and aim to have looked into your complaint within 10 working days of the date when you raised it with us. We shall then be in a position to offer you an explanation, or a meeting with the people involved.
When we look into your complaint, we shall aim to:
- Find out what had happened and what went wrong;
- Agree a plan on how your complaint will be dealt with and the timescales involved;
- Make it possible for you to discuss the problem with those concerned, if you would like this;
- Make sure you receive an apology where appropriate;
- Identify what we can do to make sure the problem doesn’t happen again.
Complaining on behalf of someone else
Please note that we keep strictly within the rules of medical confidentiality. If you are complaining on behalf of someone else, we have to know that you have their permission to do so. A note signed by the person concerned will be needed, unless they are incapable (because of illness) of providing this or in the case of a minor.
Complaining to the Primary Care Trust:
We hope that if you have a grievance you will use our Practice complaints procedure. We believe this will give us the best chance of correcting whatever has gone wrong and an opportunity to improve our Practice. Nevertheless, this does not affect your right to approach Sunderland CCG.
If you feel you cannot raise your complaint with us, you can raise the complaint through the NHS Customer Service Centre on 0300 311 2233.
In addition, ICAS (Independent Complaints Advocacy Service) are available to help you through the complaints process. Their services are free of charge and they can be contacted on 0808 802 3000 or at
Room 312, Aidan House, Sunderland Road, Gateshead, Tyne & Wear, NE8 3HU
If you are dissatisfied with the result of our investigation you can contact the Parliamentary and Health Service Ombudsman:
- By telephone: 0345 015 4033; or
- In writing to:
The Parliamentary and Health Service Ombudsman,
SW1P 4QP; or
- By email: [email protected]
Data Protection Legislation is Changing
What is Changing?
From the 25th May, the current UK Data Protection Act 1998 is being replaced by the EU General Data Protection Regulation (GDPR) and Data Protection Act 2018.
The new legislation is very similar to the 1998 Act but provides some enhanced rights for individuals around how the Practice uses your information.
Why do we Need your information?
The NHS Act 2006 and Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service to improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education & training. To do this we will need to process your information in accordance with current data protection legislation to:
Protect your vital interests:
- Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or vulnerable adult
- Performs tasks in the public’s interests
- deliver preventative medicine, medical diagnosis, medical research; and
- Manage the health and social system and services.
Should require any further information on GDPR or Data Protection Act, this can be found on the Information Commissioner’s Office (ICO) website:
You can also contact the Practices Data Protection Officer. When contacting the Data Protection Officer please ensure that you include the details of the Practice.
Data Protection Officer: Mr James Carroll
Tel No: 0191 404 1000 Ext 3436
Email address: [email protected]
Data Protection Policy
|means Grangewood Surgery, a registered Practice.
|means the General Data Protection Regulation.
|Data Protection Act
|Means the Data Protection Act 2018
|Data Protection Lead
|means Dr John Mackay
|Register of Processing
|means a register of all systems or contexts in which personal data is processed by the Practice.
Grangewood Surgery is a General Practitioner contracted by NHS England to provide General Medical Services. The personal data that Grangewood Surgery processes to provide these services relates to its patients, relatives and Practice staff.
This policy sets out Grangewood Surgery commitment to ensuring that any personal data, including special category personal data, which Grangewood Surgery processes, is carried out in compliance with data protection law. Grangewood Surgery is committed to ensuring that all the personal data that it processes is done in accordance with data protection law. Grangewood Surgery ensures that good data protection practice is imbedded in the culture of our staff and our organisation.
Grangewood Surgery other data protection policies and procedures are (these should be considered and may not all be necessary):
- record of processing activities (data mapping/data flow documentation)
- privacy notices (website, clients, employees)
- personal data breach reporting process and a breach register
- data retention policy (NHS Records Management Code of Practice)
- data subject rights procedure
- data protection impact assessment process (DPIA Template on Team Net)
- IT security policies (NECS Acceptable User / Security Policies)
‘Data Protection Law’ includes the General Data Protection Regulation 2016/679; the UK Data Protection Act 2018 and all relevant EU and UK data protection legislation.
This policy applies to all personal data processed by the Practice. All staff are expected to comply with this policy and failure to comply may lead to disciplinary action up to and including dismissal.
1. Data protection principles
The Practice is committed to processing data in accordance with its responsibilities under the Data Protection Act and General Data Protection Regulations (GDPR).
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
2. General Provisions
- This policy applies to all personal data processed by the Practice.
- The Data Protection Lead shall take responsibility for the Practice’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- The Practice shall register with the Information Commissioner’s Office as an organisation that processes personal data.
3. Lawful, Fair and Transparent Processing
- The Practice will publish a Privacy Notice that provides details in relation to its processing of information.
- The privacy notice shall identify:
- Details of the Data Controller
- Details of the Data Protection Officer
- Purpose of the processing
- Lawful basis for processing
- Recipients or categories of recipients of data
- Individuals rights.
- The Practice privacy notice will be reviewed and updated annually or as required following any major changes to processing activities.
- To ensure its processing of data is lawful, fair and transparent, the Practice shall maintain a Register of Processing.
- The Register of Processing shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to the Practice shall be dealt with in a timely manner in accordance with the requirements of the legislation.
4. Lawful Purposes
- All data processed by the Practice must be based on the appropriate lawful basis for both personal and special category data.
- Processing shall be based on at least on for the following:
- Legal basis for processing personal data;
- Necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation to carry out the processing.
- Necessary to protect the vital interests of the data subject or another individual.
- Necessary for the performance of a task carried out in the public interest.
- Necessary for the legitimate interests of the Practice or by a third party.
- Legal basis for processing personal data;
- Legal basis for processing special category data;
- Explicit Consent
- Necessary for the purposes of carrying out obligations in the field of employment, social security or social protection law
- Necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent.
- The data subject has deliberately put the data within the public domain.
- Necessary for the establishment, exercise or defence of legal claims.
- Necessary for reasons of substantial public interest.
- Necessary for the purposes of preventative or occupational medicine, for the assessment of working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
- Necessary for reasons of public interest in the area of public health.
- Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
- Legal basis for processing special category data;
- The Practice shall note the appropriate lawful basis in the Register of Processing.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Practice’s systems.
5. Data Minimisation
- The Practice shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- The Practice shall take reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
- To ensure that personal data is kept for no longer than necessary, the Practice shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why.
- The Practice shall ensure that personal data is stored securely.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this will be done safely such that the data is irrecoverable.
- Appropriate backup and disaster recovery solutions shall be in place.
As an individual working for, on behalf of or within, the Practice you are subject to an obligation of confidentiality and must adhere to the Data Protection Act 2018 (DPA18), General Data Protection Regulation (GDPR), Caldicott Guidelines, Records Management and NHS Information Security Procedures which form part of all employees, contractors, volunteers and honorary staff Terms and Conditions of Employment/Engagement.
All employees have a duty of confidence to patients and staff under common law. Furthermore statute law imposes legal obligations regarding confidentiality of patient data whether it is manually documented or collected and held within computer systems.
To access patient identifiable clinical information, you must have a legitimate relationship with the individual service user to whom the information relates or be part of the team providing / supporting that care. A legitimate relationship is created only when an individual is an active recipient of the service providing care. The relationship ends when the individual is discharged from that service.
At no time are you permitted to access your own or clinical information relating to friends or relatives without a legitimate relationship being in place. Access to confidential clinical information outside of a legitimate relationship is deemed unauthorised access and may be subject to disciplinary action by the Trust or in some circumstances legal action.
While you are at work you will have access to information about patients/colleagues and/or the Practice. You may come in to contact with this type of information during the course of your work or simply see, hear or read something while you are working. In these circumstances where a duty of care, either to the patient or the staff member potentially overrides the duty of confidentiality, you must discuss the matter with the Practice manager. Otherwise, you must keep this information confidential.
The Practice will establish and maintain policies and procedures to ensure compliance with the requirements contained in the NHS Data Security & Protection Toolkit.
Professional bodies (e.g. Nursing & Midwifery Council (NMC), General Medical Council (GMC)) provide additional supplementary advice and guidance for their own disciplines. These guidelines are complementary to this policy and do not conflict with this policy or legislation.
All staff are responsible for:
- protecting the integrity, availability and confidentiality of Trust information;
- acting to prevent the improper use or disclosure of information;
- following the guidance as set out in this and other related documentation;
- reporting breaches of Confidentiality through the Trust Incident Reporting procedure;
- ensuring the safe collection, storage, processing and disclosure of personal and confidential information;
- attending relevant training, induction and annual mandatory training in relation to Information Governance.
- Where necessary, informing Information Governance of any new or proposed uses of data
9. Data Subject Rights
Grangewood Surgery has processes in place to ensure that it can facilitate any request made by an individual to exercise their rights under data protection law. All staff have received training and are aware of the rights of data subjects. Staff can identify such a request and know who to send it to.
All requests will be considered without undue delay and within one month of receipt as far as possible.
Subject access: the right to request information about how personal data is being processed, including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:
- the purpose of the processing
- the categories of personal data
- the recipients to whom data has been disclosed or which will be disclosed
- the retention period
- the right to lodge a complaint with the Information Commissioner’s Office
- the source of the information if not collected direct from the subject, and
- the existence of any automated decision making
Rectification: the right to allow a data subject to rectify inaccurate personal data concerning them.
Erasure: the right to have data erased and to have confirmation of erasure, but only where:
- the data is no longer necessary in relation to the purpose for which it was collected, or
- where consent is withdrawn, or
- where there is no legal basis for the processing, or
- there is a legal obligation to delete data
Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:
- if the accuracy of the personal data is being contested, or
- if our processing is unlawful but the data subject does not want it erased, or
- if the data is no longer needed for the purpose of the processing but it is required by the data subject for the establishment, exercise or defence of legal claims, or
- if the data subject has objected to the processing, pending verification of that objection
Data portability: the right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means in a format which will allow the individual to transfer the data to another data controller. This would only apply if Grangewood Surgery was processing the data using consent or on the basis of a contract.
Object to processing: the right to object to the processing of personal data relying on the legitimate interests processing condition unless Grangewood Surgery can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Practice shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
- Responsibility for the processing of personal data
The partners of Grangewood Surgery]take ultimate responsibility for data protection.
If you have any concerns or wish to exercise any of your rights under the GDPR, then you can contact the data protection lead in the following ways:
Name James Carrol
Address DPO, Information Governance Dept
Harton Wing, South Tyneside District Hospital
Harton Lane, South Shields, NE34 0PL
Telephone 0191 404 1000 Ext 3436
NHS England require that the net earnings of doctors engaged in the practice is publicised, and the required disclosure is shown below. However it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used to form any judgement about GP earnings, nor to make any comparison with any other practice.
All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.
The average pay for GPs working in this practice in the last full financial year was £91,106 before Tax and National insurance. This is for Xero full time GPs, 6 part time GPs and 1 locum GP who worked in the practice for more than six months.
Grangewood Surgery wish to inform all patients that they have been allocated a named GP who will have overall responsibility for the care and support that our surgery provides to them.
This does not prevent you from seeing any GP in the practice as you currently do.
If you would like to know who your allocated GP is, please ask at reception or a member of staff.
Physical Health Checks for people with Severe Mental Illness (PHSMI) Data Collection
A Data Provision Notice (DPN) has been received for this new data collection.
The data, as specified by the DPN, supports a Direction from NHS England. Organisations that are in scope of the notice are legally required to comply.
All General Practices are therefore mandated to comply with this invitation and approve the collection.
As NHS Digital is collecting personal data from General Practices through this collection, we have a legal duty to be transparent and to provide patients with transparency information under GDPR about the data we are sharing with NHS Digital. For further information relating to the use of data for this collection, please go to:
Privacy Notice – Direct Care
GRANGEWOOD SURGERY – Privacy Notice – Direct Care (routine care & referrals)
|This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.
GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.
If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is allowed by the Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.
Our use of the Great North Care Record
As a partner in the Great North Care Record (GNCR), we are required to request and share your information from and with other relevant parties who are part of your care provision and ongoing support. This includes NHS Providers (such as General Practitioners, Acute Health Providers, Ambulance Services and Mental Health Care Providers) as well as local authorities who provide social care.
Full details of the member organisations of the GNCR, what data may be viewed across the GNCR network, and what are the benefits to being part of the GNCR are available from the GNCR website – https://www.greatnorthcarerecord.org.uk/
If you wish to opt-out of your data being shared via the GNCR, or you wish to speak to someone about this use of your data you can contact the practice manager. Please note that this will only prevent your information being shared via the GNCR and will not opt you out of sharing with those organisations who are currently providing you with your care, or may provide it in the future. Your consent is not required to do this as it is necessary to ensure you receive the safest and highest quality of care and treatment.
Exclusion from the GNCR may have a detrimental effect on the service we can provide to you. We will always seek to comply with your request, but in some circumstances there may be additional reasons where the sharing of your information may be necessary, for example a Court Order or where information is required to be shared should there be a concern that yourself or others are at risk of harm.
Shared PCN Clinical Services
As a partner practice in Coalfields Primary Care Network (PCN) we will share your information with other shared services within the PCN who are part of your care provision and ongoing support. Where you engage with these services, your healthcare information will be held within a common system that can be accessed by all practices within the PCN.
All individuals who will have access to your records via PCN shared services are bound be the same requirements to maintain the confidentiality of your information as the staff within your practice.
The information held about you is used to provide health and social care, for the management of the services that the PCN provide, the management of the NHS, and also for public health reasons. It may also be used to contact you regarding the provision of these services.
Where you are receiving care from PCN shared services, information relating to the care provided will be added to your practice clinical record.
Information about you held within the PCN Clinical system will be accessed by authorised individuals who are involved in providing direct care to you or who support the provision of direct care or the management of these services. This will include:
· Doctors and nurses who provide you with treatment
· Other clinical staff such as Pharmacists and Radiologists
· Clinical Managers
Coalfields PCN consists of the following practices:
To access any of your healthcare information held within the PCN Shared services, please contact the practice manager.
General Practice Data for Planning and Research
Grangewood Surgery is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending the Practice, Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment and to ensure that the standards of service provided are of the highest quality. Your data may be used to contact you about your experiences of using such services via surveys and questionnaires.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
• improving the quality and standards of care provided
• Monitor the long-term safety and effectiveness of care
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• plan how to deliver better health and care services
• prevent the spread of infectious diseases
• identify new treatments and medicines through health research
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
The data is collected about any living patient registered at a GP practice in England when the collection of data started and any patient who dies after the collection of data started.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, full postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it leaves the practice. In some circumstances and where allowed by legislation organsiations such as NHS Digital will be able to convert the unique codes back to identifiable information.
Further information can be found on the NHS Digital Website by clicking this link:
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
If you do not want your identifiable patient data to be shared outside of the practice for purposes other than the provision of care please ask the practice for a form to register your Type 1 Opt-out preference.
For further information on the National Opt-Out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
· See what is meant by confidential patient information
· Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
· Find out more about the benefits of sharing data
· Understand more about who uses the data
· Find out how your data is protected
· Be able to access the system to view, set or change your opt-out setting
· Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
· See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is currently’ compliant with the national data opt-out policy.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
What we hold about you:
We hold the following types of information about you:
· Basic details about you, such as your name, date of birth, NHS Number
· Contact details such as your address, telephone numbers, email address
· Contact details of your ‘Next of Kin’, a close relative, friend or advocate
· Contacts we have had with you; scheduled and unscheduled appointments
· Details about your care; treatment and advice given and referrals made
· Results of investigations, eg blood tests
· Relevant information from people who care for you and know you well
|1) Data Controller
Houghton le Spring
Tyne & Wear DH4 4RB
|2) Data Protection Officer contact details
0191 404 1000 Ext 3436
3) Purpose of the processing
Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
4) Lawful basis for processing
|The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1) (e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
Article 9(2) (h) ‘…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|5) Recipient or categories of recipients of the processed data
|The data will be shared with Health and Social care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care and with Social Care Providers For example:
Sunderland Royal Hospital
Queen Elizabeth Hospital
Royal Victoria Infirmary
James Cook Hospital
All other Clinics used for the purpose of a referral to Secondary Care
|6) Rights to object
|You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection; that is not the same as having an absolute right to have your wishes granted in every circumstance.
|7) Right to access and correct
|You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|8) Retention period
|The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the Practice.
|9) Right to Complain
|You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Statement of Purpose
Your Data and How you can Control its use
How data in your GP record is used and how you can control the use (opt-out)
You have the right to opt-out at any time from data being shared.
Your data is used in broadly two different ways:
- To provide you with care. This is called “Primary Use“
- To allow for planning and research to be done. This is called “Secondary Use“
Both uses will only be made where it is considered secure and appropriate to use patient data.
Opting-out of data sharing is an option for all patients, however it is not without potential downsides. For Primary Use data, if you opt-out and need care in a local hospital, for example, it may be much harder for the staff to access important medical information about you needed to provide safe and effective care. For Secondary Use, the downsides are more indirect. If everyone in the country were to opt-out, it would make it much harder to ensure funding is used in the NHS to develop services where they are needed. It would also be harder to develop new treatments.
It is possible to opt-out of specific parts of data sharing, while keeping some elements of data sharing in place. It is very common, for example, for people who have privacy concerns about Secondary Use, to be happy to continue sharing data for Primary Use/Direct Care.
The below table summarises what opt-outs are possible, and how to request them:
How data in your GP record is used, and how you can control the use
Primary Use – sharing your data for your direct care
|Who it is shared with
|How it is used
|How to opt out
|Summary Care Record
|These are used by NHS hospitals and other providers (e.g. midwives) to ensure they have the data needed to provide you with the right care.
|Opt out through your GP practice – contact the surgery reception to speak to the practice manager/deputy practice manager to discuss this and we will be able to apply the opt-out
|Great North Care Record
Secondary Use – Using your data to design health services and do health research
|Who it is shared with
|How it is used
|How to opt out
|Local NHS Organisations (such as Clinical Commissioning Groups)
|Using data to plan how to design local services around the needs of the population
|Use a ‘type-1 opt out’ – Please send this form to the practice by emailing to (add surgery email address) nhs.net
|Using data to plan and design national services around the needs of the population
|External research organisations
|Using data for various research purposes
|Use the National Data Opt-out – Visit the NHS website, use the NHS App or call 0300 3035678
How to manage your sharing preferences using the NHS App
You can view or change your current preference at any time.
To view and change your preference in the NHS App:
- Go to Your health
- Select Choose if data from your health and care records is shared for planning and research.
- Select Make your choice.
- Review the information on the page, then select Start now.
- View your preference, then select Change if you want to change it.
- Update your choice, then select Submit.
You can also visit www.nhs.uk/your-nhs-data-matters.