Coronavirus (COVID-19) pandemic and your information
The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.
The ICO also recognises that 'Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.'
The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) consist of treating you or a member of your family, and enabling us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.
Please be assured that we will only share information and health data that is necessary to meet your and the public's healthcare needs.
The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2020 unless a further extension is required. Any further extension will be communicated via an update to this Privacy Notice.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.
In response to receiving a completed Processing Activities Log which Little St John’s Surgery has confirmed is an accurate and complete record of processing carried out by the practice, the following suggested Privacy / Transparency Notice has been drafted.
Under data protection law we must tell you about how we use your personal information. This includes the personal information that we share with other organisations and why we do so. Our main GP practice privacy notice is on our website. This additional privacy notice provides details about Population Health Management.
This work is aimed at improving the health of both local and national populations.
It is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair and equal. It helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care.
Population Health Management requires health and social care organisations to work together with communities and partner agencies. The organisations will share de-identified information (where information about you has been removed) with each other in order to get a view of health and services for the population in a particular area.
Across Ipswich and East Suffolk and North East Essex a population health management programme has been introduced. The programme will combine this de-identified information from GP practices, community service providers, hospitals and other health and care providers to allow a comprehensive picture of health and care needs to be identified and services planned according to need.
The information needed for this Programme will include information about your health and social care. Information about you and your care will be used in the programme, but in a format that does not directly identify you, which we refer to within this privacy notice as pseudonymised.
The information will be used for a number of health and social care related activities such as:
Your GP will send the information they hold on their systems to the NHS North of England Commissioning Support Unit (NECS), who are part of NHS England. NHS Digital, which already holds information about other health and care attendances, will send the information it holds to NECS.
NECS will make the GP data linkable with other local and national data sources to understand the population health more effectively. This process is called pseudonymisation: any information that identifies you is removed and replaced with a pseudonym (unique code).
The pseudonym will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice will be able to see your personal information in order to offer this service to you.
The pseudonymised data will be sent to a company called Optum. Optum have been commissioned by NHS England to provide specialist analysis of the data to support improvements to the local population's health and to target health and social care resources effectively.
Both NECS and Optum are required to protect your information and maintain confidentiality at all times.
For the NHS England and Improvement/Optum programme, data will be processed only for the duration of the 20-week programme. Once the 20-week programme has completed the information will be securely destroyed from Optum systems.
NECS, working on behalf of the practice, will retain the practice data as agreed for a maximum of 14 days to ensure that they successfully remove any identifiable data. Once this is accomplished, the identifiable practice data will be securely destroyed. The remaining de-identified data will be used by analysts to provide health and social care statistics for PHM projects for the length of each project as agreed with the practice.
Health Care Providers are permitted by data protection law to use information where it is “necessary for medical purposes”. This includes caring for you directly as well as management of health services more generally.
Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law and in the majority of cases, anonymised data is used so that you cannot be identified.
Under data protection law, we can only share patient data if we have a legal basis under Articles 6 and 9 of the UK GDPR.
Our legal basis for sharing patient data is Article 6(1)(c) - legal obligation, as we are required under the Health and Social Care Act 2012.
When we are sharing patient data about health we also need a legal basis under Article 9 of the UK GDPR.
Article 9(2)(h) – as we are sharing patient data for the purposes of providing care and managing health and social care systems and services. This is permitted under paragraph 2 of Schedule 1 of the DPA.
Article 9(2)(i) - as patient data will also be used for public health purposes. This is permitted under paragraph 3 of Schedule 1 of the DPA.
Article 9(2)(j) - as patient data will also be used for the purposes of scientific research and for statistical purposes. This is permitted under paragraph 4 of Schedule 1 of the DPA.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.
This applies to identifiable patient data about your health which is called confidential patient information. If you don’t want your confidential patient information to be shared by NHS Digital with other organisations for purposes except your own care - either GP data, or other data it holds, such as hospital data - you can register a National Data Opt-out.
If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.
From 1 October 2021, the National Data Opt-out will also apply to any confidential patient information shared by the GP practice with other organisations for purposes except your individual care. It won’t apply to this data being shared by GP practices with NHS Digital, as it is a legal requirement for us to share this data with NHS Digital and the National Data Opt-out does not apply where there is a legal requirement to share data.
You can find out more about and register a National Data Opt-out, or change your choice on NHS.uk - Your NHS Data Matters or by calling 0300 3035678.
We are committed to protecting the privacy of all individuals using this website.
This policy explains how we use any personal information we collect from you through this website.
You can access most of the pages on our website without giving us your personal information. However, you may choose to provide us with your personal information on some pages of the website by completing an on-line form.
We shall use any personal information you give to us, in accordance with this policy, and with any additional statements appearing on forms used for submitting your personal information. We shall not disclose your personal information to any third parties without obtaining your prior consent unless we are required by law to do so. In particular:
We shall use your personal information to administer, and may respond to, your request.
We shall securely store the information you supply together with any response we may provide.
If you contact us regarding the website we may use your details to reply to you. If you make a comment or complaint about other aspects of the service we may use your details to investigate your comments.
This website uses HTTPS to ensure data is encrypted in transmission. This encryption, provided by the TLS protocol, allows us to protect your privacy. You can usually verify that the page is encrypted by checking for a small lock symbol in the upper left corner of your browser and that the website address is prefixed with https://.
All data obtained by us is held and used in compliance with the Data Protection Act 2018.
This website contains links to other sites. We are not responsible for the privacy practices of third parties that run any other websites. Please refer to their own privacy policies for more information.
You have a right under the Data Protection Act 2018 to ask us to provide you with the information we hold about you and to have any inaccuracies corrected. If you would like to access a copy of your information, please contact the Practice Manager using the contact details in the heading above.