Symonds Green Health Centre
We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.
Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.
A Poster of how we handle your data is attached in the Appendix
Children accessing our services (Children’s Privacy Notice) is attached in the Appendix
- About us, and why we are providing this Privacy Notice
We, at the SYMONDS GREEN HEALTH CENTRE situated at Filey Close Stevenage Herts SG1 2JW, are a Data Controller of your information. This means we are responsible for determining the purpose for collecting, storing and handling your personal and healthcare information when you are registered with us as a patient.
Our aim is to provide you with the highest quality healthcare. To do this we must keep information about you, your health, and the care that is provided, or is planned to be provided, to you. This information is collectively known as your ‘health record’. The purposes for which we use the information held in your health record are set out in this Privacy Notice.
It is important to us that you are informed about how we use the information we hold about you. If you have any questions about this Privacy Notice or any other concern regarding how your personal and healthcare information is used, then please contact us.
- Contact Us
- Data Controller
The contact detail of the named, responsible Data Controller at the practice is Alison Clarke.
You can contact at/on 01438 364488 if:
- You have any questions about your information being held.
- You require access to your information or if you wish to make a change to your information.
- Any other query in relation to this Privacy Notice and your rights as a patient.
- Subject Access Requests (SARs)
If you have a concern or complaint about the way we handle your personal data or how we have used or handled your personal and/or healthcare information, please contact the Data Controller on the contact information provided, so we can review your concern in accordance with our internal policy.
In the event that your concern was not resolved by your contact with our named Data Controller, then please contact our Data Protection Officer on the details below.
You also have the right to raise any concern or complaint with the UK supervisory authority, at the Information Commissioner’s Office (ICO): https://ico.org.uk/ or telephone: 0303 123 1113.
- Data Protection Officer (DPO) function for this practice is provided by Hertfordshire, Bedfordshire and Luton ICT services, hosted by ENHCCG. If you wish to contact the DPO for further information on how we use your data, or if you have a concern about anything to do with the personal and healthcare information we hold about you that was not resolved by your enquiry with the practice, please contact the DPO at HBL ICT hosted by ENHCCG at: firstname.lastname@example.org
- Information We Collect About You and Why
In order to provide healthcare services we collect personal information from you, such as: -
- Your contact details: your name, address, telephone number(s), email address, date of birth, ethnicity, and gender.
- NHS Number.
- Contact number(s) and details of your next of kin, or carers as applicable.
- The reason for your visit to the Surgery
- Medical and other health related information from Consultations with our GP’s, and other healthcare professionals
- Notes and reports about your health
- Details and records about your treatment and care
- Results of x-rays, and laboratory tests
- Information we collect about you from others and Why
We also collect personal information about you when it is sent to us from the following: -
- A hospital, a Consultant and any other medical, or healthcare professional, or any other person involved with your general healthcare.
- Information that may be sent at your request by Insurance Companies acting on your behalf
- Information that may be received from the Police e.g. Firearms applications.
- Information that may be received from the Courts e.g. Court orders, Medical Information Requests’, and Immigration matters
- Purpose of the processing
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in proving better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.
We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:
- Hospital professionals (such as doctors, consultants, nurses, etc.);
- Other GPs/Doctors;
- Nurses and other healthcare professionals;
- Any other person that is involved in providing services related to your general healthcare, including mental health professionals.
- Direct Care Services and Who We May Provide Your Information to and Why
Safe and effective care is dependent upon relevant information being shared between all those involved in caring for a patient. When an individual agrees to being treated by the wider care team, it creates a direct care relationship between the individual patient, the health and social care professional, and their team. All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the Common Law Duty of Confidentiality and the GDPR and Data Protection Act 2018.
Your personal information will only be shared in accordance with your rights under the General Data Protection Regulation, Data Protection Act 2018, the Common Law Duty of Confidentiality, the NHS Constitution, and in keeping with professional and NHS Codes of Practice.
For further information on the use and sharing of confidential information, please follow the NHS Digital link https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/a-guide-to-confidentiality-in-health-and-social-care
You have the right to object to your information being shared for direct care, but in some circumstances this may delay or affect the care you receive. Always consult your GP or relevant health professional before deciding to opt out of sharing your information, as they will be able to advise you on the possible outcomes of this decision. Please see Section 7E for further information on the right to object.
- Case Findings and Risk Stratification
Sometimes your information will be used to identify whether you may benefit from a new or existing service; based on case findings. To do this, we may use automated technology to help us identify people that might require support or benefit from services, but ultimately, the decision is made by those involved in your care. Those involved in your care might look at particular ‘indicators’ (such as particular conditions) and contact you or take action for healthcare purposes. For example, this might be to prevent you from having to visit accident and emergency by supporting you in your own home or in the community.
The automated review may be completed at the practice or in conjunction with Clinical Commissioning Group’s (CCG) Risk Stratification processes. The information we pass to the CCG is via our computer systems and cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This protects you from being identified by anyone not involved in your care that may have access to this information.
Please follow this link to see how the CCG use information to provide services and improve care:
We may provide your information to the following people or organisations, where there is a legitimate reason to do so i.e.: they require your information to assist them in the effective provision of your direct healthcare needs:
- People and Organisations involved in your care: Health and Social Care Professionals, including support personnel who have, or will have a direct care relationship with you to meet your healthcare needs:
- Diagnostic Organisations: Diagnostic testing organisations are provided with relevant information to allow contact with you and to book a test/procedure to assist in your direct healthcare needs.
- Pharmacies: Pharmacists are provided with relevant information to allow contact with you and to provide relevant prescriptions and supporting advice, assisting in your direct healthcare needs.
- Referrals such as Hospital Appointments/Specialists/Dentists/Continuing Health Care Services, Community Services (including Mental Health), and CCG approvals for certain NHS health services: When referrals are made for patients to an NHS or private healthcare provider, a summary of the patient’s health history is typically included to assist the receiving healthcare professional to make a holistic assessment and/decision. This is important, because removal of areas of the history that could be considered relevant may affect the outcome of referrals and treatment. If there are areas of your healthcare history that you do not want shared, please raise this with your GP or healthcare professional.
- National Screening Programmes: The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These screening programmes currently include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
More information can be found at: https://www.gov.uk/topic/population-screening-programmes
For national screening programmes, you can opt out so that you no longer receive an invitation to a screening programme. See: https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes or speak to your practice.
- Record Sharing Programmes
- My Care Record
- This is a local record sharing initiative that promotes the safe, transparent sharing of your healthcare records for the purpose of your direct care needs. The My Care Record currently allows the sharing of patient records with local partner organisations. To ensure that those partner organisations comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those intended purposes only.
For more information of the My Care Record initiative and a list of the organisations who have signed data sharing agreements to promote this integrated care model, please follow the link: https://www.enhertsccg.nhs.uk/mcr
- Extended Access
Extended Access – we provide extended access services to our patients which mean you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside of our opening hours. This means, those key “hub” practices will have access to your medical record to be able to offer you the service.
Robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.
The key Hub practices are as follows:
- Stevenage Health Ltd: Stevenage Health Ltd is the collaborative company formed by the Stevenage GP Practices (Bedwell & Roebuck Surgery, The Chells Surgery, King George Surgery, Manor House Surgery, Shephall Way Surgery, Stanmore Medical Group & Symonds Green Surgery).
- Your Summary Care Record and Summary Care Record with Additional Information
Summary Care Record (SCR)
Your summary care record is an electronic record held on a national healthcare records database provided and facilitated by NHS Digital. This allows other healthcare professionals who we do not have data sharing agreements with, but who you have a direct care relationship with, to access your electronic record when they are providing you with direct care services. This is particularly helpful if you are visiting another part of the country and require healthcare services.
At a minimum, the SCR holds important information about;
- current medication
- allergies and details of any previous bad reactions to medicines
- the name, address, date of birth and NHS number of the patient
This record may be accessed with your permission by relevant healthcare professionals involved in your direct healthcare. If you do not wish to have your SCR available to be shared, please contact the practice so we can update your records. https://digital.nhs.uk/summary-care-records
- Summary Care Record with Additional information
The inclusion of additional information on a SCR is particularly useful for people with complex or long term conditions. Due to the sensitivity of more detailed information being accessible on your SCR, you will be asked for your permission to allow additional information to be added to, and accessible on, your SCR.
- Clinical Commissioning Group (CCG)
The CCG manages the majority of contracts for primary care, in order for us to deliver healthcare services to you. At times, they may assist us in the administration of our direct care services through coordination or follow up with organisations about matters relating to your direct healthcare needs. This may include such functions as coordinating community pharmacy services, arranging continuing health care services, contacting a hospital about important discharge information, a diagnostic organisation about a test result, or other health or social care services involved in your care.
We have contracts in place with the CCG. This means that they cannot do anything with your personal information unless we have instructed them to. They will only share information about you that is relevant and necessary to fulfil the requirement of a particular service to you. Information about you is only shared with organisations that have a relationship with you or will have a relationship through a referral. They will hold your information securely and retain it for only as long as necessary. If you require further information please contact the practice or the DPO.
- Third Party Technical Support Processors
We use data processors who are third parties, who provide technical administration services for us to deliver health care services to you. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. If you require further information please contact the practice or the DPO.
- Non Direct Care Services Where Your Information May Be Used:
Whenever you use a health or care service, such as attending GP appointments, Accident & Emergency, admission to hospital, or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. In addition, this information may also be used by other approved organisations for non-direct care purposes, where there is a lawful basis to help with: planning services, improving care, research into developing new treatments, and preventing illness. All of this helps in providing better care to you and your family and future generations. Anonymised information (where you cannot be identified) will be used for non-direct care purposes whenever possible. However, as explained in this Privacy Notice, confidential information about your health and care is only used in this way where the law allows and would never be used for any other purpose without your permission.
You have the right to object/opt out to your record being shared with anyone who is not involved in the provision of your direct healthcare. However, if there is an overriding legal obligation to share information, we must do so (See Section 4D i.e.: court order, safeguarding etc.). If you wish to enquire further, please contact the practice.
If you do choose to opt out, you can still agree to your data being used for specific purposes that you have agreed to. You can change your mind at any time by contacting the practice.
Non-Direct Care services include organisations such as:
- Clinical Commissioning Group East and North Hertfordshire Clinical Commissioning Group (CCG) is the organisation responsible for commissioning (planning, designing and paying for) your NHS services. The CCG is made up of local GPs, health professionals and commissioners, working together with other clinicians and patients to decide how the local NHS budget should be spent. Information provided to the CCG is pseudo-anonymised, meaning the CCG cannot identify the individual. For more information on how the CCG uses your information:
- NHS Digital Your health records contain confidential patient information, which can be used to help with research and planning. NHS Digital takes the protection of your confidential patient information very seriously and puts measures in place to ensure it is looked after in accordance with good practice and the law. Whenever possible, information is anonymised. For further information on your choices, including opting out, please see:
- Care Quality Commission Access to Health Records
CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator.
This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care.
- Research Organisations
Health and social care research may be conducted by organisations commissioned by the NHS, other health and social care organisations, universities, or commercial research partners for such purposes as developing new treatments and improving healthcare outcomes. If through Case Findings (see section 5A), and where you have not previously objected, we would contact you to determine if you would like to participate with a research project. We would always ensure that data protection laws were followed to protect your data, and information about you would never be shared with these organisations without your expressed permission.
- For the purposes of complying with the law as explained in section 4C.
- Anyone you have given your consent to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we may need to contact you to verify/clarify your consent before we release the record. It is important to us that you are clear and understand how much information and what aspects of your record will be released.
The information collected from you and others is collectively known as your ‘health record’. Your health record may be held in hand written format (manual record) or on a computer system (electronic). Information held within your health record is used for your direct care purposes and to check and review the quality of care you have received. (This is called audit and clinical governance).
We may contact you using SMS messaging for appointment and other services on the mobile number you have provided and where you have given us permission to do so. If you no longer wish to receive messages via SMS, please contact the practice to let us know.
Your care providers will endeavour to ensure that your health record is kept up-to-date, accurate, secure and appropriately accessible to those providing your care and treatment. Please ensure you update us on any changes to your contact information or any other relevant details. You have the right to access information held about you. For details on access requests, please see Section 7A of this Privacy Notice.
- Lawful Basis Relied on for Processing Information About You
- The primary lawful basis that we rely on to collect, store, use, and share your personal and health information for direct care, the administration of direct care services (prevention, investigation and treatment), and the planning of healthcare services under Data Protection Legislation are as follows:
- For processing personal data: The performance of a task carried out in the public interest or in the exercise of official authority…’ Article 6(1)(e) ‘
- For Personal data concerning health or special categories of personal data:
Article 9(2) (h) ‘…for the medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
- Vital Interests:
There may be occasions where we rely on the lawful basis of Vital Interests in the event that we need to process personal data to protect an individual’s life.
- Legal Obligation:
Sometimes we are required by law to share your information. Examples of this may include such reasons as: to safeguard children or vulnerable adults, where it is in the wider public interest (public health), detection or prevention of crime, to defend a legal claim, reporting to DVLA, or where required by court order. In these instances, the lawful basis for sharing information is Legal Obligation.
Your consent will be sought in certain instances, where we do not rely on another lawful basis to process your information (see Section 4A-C). For example, if you wish to sign up to our practice newsletter or to release your information to a third party who we do not have a lawful basis to share your information with, your consent will be required. When consent is given as the lawful basis for processing your information, your consent can be withdrawn at any time.
We will never sell or share your information for direct marketing
- Organisational Security
CCTV is currently not in place at the Symonds Green Health Centre.
- Telephone Recordings
None of our telephone calls (incoming or outgoing) are recorded.
- Lawful Basis
The purpose for processing the information is for quality, security and safety reasons. The lawful basis we rely on to process your personal data is article 6(1) (f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.
- How Long Do We Keep Your Information
In line with the most current NHS Digital Records Management Code of Practice for Health and Social Care, we will retain/store your health record for as long as necessary to provide the services set out in this Privacy Notice.
If you move away and register with another practice, we will send your records to the new practice in accordance with NHS guidelines.
For further information, please contact the practice.
- Individual Rights
The Law gives you certain rights about your personal and healthcare information that we hold.
We have one calendar month to reply to you and give you the information that you require or explain why we are unable to fulfil your request. We would ask, therefore, that any requests you make is in writing or verbal requests followed up in writing, so it is as clear as possible what you are requesting. This will prevent unnecessary delays in getting a response to you.
Subject Access Requests (SAR)
You have the right to see what information we hold about you and to request a copy of this information. Under special circumstances, which have an overriding legal basis, some information may be withheld.
Sometimes information about third parties mentioned by you or others may be recorded on your records. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include, but not limited to: spouses, partners, and other family members.
A subject access request can be made in writing or verbally but we will need to verify who you are. Please use the following contact at the GP Practice to make your request: Alison Clarke, Data Controller.
We will provide this information free of charge however, we may in some limited and exceptional circumstances have to apply a reasonable administrative charge for any extra copies or repetitive requests. If applicable, we will discuss this with you at the time of your request.
If you have consented to a third party to request a SAR on your behalf, we require the third party to supply us with your consent. Due to the confidentiality and sensitivity of health records, if we are unsure about the consent provided or think you may not be aware of the extent of what would be disclosed in the request, we may contact to review and confirm the request with you before the SAR is processed.
If online access is a service available at the practice, there are robust protocols necessary for security of this information. When we give you online access or provide you with a SAR via another means, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access to it.
Access Requests for Deceased Patient Records: This is not managed under the data protection legislation. The Access to Health Records Act 1990 includes this access. Requests to access should be made to the Primary Care Services England. https://pcse.england.nhs.uk/services/gp-records/accessing-medical-records/
Right to Restriction of Processing
You have the right to request we restrict processing your information while the accuracy, lawful basis, or the legitimate use of the information is being reviewed.
Right to Rectification/Correction
We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details or any of your dependant’s contact details, including your mobile phone number has changed.
You have the right to have any mistakes or errors corrected. However, we are not aware of any circumstances in which you will have the right to delete information from your health record that is deemed accurate at the time of entry. Please contact us if you hold a different view.
Right to be forgotten
The right is typically not available because the primary conditions we rely upon for processing your information for services are: for the performance of a task carried out in the public interest, or for reasons of public health in accordance with Art. 9(2) (h) or (i).
If there are instances of a specific processing activity where you believe the lawful basis allows the right to be forgotten, please contact the practice to review your request.
Right to Objection
You have the right to object to your information being shared outside of the practice; however you are not able to object to your name, address and other demographic information being sent to NHS Digital. This is necessary if you wish to be registered to receive NHS care.
If you do not want your personal information to be shared and used for purposes other than your direct care and treatment, then you should contact the practice and ask for further information about how to register your objections. This should not affect the care and treatment you receive.
You can object to processing of your information at the practice; however this would prevent us for providing you with any further healthcare services.
Please note that there may be times where there are legitimate legal grounds that override the objection of an individual i.e.: a legal obligation that the data controller must comply with or for the establishment, exercise or defence of legal claims.
Right to Portability
The right to request portability is only available where the processing is based on Data Protection legislation lawful basis of consent or contract and the processing is automated. These are typically not the lawful bases relied on in primary care services and are not the lawful bases used by this practice. If there are instances of a specific processing activity where you believe the lawful basis allows the right to portability, please contact the practice to review your request.
- Our Website
The only website this Privacy Notice applies to is the GP practice’s website. If you use a link to any other website from the Practices’ website, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.
Wi-Fi is available on site for the use of our visitors via a third party provider as part of an NHS initiative. The practice has no access to the data held or control over Wi-Fi usage.
You will be provided with the access name and password if you wish to access the Wi-Fi, where terms and conditions of use will be available.
- Data Security
We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure.
We regularly update our processes and systems and we also ensure that our staff members complete regular training on data protection. We also carry out assessments and audits of the information that we hold about you, and we make sure that if we are considering providing new services, we carry out security assessments to ensure measures are put in place to protect your data.
- Where to find our Privacy Notice
You may find a copy of this Privacy Notice in our Surgery waiting room, on our website, or a copy may be provided on request.
- Changes to our Privacy Notice
We regularly review and update our Privacy Notice. This Privacy Notice was last updated on 24/04/19.
Please note: If English is not your first language, you may be able to request a translation of this Privacy Notice from the practice.