Confidentiality & Medical Records
The practice complies with data protection and access to medical records legislation. Identifiable information about you will be shared with others in the following circumstances:
- To provide further medical treatment for you e.g. from district nurses and hospital services.
- To help you get other services e.g. from the social work department. This requires your consent.
- When we have a duty to others e.g. in child protection cases anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.
If you do not wish anonymous information about you to be used in such a way, please let us know.
Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.
Freedom of Information
Information about the General Practioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.
Access to Records
In accordance with the Data Protection Act 1998 and Access to Health Records Act, patients may request to see their medical records. Such requests should be made through the practice manager and may be subject to an administration charge. No information will be released without the patient consent unless we are legally obliged to do so.
We make every effort to give the best service possible to everyone who attends our practice.
However, we are aware that things can go wrong resulting in a patient feeling that they have a genuine cause for complaint. If this is so, we would wish for the matter to be settled as quickly, and as amicably, as possible.
To pursue a complaint please contact the practice manager who will deal with your concerns appropriately. Further written information is available regarding the complaints procedure from reception.
Complaints Procedure 2016 (not changed 2019)
The NHS operate a zero tolerance policy with regard to violence and abuse and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons. Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety. In this situation we will notify the patient in writing of their removal from the list and record in the patient’s medical records the fact of the removal and the circumstances leading to it.
Data Protection Policy
Symonds Green Health Centre
DATA PROTECTION POLICY
The Data Protection Act 1998 (DPA) requires a clear direction on policy for security of information held within the practice and provides individuals with a right of access to a copy of information held about them.
The practice needs to collect personal information about people with whom it deals in order to carry out its business and provide its services. Such people include patients, employees (present, past and prospective), suppliers and other business contacts. The information we hold will include personal, sensitive and corporate information. In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the Data Protection Act 1998.
The lawful and proper treatment of personal information by the practice is extremely important to the success of our business and in order to maintain the confidence of our service users and employees. We ensure that the practice treats personal information lawfully and correctly.
This policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.
See also: Access to Medical Records policy [*], which covers Subject Access Requests under the Data Protection Act.
1.0 Data Protection Principles
We support fully and comply with the eight principles of the Act which are summarised below:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained/processed for specific lawful purposes.
- Personal data held must be adequate, relevant and not excessive.
- Personal data must be accurate and kept up to date.
- Personal data shall not be kept for longer than necessary.
- Personal data shall be processed in accordance with rights of data subjects.
- Personal data must be kept secure.
- Personal data shall not be transferred outside the European Economic Area (EEA) unless there is adequate protection.
- Employee Responsibilities
All employees will, through appropriate training and responsible management:
- comply at all times with the above Data Protection Act principles
- observe all forms of guidance, codes of practice and procedures about the collection and use of personal information
- understand fully the purposes for which the practice uses personal information
- collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the practice to meet its service needs or legal requirements
- ensure the information is correctly input into the practice’s systems
- ensure the information is destroyed (in accordance with the provisions of the Act) when it is no longer required
- on receipt of a request from an individual for information held about them by or on behalf of immediately notify the practice manager
- not send any personal information outside of the United Kingdom without the authority of the Caldicott Guardian / IG Lead
- understand that breaches of this Policy may result in disciplinary action, including dismissal
- Practice Responsibilities
The practice will:
- Ensure that there is always one person with overall responsibility for data protection.
- Maintain its registration with the Information Commissioner’s Office
- Ensure that all subject access requests are dealt with as per our Access to Medical Records policy
- Provide training for all staff members who handle personal information
- Provide clear lines of report and supervision for compliance with data protection and also have a system for breach reporting
- Carry out regular checks to monitor and assess new processing of personal data and to ensure the practice’s notification to the Information Commissioner is updated to take account of any changes in processing of personal data
- Develop and maintain DPA procedures to include: roles and responsibilities, notification, subject access, training and compliance testing
- Display a poster in the waiting room explaining to patients the practice policy (see below) plus a copy of the Information Commissioners certificate
- Make available a leaflet and or a poster in reception on Access to Medical Records [*] for the information of patients. Also display the certificate of registration with the Information Commissioners office.
- Take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant. This will include training on confidentiality issues, DPA principles, working security procedures, and the application of best practice in the workplace.
- Undertake prudence in the use of, and testing of, arrangements for the backup and recovery of data in the event of an adverse event.
- Maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance.
- Include DPA issues as part of the practice general procedures for the management of risk.
- Ensure confidentiality clauses are included in all contracts of employment.
- Ensure that all aspects of confidentiality and information security are promoted to all staff.
- Remain committed to the security of patient and staff records.
- Ensure that any personal staff data requested by the CCG or NHS, i.e. age, sexual orientation and religion etc., is not released without the written consent of the staff member
DATA PROTECTION ACT – PATIENT INFORMATION
We need to hold personal information about you on our
computer system and in paper records to help us to look after your health needs, and your doctor is responsible for their accuracy and safe-keeping. Please help to keep your record up to date by informing us of any changes to your circumstances.
Doctors and staff in the practice have access to your medical records to enable them to do their jobs. From time to time information may be shared with others involved in your care if it is necessary. Anyone with access to your record is properly trained in confidentiality issues and is governed by both a legal and contractual duty to keep your details private.
All information about you is held securely and appropriate safeguards are in place to prevent accidental loss.
In some circumstances we may be required by law to release your details to statutory or other official bodies, for example if a court order is presented, or in the case of public health issues. In other circumstances you may be required to give written consent before information is released – such as for medical reports for insurance, solicitors etc.
To ensure your privacy, we will not disclose information over the telephone or fax unless we are sure that we are talking to you. Information will not be disclosed to family, friends, or spouses unless we have prior written consent, and we do not leave messages with others.
You have a right to see your records if you wish. Please ask at reception if you would like further details and our patient information leaflet. An appointment will be required. In some circumstances a fee may be payable.