Home GDPR: Privacy Notice

General Data Protection Regulation Privacy Notice

Privacy Notice

The following privacy notice concerns practices which are members of the Croydon General Practice Collaborative (CGPC). The Croydon Collaborative supports your GP Practice to deliver services as well as operate our own services. We use this page to display your Practices Privacy Notice as we are tasked with keeping this updated on their behalf.

Additionally, Croydon GP Collaborative (CGPC) also run our own services and handles medical records according to the laws on data protection and confidentiality. We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need to know basis and event by event.

Details of our services can be found on the website homepage

Practices have asked us to maintain their Privacy Notices are as follows:

Direct Patient Care
Sharing my information for my regulatory purposes with the CQC
Sharing my information with NHS England
Sharing my information for the purpose of Connecting Your Care
Sharing your information with Public Health
Sharing information in support of Safeguarding
Telephone recording
Primary Care Networks (PCNs)
GP Connect

1. Direct Patient Care

Privacy Notice – Direct Care, (routine care and referrals)

Plain English explanation As your GP Practice we keep data on your related to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals who are appropriately involved in your health care. When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS England, a national organisation which has legal responsibilities to collect NHS data. If your health needs require care from others elsewhere outside the Practice, we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice, but within the NHS, it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case. Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law. People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record. You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below. We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Protection Officer contact details	Mr Umar Sabat, Data Protection Officer, Dpo.swl@nhs.net
2) Purpose of the processing	Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
3) Lawful basis for processing	The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR: Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’. Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”^*
4) Recipient or categories of recipients of the processed data	The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
5) Rights to object	You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or CGPC. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.
6) Right to access and correct	You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
7) Retention period	The data will be retained in line with the law and national guidance. Please see the NHSx Records Management Code of Practice.
8) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

2. Sharing information for Regulatory purposes

Privacy Notice – Care Quality Commission

Plain English explanation The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practice activities in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring us to share certain types of data with them in certain circumstances, for instance following a significant safety incident. CQC WEBSITE
1) Data Protection Officer contact details	Mr Umar Sabat Data Protection Officer, Dpo.swl@nhs.net
2) Purpose of the processing	To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS.
3) Lawful basis for processing	The legal basis is: Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And for Special Category Data Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
4) Recipient or categories of recipients of the shared data	The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.
5) Rights to object	You have the right to object to some or all of the information being shared. Please contact our Data Protection Officer.
6) Right to access and correct	You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
7) Retention period	The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
8) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

3. Sharing my information with NHS England

Privacy Notice – NHS England

NHS England is the secure haven* for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS England provides reports on the performance of the NHS, statistical information, audits and patient outcomes (https://digital.nhs.uk/data-and-information). Examples include; A/E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS England with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. MORE INFO and NHS DATASHARING
1) Data Protection Officer contact details	Mr Umar Sabat Data Protection Officer, Dpo.swl@nhs.net
2) Purpose of the processing	To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. The provide specific reporting functions on identified
3) Lawful basis for processing	The legal basis will be Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
4) Recipient or categories of recipients of the shared data	The data will be shared with NHS England according to directions More Information
5) Rights to object	You have the right to object to some or all of the information being shared with NHS England. Contact the Data Controller or Practice.
6) Right to access and correct	You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
7) Retention period	The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
8) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)/

4. Sharing my information for the purpose of Connecting Your Care

Privacy Notice – Connecting your care

This privacy notice explains why health and care organisations share information about you and how that information may be used in the Connecting your Care programme. You can find out more about the organisations within South West London who are part of Connecting your Care, along with the answers to some Frequently Asked Questions. The health and care professionals who look after you keep their own records in different specialist systems that contain details of any treatment or care you have received or are receiving from them. These records may be electronic, on paper or a mixture of both, and a combination of working practices and technology ensure your information is kept confidential and secure. Connecting your Care provides health and care professionals within South West London with a ‘’secure” electronic summary view of the information that organisations want to share about you. This provides the people looking after you with important information from other services that you use, so that they can quickly assess you and make the best decision or plans about your care. The information which health and care organisations can share about you might include the following information: Details about you, such as address, contact details and next of kin Any contact the health or care provider has had with you, such as appointments, clinic visits, emergency appointments, etc. Notes/reports and assessments about your health and care Details about your planned treatment and care Results of investigations, such as blood tests, scans, x-rays, etc. Relevant information from other health and care professionals, relatives or those who care for you Care and support you may be receiving from Social Care services Urgent care and NHS 111 visits/calls London Ambulance Service calls.
1) Data Protection Officer contact details	Mr Umar Sabat Data Protection Officer, Dpo.swl@nhs.net
2) Purpose of the processing	Information will be shared in order to facilitate “direct care” that is delivered to the individual – that is, where a health or care Organisation has direct contact with a patient or service user in order to provide them with immediate care, treatment or services. Direct Patient Care is defined as: “a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society. It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care”. Information: To Share or Not To Share? - Dame Fiona Caldicott, April 2013
3) Lawful basis for processing	The processing (sharing) of personal data in the delivery of direct care and for providers’ administrative purposes in this organisation, and in support of direct care elsewhere, is supported under the following Article 6 and 9 conditions of the: Data Protection Act 2018/General Data Protection Regulation 2016: Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’. Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” Health and social care services have a legal obligation to share information about you from their records if it is seen to be in your best interests for the purposes of your direct care. We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”. “Common Law Duty of Confidentiality” Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or ‘case’ law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent. Page 3 of 4 The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent or, in the absence of consent, a legitimising purpose
4) Recipient or categories of recipients of the shared data	Data sources Information is shared between all the health and care organisations that are part of the Connecting your Care programme. For the full list of organisations that are part of Connecting your Care please see our website Categories of recipients Only health and care professionals in each of the defined organisations who are providing you directly with care or services can see your information. This Privacy Notice will be reviewed and updated annually, as required, or in the event of significant change. The list of organisations that are part of Connecting your Care will be updated each time new partners join the programme.
5) Rights to object	You have the right to object to some or all your information being processed (shared) under current data protection legislation (Article 21 the General Data Protection Regulations 2016, and the Data Protection Act 2018). You are advised that whilst under this legislation you have the right to raise an objection, this right is not absolute in relation to health and care data being shared for the purposes of direct care under the lawful bases for sharing as described in section 4 of this Privacy Notice. All objections will be considered on an individual basis by the Data Controller. The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website.
6) Right to access and correct	Access You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider. If your health or care provider holds information about you, and you make a subject access request they will: Give you a description of it Tell you why it is being held Tell you who it could be shared with Let you have a copy of the information in an intelligible form. To make a Subject Access Request , you will need to contact your health or care provider’s Data Protection Officer in writing. The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website. Rectification You have the right to have inaccurate personal data rectified, and in some circumstances removed. Requests to amend or delete data should be made to the individual Data Controller via the DPO, as per the contact information in section 2 of this Privacy Notice. Under current data protection legislation, all data controllers have a responsibility to ensure the information held about you is correct and up to date and must take all reasonable steps to correct or erase incorrect information as soon as possible. All requests to amend or remove information will be addressed on an individual basis by each Data Controller, however, it should be noted that, for example, information recorded by a health or care professional that is believed to be correct at the time of documentation, even when subsequently updated, is unlikely to be removed. There is no right to have accurate medical records deleted except when ordered by a Court of Law
7) Retention period	Information held about you by each Data Controller will be retained in line with the law and national guidance. Please see attached the latest Records Management Code of Practice.
8) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

5. Sharing your information with Public Health

Public Health Privacy Notice

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever. This will necessarily mean the subjects personal and health information being shared with the Public Health organisations. Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659), the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657), the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658), Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002
1) Data Protection Officer contact details	Mr Umar Sabat Data Protection Officer, Dpo.swl@nhs.net
2) Purpose of the processing	There are occasions when medical data needs to be shared with Public Health England, the Local Authority Director of Public Health, or the Health Protection Agency, either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.
4) Lawful basis for processing	The legal basis will be Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)(i) “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”
5) Recipient or categories of recipients of the shared data	The data will be shared with Public Health England and equivalents in the devolved nations.
6) Rights to object	You have the right to object to some or all of the information being shared with the recipients. Contact the Data Controller or CGPC.
7) Right to access and correct	You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period	The data will be retained for active use during the period of the public interest and according to legal requirements and Public Health England’s criteria on storing identifiable data Personal Information Charter.
9) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

6. Sharing information in support of Safeguarding

Privacy Notice - Safeguarding

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”. Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees. There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are: Section 47 of The Children Act 1989 Section 29 of Data Protection Act (prevention of crime) Section 45 of the Care Act 2014. In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; section 17 Childrens Act 1989
1) Data Protection Officer contact details	Mr Umar Sabat Data Protection Officer, Dpo.swl@nhs.net
2) Purpose of the processing	The purpose of the processing is to protect the child or vulnerable adult.
3) Lawful basis for processing	The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply: For consented processing; 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes For unconsented processing; 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject and: 9(2)(b) ‘...is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of ...social protection law in so far as it is authorised by Union or Member State law..’ We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”^*
4) Recipient or categories of recipients of the shared data	The data will be shared with [insert local safeguarding services names and contact details
5) Rights to object	This sharing is a legal and professional requirement and therefore there is no right to object. GMC Guidance
6) Right to access and correct	The DSs or legal representatives has the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
7) Retention period	The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance.
8) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

where the individual to whom the information relates has consented;
where disclosure is in the public interest; and
where there is a legal duty to do so, for example a court order.

7. Telephone Recording

Privacy Notice – Telephone Recording

The surgery has the ability to record telephone calls to protect patients and staff and other health workers. Patients are protected by our having a record of our conversations with you, staff and other health workers are protected from potential abuse. The surgery does not record all conversations but if a decision is made in the future to record all calls, then patients will be informed. We also occasionally use recordings for staff training and quality control. When you register with us we will make this clear to you and we will also make this clear to you each time you contact us and via our web site and other sources of information Calls that contain only administrative information, such as enquiries about appointments, are only retained for 4 weeks and are then will be routinely deleted. Calls, or transcripts of calls, audio or audio-visual recordings or elements of the discussion you have with the clinicians that contain clinical information may be added to your medical records, but this will be clarified with you at the time. The recordings are stored on the surgery telephone system
2) Data Protection Officer contact details	Umar Sabat Data Protection Officer Dpo.swl@nhs.net
3) Purpose of the processing	To facilitate your access to care and in the case of telephone or other audio visual consultations for your direct care.
4) Lawful basis for processing	The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR: Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’. Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” *
5) Recipient or categories of recipients of the shared data	Necessary data will be shared with Health and care professionals and support staff in this surgery. Clinical data or records of consultations may be transcribed or appended to the records we hold on you and may thence be shared at hospitals, diagnostic and treatment centres who contribute to your personal care. Actual recordings will not be shared with anyone outside the practice. Please see our Privacy Notice for Direct Care. The actual recordings are stored on the telephone system and after a designated period of time will be either deleted or saved, onto the surgery Shared Drive if it is deemed necessary. You will be informed if the recording is to be stored for longer than is set out in this Privacy Notice and you will informed the reasons.
6) Rights to object	You have the right to object to some or all your information being processed (shared) under current data protection legislation (Article 21 the General Data Protection Regulations 2016, and the Data Protection Act 2018).
7) Right to access and correct	You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider. If your health or care provider holds information about you, and you make a subject access request they will: Give you a description of it Tell you why it is being held Tell you who it could be shared with Let you have a copy of the information in an intelligible form. To make a Subject Access Request , you will need to contact your health or care provider’s Data Protection Officer in writing. The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website. Rectification You have the right to have inaccurate personal data rectified, and in some circumstances removed. Requests to amend or delete data should be made to the individual Data Controller via the DPO, as per the contact information in section 2 of this Privacy Notice. Under current data protection legislation, all data controllers have a responsibility to ensure the information held about you is correct and up to date and must take all reasonable steps to correct or erase incorrect information as soon as possible. All requests to amend or remove information will be addressed on an individual basis by each Data Controller, however, it should be noted that, for example, information recorded by a health or care professional that is believed to be correct at the time of documentation, even when subsequently updated, is unlikely to be removed. There is no right to have accurate medical records deleted except when ordered by a Court of Law
8) Retention period	We will keep recordings up to 4 weeks. Clinical data transcribed from your telephone or other electronic consultations may become part of your clinical record and is retained according to relevant rules and regulations, see Privacy Notice on Direct Care.
9) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

8. Primary Care Networks

Primary Care Networks (PCNs): All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients. PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care. This arrangement means that practices within the same PCN may share data with other practices within the PCN, for the purpose of patient care (such as extended hours appointments and other services), Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security. Further information about Primary Care Networks The above link also shows you which Primary Care Network we are part of.
2) Data Protection Officer contact details	Umar Sabat Data Protection Officer Dpo.swl@nhs.net
3) Purpose of the processing	To facilitate and provide you with direct patient care.
4) Lawful basis for processing	The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR: Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’. Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” *
5) Recipient or categories of recipients of the shared data	Necessary data will be shared with Health and care professionals and support staff in this surgery. Clinical data or records of consultations may be transcribed or appended to the records we hold on you and may thence be shared at hospitals, diagnostic and treatment centres who contribute to your personal care.
6) Rights to object	You have the right to object to some or all your information being processed (shared) under current data protection legislation (Article 21 the General Data Protection Regulations 2016, and the Data Protection Act 2018).
7) Right to access and correct	You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider. If your health or care provider holds information about you, and you make a subject access request they will: Give you a description of it Tell you why it is being held Tell you who it could be shared with Let you have a copy of the information in an intelligible form. To make a Subject Access Request , you will need to contact your health or care provider’s Data Protection Officer in writing. The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website. Rectification You have the right to have inaccurate personal data rectified, and in some circumstances removed. Requests to amend or delete data should be made to the individual Data Controller via the DPO, as per the contact information in section 2 of this Privacy Notice. Under current data protection legislation, all data controllers have a responsibility to ensure the information held about you is correct and up to date and must take all reasonable steps to correct or erase incorrect information as soon as possible. All requests to amend or remove information will be addressed on an individual basis by each Data Controller, however, it should be noted that, for example, information recorded by a health or care professional that is believed to be correct at the time of documentation, even when subsequently updated, is unlikely to be removed. There is no right to have accurate medical records deleted except when ordered by a Court of Law
8) Retention period	We will keep recordings up to 4 weeks. Clinical data transcribed from your telephone or other electronic consultations may become part of your clinical record and is retained according to relevant rules and regulations, see Privacy Notice on Direct Care.
9) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

8. GP Connect

GP Connect is a platform which allows different systems to communicate so that clinicians in different care setting can view a patients GP record. This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and outside the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care. If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. People who have access to your information will only normally have access to that which they need to fulfil their roles. Yours consent to this sharing of data for the purpose of direct care with those outside the practice is assumed and allowed by the Law. Users accessing the information must have the right level of security clearance and have a special account set up or a special access card. Each time anyone accesses your medical record, this information is logged. When you contact healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services, but this is not always the case. You have the right to object to our sharing your data in these circumstances, but we have an overriding responsibility to do what is in your best interests. Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future; these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the paragraph above. GP Connect also provides the ability of your medical records being transferred to your new registered practice electronically without the delay. This enables continuity of your care by different providers. We are required by Articles in the UK GDPR to provide you with the information in the following 9 subsections:
2) Data Protection Officer contact details	Umar Sabat Data Protection Officer Dpo.swl@nhs.net
3) Purpose of the processing	The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.
4) Lawful basis for processing	The processing of personal data in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the UK GDPR: Article 6(1)(d) ‘processing is necessary to protect the vital interests of the data subject or of another natural person’. Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’. Article 9(2)(c) ‘processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent’. Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’. We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*.
5) Recipient or categories of recipients of the shared data	The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.
6) Rights to object	You have the right to object to some or all of the information being shared. Please contact our Data Protection Officer.
7) Right to access and correct	You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period	The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9) Right to Complain.	You have the right to complain to the Information Commissioner’s Office CONTACT ICO or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Hear More From Our Data Protection Officer, Umar Sabat

You can contact Umar Sabat at DPO.swl@nhs.net

If you have any questions about the Croydon GP Collaborative, or you would like to know more about the services we offer, how to make a compliment or complaint, then you can do so via our contact us page.

GET IN TOUCH

We use cookies to help provide you with the best possible online experience.
By using this site, you agree that we may store and access cookies on your device.