Data Protection

Updated: 7 May 2021

Data Protection

Chatfield Health Care takes our responsibilities associated with Data Protection seriously. Please find below a copy of our General Practice Privacy Notice, which tells you how we handle and use your personal information. In addition to this, please also find below our Privacy Policy Information document.

Our ICO Registration Number is: Z5502819.

Our Data Protection Officer is Umar Sabat. He can be contacted at dpo.swl@nhs.net

Privacy Notice

Privacy Notice Easy Read Version 1

Privacy Notice Easy Read Version 2

Privacy Policy: Information for Patients

Should you require access to your information we would appreciate if you could complete a copy of Chatfield Health Care's application form to access your records and follow the instructions on the form.

Application Form to Access Your Records


General Practice Data for Planning & Research

Chatfield Health Care is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research.

The data held in your GP medical record is used every day to support health and care planning and research in England, helping to find better treatments, improve patient outcomes and inform national health policies. 

You can access our Privacy Notice here

What is the change?

It is important to note that patient data from GP surgeries is already collected (where a patient has not opted-out) via the General Practice Extraction Service (GPES). This has been running for over 10 years , currently undertaking over 350 extracts each year. In 2014, a National Audit Office review of GPES found that the service was inefficient and costly but fulfilled a neccessary requirement and should be replaced and improved. NHS Digital has developed a new way to collect this data; the General Practice Data for Planning and Research data collection will replace GPES.

What is secondary use of data?

Secondary use of data is where data is used for the purposes of planning and research for a cohort of patients and does not affect an individual's direct care.

To give context, this usage has supported the NHS COVID-19 response in the creation of vaccination at pace and to undertake vital research, to enable organisations to plan their local responses, e.g. targeting specific communities that were more likely to be adversely affected by the pandemic.

What is opt-out?

The national data opt-out is a service that allows patients to opt-out of their confidential patient information being used for research and planning.

Type 1 opt-out: prevents information being shared outside of Chatfield Health Care for purposes other that direct care Once the completed form has been received we will add the relevant type 1 opt out code to your medical record. We will also inform you when we have done so. If you think you have previously opted out of this service you may wish to clarify this with us via email (swlccg.chatfield-health@nhs.net) Alternatively, you can also fill in the type 1 opt-out form below again.

Type 1 Opt-out Form

National data opt-out: a service that allows patients to opt-out of their patient data being used for research and planning.

Find out more in formation by visiting https://www.nhs.uk/your-nhs-data-matters/. If you wish to stop NHS Digital using any historical confidential patient information about you being used for research and planning you must also make your choice online here or via the following form:

National Data Opt-out Form


Updated: 3 May 2021

NHS Transparency Notice

How the NHS and Care Services Use Your Information

Data Security & Protection Framework

Data Protection Policy

Data Protection Impact Assessments:

DPIA Care Home Proxy Ordering (George Potter House)


Connecting Your Care Privacy Notice

Updated October 2020

The information we hold on you

This privacy notice explains why health and care organisations share information about you and how that information may be used  in the Connecting your Care programme.

You can find out more about the organisations that are part of Connecting your Care on our website, along with the answers to some Frequently Asked Questions at: www.swlondon.nhs.uk/connectingyourcare.

The health and care professionals who look after you keep their own records in different specialist systems that contain details of any treatment or care you have received or are receiving from them. These records may be electronic, on paper or a mixture of both, and a combination of working practices and technology ensure your information is kept confidential and secure.

Connecting your Care provides health and care professionals with a secure” electronic summary view of the information that organisations want to share about you. This provides the people looking after you with important information from other services that you use, so that they can quickly assess you and make the best decision or plans about your care.

The information which health and care organisations can share about you might include the following information:

  • Details about you, such as address, contact details and next of kin
  • Any contact the health or care provider has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes/reports and assessments about your health and care
  • Details about your planned treatment and care
  • Results of investigations, such as blood tests, scans, x-rays, etc.
  • Relevant information from other health and care professionals, relatives or those who care for you
  • Care and support you may be receiving from Social Care services
  • Urgent care and NHS 111 visits/calls
  • London Ambulance Service calls.

As part of this Privacy Notice we are required by law to provide you with the following  information. To help in understanding the terms of this Notice we have provided definitions where indicated.

1) Controller contact details

 

 

Chatfield Health Care

50 Chatfield Road

London SW11 3UJ

Tel: 020 3764 0822

Email: swlccg.chatfield-health@nhs.net

2) Data Protection Officer contact details

 

Mr Umar Sabat (Dir. IG Health)

Email: dpo.swl@nhs.net

3) Purpose of the processing (sharing)

Information will be shared in order to facilitate “direct care” that is delivered to the individual – that is, where a health or care Organisation has direct contact with a patient or service user in order to provide them with immediate care, treatment or services.

Direct Patient Care is defined as:

“ a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society. It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care”.

[Information: To Share or Not To Share? Dame Fiona Caldicott,  April 2013  https://www.gov.uk/government/publications/the-information-governance-review].

4) Lawful basis for processing (sharing)

"Processing involves any operation performed on personal data, whether or not by automated means. This includes collection, use, recording, feeding it to machine learning algorithms." 

The processing (sharing) of personal data in the delivery of direct care and for providers’ administrative purposes in this organisation, and in support of direct care elsewhere, is supported under the following Article 6 and 9 conditions of the: Data Protection Act 2018/General Data Protection Regulation 2016:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h)necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

Health and social care services have a  legal obligation to share information about you from their records if it is seen to be in your best interests for the purposes of your direct care.

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.*

5) The Sources of the Data and the Recipient or categories of recipients of the processed data

Data sources

Information is shared between all the health and care organisations that are part of the Connecting your Care programme.

For the full list of organisations that are part of Connecting your Care please see our website: www.swlondon.nhs.uk/connectingyourcare.

Categories of recipients

Only health and care professionals in each of the defined organisations who are providing you directly with care or services can see your information.

This Privacy Notice will be reviewed and updated annually, as required, or in the event of significant change. The list of organisations that are part of Connecting your Care will be updated each time new partners join the programme.

7) Rights to object

You have the right to object to some or all your information being processed (shared)  under current data protection legislation (Article 21 the General Data Protection Regulations 2016, and the Data Protection Act 2018).

You are advised that whilst under this legislation you have the right to raise an objection, this right is not absolute in relation to health and care data being shared for for the purposes of direct care under the lawful bases for sharing as described in section 4 of this Privacy Notice.

All objections will be considered on an individual basis by the Data Controller.

The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website. 

8) Right to access and rectification

Access

You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider.

If your health or care provider holds information about you, and you make a subject access request they will:

  • Give you a description of it
  • Tell you why it is being held
  • Tell you who it could be shared with
  • Let you have a copy of the information in an intelligible form.

To make a Subject Access Request  you will need to contact your health or care provider’s Data Protection Officer in writing. The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website. Rectification

You have the right to have inaccurate personal data rectified, and in some circumstances removed. Requests to amend or delete data should be  made to the individual Data Controller via the DPO, as per the contact information in section 2 of this Privacy Notice.

Under current data protection legislation, all data controllers have a responsibility to ensure the information held about you is correct and up to date and must take all reasonable steps to correct or erase incorrect information as soon as possible.

All requests to amend or remove information will be addressed on an individual basis by each Data Controller, however, it should be noted that, for example, information recorded by a health or care professional that is believed to be correct at the time of documentation, even when subsequently updated, is unlikely to be removed.

There is no right to have accurate medical records deleted except when ordered by a Court of Law.

8) Retention period

Information held about you by each Data Controller will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016.

9)  Right to Complain.

You have the right to complain about the way in which your information is used or shared,  if you think the information has been shared inappropriately. Each provider will have their own complaints process and you will need to contact them directly to register a complaint.

You can find the contact details and information about how to register a complaint on each individual organisation’s website.

You can also contact the Information Commissioner’s Office via the following link https://ico.org.uk/global/contact-us/ or call their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate).

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or ‘case’ law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent or, in the absence of consent, a legitimising purpose".


Updated: 11th November 2019

General Practice You & Type 2 Privacy Notice - Direct Care, (routine care and referrals)

Plain English explanation

The purpose of the You & Type 2 project is to allow people with Type 2 Diabetes to co-create care plans with their health care professional. Patients will also be given access to an app which will allow the patient to manage care plans and keep them informed between appointments.

The app will take your latest results and allow the setting of goals with your healthcare professional and display this back to you in a user-friendly format.

The app will also provide access to the education, digital tools and real-world social prescribing resources to enable you, the patient, to better plan and meet goals set. This should enable you to lead a healthier life.

The use of personalised video messaging will further aid you to better manage your symptoms and prevent deterioration of the disease.

There are a number of organisations involved in this project. Organisations that will have access to Personal confidential data are:

  • Chatfield Health Care - Controller
  • Oviva - Controller
  • Wandsworth CCG - Processor
  • NEL CSU - Processor
  • EMIS - Sub Processor
  • Healum - Sub Processor
  • Citizen Comms - Sub Processor

Chatfield Healthcare keeps data on you relating to: who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations. If your health needs require care from others, elsewhere outside this practice, we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services but this is not always the case.

Your consent to this sharing of data, within Chatfield Health Care and with those others outside the practice is assumed and is allowed by the Law.

People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see: your name, address, contact details, appointment history and registration details in order to book appointments. The practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.

You have the right to object to our sharing your data in these circumstances, but we have an overriding responsibility to do what is in your best interests. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

 

Controller contact details

 

Chatfield Health Care

50 Chatfield Road

London

SW11 3UJ

 

Data Protection Officer

 

Mr Tim Hodgson

Tel: 020 7350 5222 Email: tim.hodgson1@nhs.net

Purpose of the processing

Direct Care is care delivered to the individual alone, most of which is provided in the surgery.

After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc.

The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

Lawful Basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.*

Recipient or categories of recipients of the processed data

The data will be shared specifically for the Diabetes Test Bed Project with Health and care professionals employed by the following organisations:

 

·         Oviva – Controller

·         Wandsworth CCG – Processor

·         NEL CSU – Processor

·         EMIS – Sub Processor

·         Healum – Sub Processor

·         Citizen Comms – Sub Processor

 

Your right to object

You have the right to object to some or all the information being processed, which is detailed under Article 21.

Please contact the Data Controller or the practice manager.

You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

Your right to access and correction

You have the right to access the data that is being shared and have any inaccuracies corrected.

There is no right to have accurate medical records deleted except when ordered by a court of Law.

How long do we hold your personal data for?

We retain your personal data in line with both national guidance and law, which can be found here:

https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

or speak to your GP practice.

Your right to complain

You have to complain to the Information Commissioner’s Office, you can use this link:

https://ico.org.uk/global/contact-us/  

Or you can also call their helpline

Tel: 0303 123 1113 (local rate)

01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.


Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website