Direct Care and Human Resources Privacy Notices

 Direct Care Privacy Notice

Faversham Medical Practice uses your information to provide you with healthcare.

This practice keeps medical records confidential and complies with data protection legislation.

We hold your medical record so that we can provide you with safe care and treatment.

We are required by law to provide you with the following information about how we handle your information.  Our full list of Privacy Notices can be found here

Data Controller contact details

 

Faversham Medical Practice

Faversham Health Centre

Bank Street

Faversham

Kent

ME13 8QR

Purpose of the processing

 

To give direct health or social care to individual patients.

For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.

A list of Practice processing activities can be found here 

Information we collect and use

·          Special data information including racial or ethnic origin; religious or philosophical beliefs; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life; and data concerning a person’s sexual orientation.

·          Demographics: name, address, date of birth, postcode, and NHS number

·          Medical history

·          Adult and Children safeguarding information

·          Third party identifying data: basic details about other individuals that may be involved in providing your care and support services, e.g. emergency contacts, relatives, mobility services providers, home care support

Lawful basis for processing

 

These purposes are supported under the following sections of the UK General Data Protection Regulation:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

Schedule 1, Part 1(2) Health and Social Care Purposes, Data Protection Act 2018

The legal obligation relies on the Health and Social Care Act 2012 s251(b) (as amended by the Health and Social Care (Safety and Quality) Act 2015 which created a statutory ‘duty to share’). 

 

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential.

 

Recipient or categories of recipients of the processed data

 

Please see our main privacy notice for a full list of organisations we share information with.

 

The Practice may also receive information about your health from these organisations who are involved in providing you with health and social care. This means your GP medical record is kept up to date when you receive care from other parts of the health service.

NHS Summary Care Record

The Summary Care Record is an electronic record of important patient information created from GP Medical Records.  They can be seen and used by authorized staff in other areas of the health and social care system involved in a patient’s direct care.

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. Information regarding screening programmes can be found here.

Kent and Medway Care Record (KMCR)

[Organisation Name] are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data. 

 

For further information about the Kent and Medway Care Record and the ways in which your data is used for this system please click here.

 

Population Health Management

Your information is passed, with all identifiers removed, to NHS Kent and Medway for public health management. This enables the Practice to identify the appropriate level of care and services for distinct groups of patients. It is the process of assigning a risk status to patients, then using this information to direct care and improve overall health outcomes.

National Data Opt-out

The National Data opt-out is a service that enables patients to opt out of their confidential information being used for research and planning.

 

The National Data opt-out can be applied here.

 

It is worth noting that in a small number of exceptional circumstances senior health care professionals can decide to share information based on public interest, and in these cases the National Data Opt-out does not apply.

 

The Confidentiality Advisory Group (CAG) considers applications for the use of patient data without consent under the following regulations of the Control of Patient Information Regulations 2002, Section 251 of the NHS Act 2006:

 

Regulation 2 – for diagnosis and treatment of cancer

Regulation 5 – for general medical and research purposes

 

Specific exemptions to the national data opt-out policy have been made for disclosure of data for:

 

·         Public Health England National Disease Registers

·         Assuring Transformation

·         National patient experience surveys

 

There are also specific policy considerations for NHS Digital, as the national safe haven of health and care data with specific powers under the Health and Social Care Act 2012. National data opt-outs do not apply where NHS Digital indicate data should be provided to them under s259 of the Health and Social Care Act 2012.

 

For details on your rights and who to complain to, please see the main privacy notice.

 

Human Resources Privacy Notice

This Privacy Notice describes how Faversham Medical Practice collects and uses personal information about you during and after your working relationship with us.

We are required by law to provide you with the following information about how we handle your information. The full range of Privacy Notices can be found here

Data Controller contact details

 

 

Faversham Medical Practice

Faversham Health Centre

Bank Street

Faversham

Kent

ME13 8QR

 

Purpose of the processing

 

Reasons for processing your personal data include:

  • Staff administration and management (including payroll and performance)
  • Pensions administration
  • Business management and planning
  • Accounting and Auditing
  • Accounts and records
  • Education
  • Health administration and services
  • Information and databank administration
  • Crime prevention and prosecution of offenders
  • Sharing and matching of personal information for national fraud initiative

A list of Practice processing activities can be found here 

Information we collect and use

Personal Information

  • your name, photograph, contact details including address, email address and telephone number, date of birth, National Insurance (NI) Number and driving licence (if relevant to the role), information about your nationality and entitlement to work in the UK

Job Information

  • the terms and conditions of your employment
  • details of your working arrangements (days of work and working hours) and attendance at work
  • details of your qualifications, skills, experience, and employment history, including start and end dates, and dates of continuous service
  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover
  • details of periods of leave taken by you, including holiday, sickness absence, family leave and the reasons for the leave
  • details of vaccinations if relevant to your post
  • details of your bank account for pay and expenses purposes

Performance Information

  • details of any disciplinary, performance, absence, or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
  • assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence

Information about your family

  • information about your spouse, partner or civil partner or other individuals when named as an emergency contact
  • information on dependants where required for pension purposes or childcare vouchers or benefits

Special Category Data

  • information about medical or health conditions, including whether you have a disability for which the Practice needs to make reasonable adjustments

  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
  • trade union affiliations, where applicable
  • information about past criminal convictions (Disclosure and Barring Service), and/or your fitness to practise in certain regulated professions

Lawful basis for processing

 

Article 6(1)(b)…‘necessary for the performance of a contract with employee’

Article 6(1)(c)…‘necessary for compliance with a legal obligation’

Article 6(1)(f)…‘in the Practice’s legitimate interests, which are not outweighed by the fundamental rights and freedoms of the data subject’

Article 9(2)(b) Employment, social security, and social protection

Article 9(2)(g) Reasons of substantial public interest

Schedule 1, Part 1(1) Data Protection Act 2018 - Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security, or social protection.

Schedule 1, Part 2(8) Data Protection Act 2018 - necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained

Schedule 1, Part 2(14) Data Protection Act - is necessary for the purposes of preventing fraud or a particular kind of fraud

Recipient or categories of recipients of the processed data

 

Professional Bodies (i.e. GMC, RCN, etc.)

Payroll Provider: Fairway Training Ltd

Pension Provider: NHS Pension Scheme

Occupational Health Provider: Preventative Healthcare Company Ltd.

HM Revenue and Customs

Education Establishments

Police & Judicial Services

CQC

NHS Jobs

BMJ

Pulse

New Hayesbank Surgery as lead for shared Mid Kent PCN Payroll services

Retention Data for NHS

Solicitors appointed to work in association with incident claims.

Outsourced HR function. From time to time we may seek advice from a third party legal advice provider.

Disclosure and Barring Service (DBS)

Your previous or prospective employer

 

The Practice may also receive information about you from these organisations.

Right of access

Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”).

Rights in relation to inaccurate or incomplete personal data

You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable.

 

Rights to object to or restrict our data processing

 

Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.

 

This right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.

Right to erasure

Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.

We may not be able to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

How to exercise your rights

To exercise your rights, please contact kmicb.fmp@nhs.net

Retention period

 

Your personnel records are kept in compliance with law and national guidance.  Details on how long records are kept are set out in the NHS England, Record Management Code of Practice 2021.

Right to complain

 

If you are unhappy with how your personal data is processed, you have the right to complain to the Information Commissioner’s Office (ICO). Their helpline number is 0303 123 1113.

We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO so please do contact us (kmicb.fmp@nhs.net) in the first instance.

Data Protection Officer contact details

 

A. Ervine GP Data Protection Officer

NHS Kent and Medway

Kmicb.gpdpoteam@nhs.net

Privacy notice regarding the same day access hub (SDAH) to support the winter pressures


Same Day Access Hub (SDAH) – the purpose of SDAH is to support the winter pressures and increase capacity within primary care enabling more face to face appointments to be made available to meet demand.

 

The source of the information shared in this way is your electronic GP record that is accessed at a central or hub level. A constituent GP practice completes a cross organisational appointment booking from their clinical system within which the patient is registered to the central Clinical Service appointment book. Although this central clinical system will not hold patients’ healthcare information, it will contain the appointment booking itself which will include the patient’s full name, date of birth, age, NHS number and the reason for the appointment booking.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Any data (booking information) held by the hub will also be retained for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following UK GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following UK GDPR and DPA conditions:

GDPR Article 9 (2) (h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2), health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related legislation:

Section 251B Health and Social Care (Safety and Quality) Act 2015 (Duty to Share);

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

          - the accuracy of the data is contested,

          - the processing is unlawful, or

          - we no longer need the data for the purposes of the processing.

 

Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

Right to complain: If you are dissatisfied with the way your GP Practice processes your data, please contact your GP practice directly in the first instance via the ‘Contact Us’ section on our website.

You can also contact the Ashford GP Federation via kmicb.ashford.clinicalproviders@nhs.net for strictly Federation related enquiries.

 

You also have the right to appeal/complain to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

 

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

 

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/ 

 

 

 


