Trosnant Lodge

Privacy Notice

The Privacy Notice explains why the GP practice collects information about you and how that information may be used.

Health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in Clinic, etc.). These records are used to help provide you with the best possible healthcare.

NHS health care records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records this GP Practice holds about you may include the following information:

  • Details about you, such as your name, address, carers, legal representatives and emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by our Local Health Board and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Medicines Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up-to-date and cost-effective treatments. This service is provided to practices within Aneurin Bevan University Health Board by the Health Board.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018 and General Data Protection Regulation 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To share or not to share review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information: To share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality”. This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs
  • Local Health Boards
  • Digital Healthcare Wales
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Social Care Services
  • Health and Social Care
  • Local Authorities
  • Fire and Rescue Services
  • Police and Judicial Services
  • Education providers
  • Legal and Risk Services
  • Public Health Wales
  • NHS Shared Services
  • Other “data processors” which you will be informed of

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.

The Practice will only use and share your information where there is a legal basis to do so.

The legal basis for most of our processing relates to your direct care and treatment:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special category data, for example data concerning health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special category personal data for purposes related to the commissioning and provision of health services the condition is:

  • Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service; or
  • Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

The Practice may also process your personal data for the purposes of research, in such circumstances our legal basis for doing so will be:

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we process special category personal data for research purposes the legal basis for doing so is:

  • Article 9 (2)(a) – you have provided your explicit consent
  • Article 9 (2)(j) – processing is necessary for scientific or historical research purposes or statistical purposes.

The Practice may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes the legal basis for doing so is:

  • Article 6 (1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6 (1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6 (1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special category personal data for these purposes, the legal basis for doing so is:

  • Article 9 (2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
  • Article 9 (2)(g) – processing is necessary for reasons of substantial public interest.

In rare circumstances we may need to share information with law enforcement agencies or to protect the wellbeing of others, for example to safeguard children or vulnerable adults. In such circumstances our legal basis for sharing information is:

  • Article 6 (1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6 (1)(d) – processing is necessary to protect the vital interest of the data subject or another natural person; or
  • Article 6 (1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where we share special categories of personal data for the purposes of safeguarding, the legal basis for doing so is:

  • Article 9 (2)(g) – processing is necessary for reasons of substantial public interest; Data Protection Act 2018 S10 and Schedule 1, Paragraph 18 ‘Safeguarding of children and individuals and children at risk’.

Retention of your personal information / storing your information

We are required by UK law to keep your information and data for a defined period, often referred to as a retention period. The Practice will keep your information in line with national guidance which can be found here: https://www.bma.org.uk/advice-and-support/ethics/confidentiality-and-health-records/retention-of-health-records

Access to personal information

You have the right under the Data Protection Act 2018 to request access to view or to obtain copies of what information the surgery holds about you and have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the GP – for information from the hospital you should write direct to them
  • There may be a charge to have a printed copy of the information held about you
  • We are required to respond to you within 30 days
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located

Objections / Complaints

Should you have concerns about how your information is managed at the GP, please contact the GP Practice Manager. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioner’s Office (ICO) via their website (www.ico.gov.uk).

If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the practice.

Change of details

It is important that you tell the person treating you if any of your details, such as your name or address, have changed or if any of your details, such as date of birth, are incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.

Notification

The Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner to describe the purpose for which they process personal and sensitive information.

This information is publicly available on the Information Commissioner’s Office website: www.ico.org.uk

The Practice is registered with the Information Commissioner’s Office (ICO).

Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential, is:

Trosnant Lodge Medical Practice

Contact details of our Data Protection Officer

The Practice is required to appoint a Data Protection Officer (DPO). This is an essential role in facilitating practice accountability and compliance with UK Data Protection Law.

Our Data Protection Officer is:

Digital Health and Care Wales

Information Governance, Data Protection Officer Support Service

4th Floor Ty Glan-yr-Afon, 21 Cowbridge Road East, Cardiff CF11 9AD

Email: DHCWGMPDPO@wales.nhs.uk

Your Rights

The General Data Protection Regulation (GDPR) includes a number of rights. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.

The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below:

  • Right to be informed – your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly at the point of contact.
  • Right of access – you have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose. A situation in which we may not provide all the information is where in the opinion of an appropriate health professional disclosure would be likely to cause serious harm to your, or somebody else’s, physical or mental health.
  • Right to rectification – you have the right to ask us to rectify any inaccurate data that we hold about you.
  • Right to erasure (‘right to be forgotten’) – you have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.
  • Right to restriction of processing – you have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this, for example where you contest the accuracy of the data.
  • Right to data portability – this right is only available where the legal basis for processing under GDPR is consent, or for the purposes of a contract between you and the Practice. For this to apply the data must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.
  • Right to object – you have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your objection relates to marketing.
  • Rights in relation to automated individual decision-making including profiling – you have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.
  • Right to complain to the Information Commissioner – you have the right to complain to the Information Commissioner if you are not happy with any aspect of the Practice’s processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details of the Information Commissioner are:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF

Website: www.ico.org.uk

Tel: 0303 123 1113

Complaints

Should you have any concerns about how your information is managed by the Practice, please contact the Practice Manager at the following address:

Sophie Tonks

Practice Manager

Trosnant Lodge Medical Practice

Trosnant Street

Pontypool

NP4 8AT

Or by email to practice.manager.w93055@wales.nhs.uk

If you are still unhappy following a review by the Practice, you can then complain to the Information Commissioner’s Office (ICO): www.ico.org.uk, casework@ico.org.uk, telephone: 0303 123 1113 (local rate) or 01625 545 745

Date published: 15th June, 2022
Date last updated: 21st June, 2022