How we use your information
This privacy notice explains why the Tregenna Group Practice collects personal information about you, and how that information may be used. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
As data controllers, GPs have responsibilities under the Data Protection Act 2018 (DPA18). This means ensuring that your personal data is handled in ways that are safe, transparent and what you would reasonably expect.
We respect your trust in us to use, store and share your information. In this notice we explain how we collect personal information about you, how we use it and how you can interact with us about it.
We try to keep this notice as simple as possible but if you are unfamiliar with our terms, or want more detail on any of the information here, please contact us on 0161 499 3777.
Capturing images – CCTV
Visiting our premises
Our premises are monitored by CCTV so your image may be captured whenever you enter our site boundary and within our premises. We use CCTV for maintaining public safety, the protection and security of our property and our staff and for the detection, prevention and investigating of crime. It may also be used to monitor staff when carrying out work duties.
For these reasons, the information processed may include visual images, including personal appearance and behaviour of those displayed and recorded on the system.
Where the CCTV is located on our premises but near a public space, it may also record these images even if you have not directly visited our premises.
There are signs to show you when you are entering an area monitored by our CCTV. CCTV images are normally held for 30 days and then deleted unless we require to retain them for investigative or policing enquiries.
Capturing images received by SMS message from patients
We currently use AccuRx which is a SMS text messaging system. This allows GPs to request a photo to be sent in to support a patient consultation. All patients are informed that when sending a picture this photo will be added to their medical record. AccuRx also stores the image as part of the process of transferring to the practice.
The stored photos are on UK servers which are fully encrypted to NHS standards, and are inaccessible by any AccuRx staff. They are stored for the period of time recommended by the NHS Records Management Code of Practice.
AccuRx data (including photos) is hosted on Microsoft Azure servers in their London Data Centre. All data sent is encrypted when in transit (when it is sent) and at rest (when it is stored). AccuRx follows the Microsoft Azure NHS Blueprint for Platform-as-a-Service web applications, specifically designed for NHS services.
Meeting our legal and regulatory obligations
To use your information lawfully, we rely on one or more of the following legal bases:
- For the performance of a task carried out in the public interest or where it is necessary in the exercise of official authority vested in us
- The performance of a contract
- Where the processing is necessary for compliance with our legal obligations
- Protecting the vital interests of you or others
- For our organisational legitimate interests; e.g. for incidental and ancillary data processing, for example the management of non-patient or medical databases used for our internal administrative purposes
- Where appropriate with your consent
- Where necessary for the purposes of preventative or occupational medicine, for the assessment of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
We also respect the common law duty of confidentiality and to satisfy the common law we may rely on implied consent to share confidential health data for the provision of direct care; for example, when a patient agrees to a referral from one healthcare professional to another.
Health care professionals are required to maintain records about your health including any treatment or care you have received within the NHS (e.g. NHS hospital trust, GP surgery, walk-in clinic, etc.). Using these records helps us to provide the best possible healthcare for our patients.
NHS health records may be processed electronically or on paper or a mixture of both and a combination of working practices and technology are used to ensure that your information is kept confidential and secure.
Records used and stored by this GP practice may include the following information:
- Any contact we have with you, such as appointments, clinic visits, emergency appointments, telephone triage etc.
- Notes and reports about your health
- Details about your treatment and care
- Details about you, including your date of birth, NHS number, address and next of kin etc.
- Results of investigations about you such as laboratory tests, x- rays, etc.
- Relevant information from other health professionals, agencies, relatives or those who care for you
This practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that such sensitive information is kept confidential.
However, we may disclose your personal information if:
- It is required by law
- You consent to do so – either implicitly (e.g. for your own treatment and care) or explicitly for other purposes (e.g. sending you newsletters etc.)
- It is justified in the public interest
Some of your personal data will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified.
Sometimes information about you may be requested to be used for research purposes. Tregenna Group Practice will always endeavour to gain your consent before releasing such information.
Under the powers of the Health and Social Care Act 2012 (HSCA) the Health and Social Care Information Centre (HSCIC) can request personal data from GP practices without seeking the patient’s consent.
Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.
Any patient can choose to withdraw their consent to their data being used in this way. When Tregenna Group Practice is about to participate in any new data-sharing scheme we will make patients aware by displaying prominent notices in the surgery and on our website, at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.
A patient can object to their personal information being shared with other health care providers, however if this limits the treatment that you can receive then the doctor will explain this to you at the time.
Risk stratification is a process for identifying and managing patients who are at a higher risk of emergency hospital admission. Normally, this is because patients have a long-term condition such as chronic obstructive pulmonary disease (COPD) or some cancers. NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.
In order to achieve this, information about you is collated from several sources, including this GP practice and from NHS Trusts etc. A risk score is then produced through an analysis of your anonymous information using computer programmes. Your information is only provided back to your GP or member of your care team in an identifiable form.
Risk stratification enables your GP to focus on the prevention of ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services.
You have the right to opt out of Risk Stratification.
Should you have any concerns about how your information is managed or wish to opt out of any data collection at Tregenna Group Practice, please contact Jennifer Barrett on 0161 499 3777 or your healthcare professional to discuss how the disclosure of your personal information can be restricted.
All our patients have the right to change their minds and reverse a previous decision. Please contact 0161 499 3777 if you change your mind regarding any previous decision.
If you have received treatment within the NHS, access to your personal information may be required to determine which Clinical Commissioning Group should pay for the treatment or procedure that you have received.
This information would most likely include information such as your name, address, date of treatment and may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices and will not be shared for any further purposes.
Personal data about any hospital attendance is obtained from the Health and Social Care Information Centre (HSCIC) and matched to NHS data to create a risk profile about you.
NHS Health Checks
All our patients aged 40-74, not previously diagnosed with cardiovascular disease, are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team at Tregenna Group Practice will see confidential information about you during the invitation process. Your details will be securely transferred to a third-party data processor (if appropriate). You may be offered the chance to attend your health check either within Tregenna Group Practice or at a local community venue. If your health check is at a community venue, all data collected will be securely transferred back into the Tregenna Group Practice system and nobody outside the healthcare team at Tregenna Group Practice will see any confidential information about you during this process.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the DPA18 and DPA 18, the Human Rights Act, the Common Law Duty of Confidentiality, the Health and Social Care Act 2012 and the NHS Codes of Confidentiality and Security.
All our staff, contractors and professional members receive appropriate and on-going training to ensure they are aware of their personal responsibilities. They also have employment contractual obligations to uphold your confidentiality, which are enforceable through disciplinary procedures. Your information may be shared internally, including with members of the practice team but only a limited number of authorised staff have access to your personal information (where it is appropriate to their role) and access is only allowed on a strict ‘need-to-know’ basis.
We strive to maintain our duty of confidentiality to you at all times. We will only ever use or pass on personal identifiable information about you if others involved in your care have a genuine need to have it. We will not disclose your information to any third-party without your permission, unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
We are mindful of the UK information sharing principle following Dame Fiona Caldicott’s information sharing review amongst health professionals. We recognise that our duty to share information can be as important as the duty to protect patient confidentiality. Therefore, we encourage our health and social care professionals to have the confidence to share information in the best interests of our patients within the framework set out by the Caldicott principles; ‘To share or not to share – the Information Governance Review’.
Who do we share your information with?
We may also share your information, subject to strict agreements on how it will be used, with other care providers and agencies. These could include:
- NHS and specialist hospitals, trusts
- Other GPs
- Independent contractors such as dentists, opticians, pharmacists
- Private and voluntary sector providers
- GP practice federations
- Ambulance trusts
- Clinical Commissioning Groups and NHS England
- NHS digital
- National institute for health and care excellence
- Care Quality Commission
- NHS improvement
- NHS shared business services
- Social care services and local authorities
- Education services
- Police and fire and rescue services
- Other ‘data processors’ during specific project work e.g. diabetes UK
Health and Safety requirements
If you have an accident whilst you are on any of our premises, this must be reported and will be recorded and kept for the purposes of health and safety and insurance requirements.
How do we protect your data?
We take the security of your data very seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Where we engage with third parties to process personal data on our behalf, we stipulate our privacy expectations in written instructions. They are under a strict duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Access to personal information
We aim to be as open as we can regarding access to personal information.
Individuals can find out if we hold any personal information about them by making a ‘subject access request’ under the DPA 18. You also have the right to require it to be amended or removed should it be inaccurate.
If we do hold information about you, we will:
- Give you a description of it
- Tell you why we are holding it
- Tell you who it could be disclosed to
- Let you have a copy of the information in an intelligible form provided it is lawful to do so
To make a request to Tregenna Group Practice for any of your personal information we may hold, you need to contact Jennifer Barrett our Data Protection officer on the data controller address given in this document.
You have the right to complain to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the DPA18 regarding your personal data.
How the NHS and care services use your information
Tregenna Group Practice is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending accident and emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at: www.hra.nhs.uk/information-about-patients (which covers health and care research); and www.understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is currently’ compliant with the national data opt-out policy.
We do not transfer or store your personal information outside the EEA.
How long we’ll keep your information
We only keep your information for as long as we need it. We’ll retain certain information (e.g. contact information and bank details) for as long as you have a relationship with us. The length of time depends on the purpose of the processing.
Complaints or queries
Tregenna Group Practice tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. We are happy to provide any additional information or explanation needed. Any queries you have should be addressed to: email@example.com or telephone us on 0161 499 3777.
You can also contact the Information Commissioner’s Office at www.ico.org.uk or write to
or 0303 123 1113 for information, advice or to make a complaint.
Any changes to this notice will be published on our website and on Tregenna Group Practice notice board.