This website uses cookies to function correctly.
You may delete cookies at any time but doing so may result in some parts of the site not working correctly.

General Data Protection Regulations (GDPR)

Updated: 16th May 2018

General Practice Privacy Notice

The information we hold on you

Our practice keeps data on you relating to who you are, where you live, contact details, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, if you have a carer, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.

Identifying patients who might be at risk of certain diseases

  • Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
  • This means we can offer patients additional care or support as early as possible.
  • This process will involve linking information from your GP record with information from other health or social care services you have used.
  • Information which identifies you will only be seen by this practice.

If you would like more information, please speak with the practice manager.

Who we share information with

As GPs, we cannot handle all your information ourselves, so we need to delegate this responsibility to others within the practice and sometimes with other organisations.

If your care requires treatment outside the practice, we will exchange with those providing such care and treatment whatever information may be necessary to provide safe, high quality care.

Once you have seen the care provider, they will normally send us details of the care they have provided you with, so that we can understand your health better.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law, however we will gladly discuss this with you in more detail if you would like to know more.

The Practice team (clinicians, administration and reception staff) only access the information they need to allow them to perform their function and fulfil their roles.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

Data Controller

Chatfield Health Care

Data Protection Officer

Mr Tim Hodgson

Purpose of Processing your personal information

 

Direct Care is care delivered to the individual alone, most of which is provided in the surgery.

After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc.

The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

The practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. Diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

Lawful Basis for Processing your personal information

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

Recipient or categories of recipients of your personal data

The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.

In addition, personal data may be shared which is sent to or may be received from providers such as our 8to8 hubs (who provide some evening and weekend appointments on behalf of the practice), 111, out of hours services, local social services and care services, or other services the Wandsworth clinical commissioning group has commissioned.

In all cases, we ensure the data is supplied is appropriate and within the law.

Your right to object

You have the right to object to some or all the information being processed, which is detailed under Article 21.

Please contact the Data Controller or the practice manager.

You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

Your right to access and correction

You have the right to access the data that is being shared and have any inaccuracies corrected.

There is no right to have accurate medical records deleted except when ordered by a court of Law.

How long do we hold your personal data for?

We retain your personal data in line with both national guidance and law, which can be found here:

https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

Your right to complain

Use of personal data is overseen by the Information Commissioners Office, often known as the ICO.

You have to complain or raise concerns with the ICO and they can be contacted via their website:

https://ico.org.uk/global/contact-us/  

Or you can also call their helpline

Tel: 0303 123 1113 (local rate)

01625 545 745 (national rate)

Updated: 25th May 2018

NHS Transparency Notice

How the NHS and Care Services Use Your Information

Data Security & Protection Policy

Updated: 22nd March 2019

Connecting Your Care Privacy Notice

The information we hold on you

This privacy notice explains why health and care providers collect information about you and how that information may be used. For additional information about our ‘Connecting Your Care’ programme please also see ‘Connecting Your Care’ leaflet and Frequently Asked Question or visit: www.swlondon.nhs.uk/connectingyourcare. 

The health and care professionals who look after you maintain health and care records that contain details of any treatment or care you have received previously or are receiving. These records help to provide you with the best possible care. 

NHS patient health and care records may be electronic, on paper or a mixture of both, and a combination of working practices and technology ensure your information is kept confidential and secure. Records which health and care providers hold about you may include the following information: 

  • Details about you, such as address, contact details and next of kin
  • Any contact the health or care provider has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes/reports and assessments about your health and care
  • Details about your planned treatment and care
  • Results of investigations, such as blood tests, x-rays, etc.
  • Relevant information from other health and social care professionals, relatives or those who care for you
  • If you have had a social care assessment, the type of assessment and the date of the next planned review.

The information shared about you is used by the health and social care professionals looking after you to make sure they have the most up to date information available to them so that they can quickly assess you and make the best decisions or plans about your care. At the moment, each care organisation has a different system for managing your records, and there is no way for the information held in these records to be shared electronically in “real time”, i.e. immediately. This means that when a health or social care professional needs to know more about you, they must ask for this information by old fashioned methods, such as telephoning, faxing, or requesting paper copies of your records, all of which can take time, lead to losses of data, or gaps in what is provided. 

Connecting your Care will introduce a new system that will provide a “connected” electronic view between each of these different systems so that the people looking after you can immediately see important information from each of the services that you use, to help them make the best decisions about your care. 

We are required by law to provide you with the information in the following 9 subsections. We have also set out a list of definitions below.  

1) Controller contact details

 

 

Chatfield Health Care

50 Chatfield Road

London SW11 3UJ

Tel: 020 3764 0822 Email: WACCG.chatfield-health@nhs.net

2) Data Protection Officer contact details

 

 

Mr Tim Hodgson (Deputy Practice Manager

Tel: 020 3764 0822

3) Purpose of the processing

Information will be shared in order to facilitate “Direct Care” that is delivered to the individual – that is, where a health or care organisation has direct contact with a patient or service user in order to provide them with immediate care or treatment.

Direct Patient Care is defined by the Caldicott Review in 2013 as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this organisation, and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the: Data Protection Act 2018/General Data Protection Regulation 2016:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

 

Health and social care services are under legal obligations to share information for the purposes of direct care.

 

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” * 

5) The Sources of the Data and the Recipient or categories of recipients of the processed data

For the first part of this programme we will be connecting your GP system with the local hospital, so your GP can see your hospital record and health professionals in hospitals can see your GP record. In some areas, where other services are already sharing more information than this, then these services will also be included in the first phase. 

When other organisations are joining or there is substantial change to the system you and the general public will be informed or you can visit our website for an update: www.swlondon.nhs.uk/connectingyourcare.

Organisations in the first phase are

  • SWL GP Practices (GPs in Croydon, Merton, Kingston, Richmond, Sutton and Wandsworth boroughs)
  • Croydon Health Services NHS Trust
  • St George’s Healthcare NHS Trust
  • Kingston Hospital NHS Foundation Trust
  • South West London and St George’s Mental Health Trust
  • Your Healthcare Community Interest Company
  • Royal Borough of Kingston Adult Social Care
  • Epsom & St Helier University Hospitals
  • London Borough of Sutton Adult Social Care
  • London Borough of Sutton Children’s Community Services
  • Epsom and St Helier University Hospitals Adult Community Services.

After this first phase, we will move into Phase 2 to gradually bring other care organisations on board, so your health and care record will be available wherever you go in London.

6) Right to Opt Out

You have the right at any time to opt out of electronic information sharing. If you decide to opt out, then no information will be shared about you via this system.

If you would prefer your information not be shared, you will need to submit an opt out form. These are available from your GP Practice, the Patient Advice and Liaison Office at your local hospital and can be downloaded from: www.swlondon.nhs.uk/connectingyourcare.

Opting out of the connected-care record view will not mean that your information will not be shared between the people looking after you, just that it will continue to be shared as it is now – via phone, email, fax and letter. Therefore, your care will be no different to how it is now - you will just not be able to take advantage of the benefits that sharing your important information quickly and “in real time” could bring you – especially in emergency situations. 

You will need to tell each health and care professional looking after you about your medical history, your treatment, allergies and medications at every appointment or hospital visit. Decisions about your care may take longer and appointments and tests may be repeated.

If you have any questions or concerns regarding the information held about you or the use of your information, please visit:

www.swlondon.nhs.uk/connectingyourcare or contact us at:

Email: connectingyourcare@swlondon.nhs.uk.

Phone:  020 3688 3100  

7) Rights to object

You have the right to object to some or all the information being processed under Article 21 GDPR. Please see section 6 of this privacy notice or alternatively, contact the Data Protection Officer at your care provider for more information. You should be aware that this is a right to raise an objection which will be considered; this is not the same as having an absolute right to have your wishes granted in every circumstance. 

8) Right to access and correct

You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider.

If your health or care provider holds information about you, and you make a subject access request they will:

  • Give you a description of it
  • Tell you why it is being held
  • Tell you who it could be shared with
  • Let you have a copy of the information in an intelligible form.

 

If you would like to make a ‘subject access request’, you will need to contact your health or care provider’s Data Protection Officer in writing.

There is no right to have accurate medical records deleted except when ordered by a Court of Law.

 

8) Retention period

The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016.

9)  Right to Complain.

You have the right to complain regarding the use and sharing of your data, if you think the information has been shared inappropriately. Each provider will have their own complaints process and you will need to contact them directly.

 

You can also contact the Information Commissioner’s Office via the following link https://ico.org.uk/global/contact-us/ 

 

or call their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate).

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or ‘case’ law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent or, in the absence of consent, a legitimising purpose.

Updated: 11th November 2019

General Practice You & Type 2 Privacy Notice - Direct Care, (routine care and referrals)

Plain English explanation

The purpose of the You & Type 2 project is to allow people with Type 2 Diabetes to co-create care plans with their health care professional. Patients will also be given access to an app which will allow the patient to manage care plans and keep them informed between appointments.

The app will take your latest results and allow the setting of goals with your healthcare professional and display this back to you in a user-friendly format.

The app will also provide access to the education, digital tools and real-world social prescribing resources to enable you, the patient, to better plan and meet goals set. This should enable you to lead a healthier life.

The use of personalised video messaging will further aid you to better manage your symptoms and prevent deterioration of the disease.

There are a number of organisations involved in this project. Organisations that will have access to Personal confidential data are:

  • Chatfield Health Care - Controller
  • Oviva - Controller
  • Wandsworth CCG - Processor
  • NEL CSU - Processor
  • EMIS - Sub Processor
  • Healum - Sub Processor
  • Citizen Comms - Sub Processor

Chatfield Healthcare keeps data on you relating to: who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations. If your health needs require care from others, elsewhere outside this practice, we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services but this is not always the case.

Your consent to this sharing of data, within Chatfield Health Care and with those others outside the practice is assumed and is allowed by the Law.

People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see: your name, address, contact details, appointment history and registration details in order to book appointments. The practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.

You have the right to object to our sharing your data in these circumstances, but we have an overriding responsibility to do what is in your best interests. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

 

Controller contact details

 

Chatfield Health Care

50 Chatfield Road

London

SW11 3UJ

 

Data Protection Officer

 

Mr Tim Hodgson

Tel: 020 7350 5222 Email: tim.hodgson1@nhs.net

Purpose of the processing

Direct Care is care delivered to the individual alone, most of which is provided in the surgery.

After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc.

The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

Lawful Basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.*

Recipient or categories of recipients of the processed data

The data will be shared specifically for the Diabetes Test Bed Project with Health and care professionals employed by the following organisations:

 

·         Oviva – Controller

·         Wandsworth CCG – Processor

·         NEL CSU – Processor

·         EMIS – Sub Processor

·         Healum – Sub Processor

·         Citizen Comms – Sub Processor

 

Your right to object

You have the right to object to some or all the information being processed, which is detailed under Article 21.

Please contact the Data Controller or the practice manager.

You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

Your right to access and correction

You have the right to access the data that is being shared and have any inaccuracies corrected.

There is no right to have accurate medical records deleted except when ordered by a court of Law.

How long do we hold your personal data for?

We retain your personal data in line with both national guidance and law, which can be found here:

https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

or speak to your GP practice.

Your right to complain

You have to complain to the Information Commissioner’s Office, you can use this link:

https://ico.org.uk/global/contact-us/  

Or you can also call their helpline

Tel: 0303 123 1113 (local rate)

01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.


Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website