This notice describes how we may use your information to protect you and others during the Covid-19 (Coronavirus) outbreak. It supplements our main Privacy Notice which is available on our website.
In the current emergency it has become even more important to share health and care information quickly across relevant organisations, to deliver care to individuals, support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. The health and social care system is facing significant extra pressures due to the Covid-19 outbreak.
Existing law allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. The Secretary of State requires NHS Digital; NHS England and NHS Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any arrangements put in place specifically to use or share information during the Covid-19 are temporary and will be limited to the period of the outbreak unless there is another existing legal basis that covers the use and sharing of that data.
During the COVID-19 outbreak London Clinical Commissioning Groups will not process any new requests to opt-out of local data sharing arrangements such as the One London Health and Care Record exemplar, Connecting your Care or The National Data Opt-Out.
All opt-out requests currently submitted will be held until the outbreak ceases at which point, the request to opt-out will be processed.
It may take us longer to respond to Subject Access Requests and Freedom of Information requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example, neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance, such as Public Health England, for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. During this period of emergency, you may be offered a consultation via telephone or videoconferencing. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
Primary Care Partners Limited is the data controller for any personal data that we hold about you.
Data Protection Officer
The Practice Data Protection Officer is Hasib Aftab of Primary Care Partners Limited. Any queries regarding Data Protection issues should be addressed to him at:
Primary Care Partners Limited
26-28 Streatham Place
Purpose of the processing of your data
The purpose of the envisaged temporary Covid-19 data flows is to effectively treat and prevent the onward spread of COVID-19, as such there is a need to share Patient Identifiable Data and Special Category (or sensitive) information. However, for each new data flow a review will be undertaken to ensure that the minimum amount of personal data is processed and processed securely.
Lawful basis for processing your data
Under the General Data Protection Regulation (EU GDPR), Article 6, 1(c)- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
There are a number of pieces of legislation currently available to allow the processing of personal data and special category data in response to public health breakouts, which includes:
- Public Health (Control of Disease) Act 1984
- The Health and Social Care Act 2008 (by virtue of The Care Act 2014)
The relevant basis in UK law is set out in the Data Protection Act (DPA) 2018, in Schedule 1 condition 2. This condition covers the following purposes:
- preventive or occupational medicine;
- the assessment of an employee’s working capacity;
- medical diagnosis;
- the provision of health care or treatment;
- the provision of social care (this is likely to include social work, personal care and social support services); or
- the management of health care systems or services or social care systems or services.
Article 9(3) of the GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes:
- a health professional or a social work professional; or
- another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
By virtue of the Data Protection Act 2018 (c. 12) Schedule 1 — Special categories of personal data and criminal convictions etc data, Part 1 – Conditions relating to employment, health and research etc, paragraph 3(a), processing meet the GDPR Article 9 condition ‘if processing is necessary for reasons of public interest in the area of public health’.
Recipient or categories of recipients of the processed data
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.
Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulation (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.
All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for Primary Care Partners, an appropriate contract (art 24-28) will be established for the processing of your information.
In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. If some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.
Right to access and correct
All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the South West London CCG.
Right to Complain
You have the right to complain to the practice, to the Data Protection Officer (details above) or the Information Commissioner’s Office (ICO), you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Note: This Privacy Notice issued sets aside the requirements of Common Law Duty of Confidentially for COVID-19 purposes, Regulation 4 Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.