1. Being transparent
Procare Health Limited [Procare] is committed to being transparent and providing accessible information to patients and the public about how we will use personal data. This is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).
The following notice reminds you of your rights in respect of the above legislation and how Procare will use your information to deliver your care and support the effective management of the local health and social care system.
This notice reflects how we use information for:
- The management of patient records;
- Communication concerning Procare’s activities, and your clinical, social and supported care;
- Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
- Participation in health and social care research; and
- The management and clinical planning of services to ensure that appropriate care is in place for people today and in the future.
2. Who we are
Who are we:
Procare Health Limited, c/o room 67, Haslemere Hospital, Church Lane, Haslemere, Surrey, GU27 2BJ
Main office phone: 01483 782329
What are we:
The GP Federation for GP practices in Guildford and Waverley, Surrey
Data Protection and Subject Access Contact:
Debbie Sampson: Debbie.email@example.com
3. What information do we collect and use?
We will collect information from you directly and from other organisations engaged in the delivery of your care. This information will include:
- ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to, name, date of birth, full postcode, address, next of kin and NHS Number; and
- ‘Special category data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.
Procare records all information about patients they care for within an electronic healthcare record. This may also contain information patients provide to us about their health and any treatment or care they have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services). We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.
When a patient attends an Extended Access appointment, Procare is also able to access the medical records held by your GP Practice to enable our clinicians to see the most up to date care records and provide you with safe and effective care.
3. Why do we collect this information?
Procare has been commissioned to provide Extended Access Services within the Guildford and Waverley area under the NHS Act 2006 and the Health and Social Care Act 2012. Procare therefore has a statutory function to promote and provide the health service in England. To do this we need to process personal data in accordance with current data protection legislation to:
- Provide health care and treatment, including the delivery of preventative medicine and medical diagnosis;
- Perform tasks in the public’s interest;
- Protect your vital interests;
- Support the management of the health and social care system and services; and
- Pursue our legitimate interests as a provider of medical care.
4. How do we use this information?
To ensure that you receive the best possible care, your records will be used to facilitate the care you receive. Information held about you may be used to protect the health of the public and to help us manage the NHS. Information may also be used for clinical audit to monitor the quality of the service provided.
5. Who will we share your information with?
In order to deliver and coordinate your health and social care, we may share information with the following organisations:
- GP Practices supporting the delivery of the Extended Access Service;
- Your GP Practice to inform them of any care or treatment provided to you;
- Our pathology provider (Frimley Park Hospital) to enable tests to be carried our (e.g. blood tests);
- Other providers of health and social care that we may refer you to.
Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.
Your information will not be transferred outside of the European Union.
6. Who do we receive information from?
When a patient is booked in to an Extended Access appointment, Procare will obtain the most up to date information about you from the national electronic database of NHS patient details - The Personal Demographics Service (PDS). When a patient attends an Extended Access appointment, Procare is able to access the medical records held by your GP Practice to enable our clinicians to see the most up to date care records and provide you with safe and effective care.
7. How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and confidentiality and will only use information that has been collected lawfully. Every member of staff who works for an NHS provider has a legal obligation to keep information about you confidential, either as part of their professional registration as a healthcare professional or within their contracts of employment.
Only authorised Health and Social Care professionals will be permitted to access the records held by or accessible to Procare. Those involved in your care with a legitimate reason to access your information (such as your consent) will be able to see the information needed to help with your treatment, which will include the records held by your GP Practice which have been shared with Procare. In most circumstances, professionals will inform you before they access your full GP record to ensure you are happy for this to happen.
All access to confidential information is audited to protect against unauthorised or inappropriate access. We conduct annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.
8. Keeping your information secure
Procare stores all patient data within the NHS network, so it is secure. Patient information is encrypted so that only those people authorised to view the information can do so.
The legal basis for processing
The use and sharing of personal data within the UK is governed by the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018.
9. The Statutory ‘Duty to Share’
All providers of health and social care services, including Procare have a statutory duty placed on them by the Health and Social Care (Safety and Quality) Act 2015 requiring them to share information where this will facilitate care for an individual. This ‘duty to share’ provides a statutory gateway enabling providers of health and social care services to share information where this supports direct care. Procare therefore relies on this statutory duty to support the sharing of, and access to, personal data when providing healthcare services.
The Lawful Basis under the General Data Protection Regulation (GDPR)
The GDPR permits personal data to be shared where this is necessary for the performance of a public task:
Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The GDPR also allows special categories of personal data such as health information to be shared for medical purposes:
Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
10. Consent and Objections
10.1. Do I need to give my consent for data sharing?
Data Protection law sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps to build trust between individuals and organisations which use personal data. However, consent is only one potential lawful basis for processing information. Therefore, Procare may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. We will contact you if we are required to share your information for any other purpose which is not mentioned within this notice. Where your consent is requested, this will be documented within your electronic patient record.
10.2. What will happen if I withhold my consent or raise an objection?
If you are asked for your consent and you choose to withhold this, or if you provide consent and later decide to withdraw this, your decision will be respected. If the processing of your data relies on a legal basis other than consent, you can raise an objection to this which will be considered. You can raise an objection by contacting Debbie Sampson, Procare’s Data Protection Administrator – Debbie.firstname.lastname@example.org
11. Sharing of Electronic Patient Records within the NHS
Electronic patient records are kept by most providers of healthcare. Procare use an electronic system, EMIS, which enables your records to be shared between the Extended Access Service and your GP Practice.
Record sharing will be automatically set up between your GP Practice and the Extended Access Service if you book to attend an Extended Access appointment. You have the right to ask your GP Practice to disable this function or restrict access to specific elements of your record. NOTE This will mean that the information recorded by your GP will not be visible at any other care setting. You can revise and amend your preferences at any time by giving your permission to override your previous preference.
12. Your Rights
Procare ensures the rights of individuals are respected and upheld.
Everyone has the right to access their personal data. The Data Protection Act 2018 and General Data Protection Regulations (GDPR) allow you to find out what information is held about you, including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to access all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, Procare, or another provider that has delivered your treatment and care in the past. You should be aware that some details within your health records may be exempt from disclosure, however this will be in the interests of your wellbeing or to protect the identity of a third party.
If you would like access to the information which Procare holds about you, please submit your request in writing to:
Subject Access Contact:
Procare is responsible for ensuring the information we hold and share is accurate and up to date. You should ensure you inform us, and others who may be providing you with care such as your GP Practice, of anything which may have changed since your last interaction to ensure accurate records can be maintained.
Should you identify that any information we hold is inaccurate you should inform us. This will enable us to amend the information we hold. You can inform any member of Procare staff when attending an appointment, or contact Debbie Sampson, Debbie.email@example.com
Organisations are only permitted to keep information for as long as necessary. When information is no longer required it should be erased or destroyed. All information held by Procare is retained in line with the Records Management Code of Practice for Health and Social Care 2016.
Further rights to erasure do not apply to the care records held by Procare as these are considered a medico-legal record. If you have any questions or concerns about the content of your records you should speak to a member of Procare staff when attending an appointment, or contact Debbie Sampson, Debbie.firstname.lastname@example.org
16. Restrictions and Objections
You have the right to object to the way in which your data is held and used by Procare. If your objection relates to any direct marketing which Procare is conducting, your objection will be upheld. If your objection related to any other processing activity, you should provide specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. Procare will consider your objection and provide you with a response, either confirming that your objection has been upheld, or detailing the compelling legitimate grounds for the processing.
If you would like to register an objection to the processing of your personal data you should speak to a member of Procare staff when attending an appointment, or contact Debbie Sampson, Debbie.email@example.com
You have a right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO). Should you have a concern about Procare information rights practices you should first contact Procare’s Data Protection contact Debbie Sampson, Debbie.firstname.lastname@example.org. Should you remain dissatisfied you can find details of how to contact the Information Commissioner’s Office at https://ico.org.uk/.