Quantock Medical Centre
01278 732 696

Dispensary
01278 733385

Fair Processing

Fair Processing notice and is published to ensure transparency. This list is not exhaustive.  Where the offering of a service to a patient will inform them about the sharing of their data, eg support from smoking cessation services, it is not necessarily included here.  This list does not set out uses of anonymous data where identity has been completely removed (such as anonymised data to the Department for Work and Pensions on provision of ‘fit notes’).

Shared Care Records – Somerset Integrated Digital electronic Record (SIDeR)

Purpose

To ensure you receive effective, safe care, we will, through digital means enable your record to be available to those providing your care in whichever care setting you are seen, such as an A&E attendance, a physiotherapy appointment, a social care needs assessment.

In order to achieve this, the aim of Shared Care Records is to enable health and care staff to view your information, to save valuable time in getting you the right treatment. Your information will only be available to the staff involved in your direct care, and not at any other time, or for any other reason.

Further information can be found on the SIDer website.

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’
  • Processor – Black Pear

Summary Care Record

Purpose

The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’
  • Further information can be found on the Summary Care Records website
  • Controller of summary care record dataNHS Digital

Test requests and results

Purpose

Some basic identifying details, the type of test requested and if required any relevant health information is shared with Pathology Laboratories when tests such as blood or urine tests need to be undertaken. The laboratory will also hold the details of the request and the result.  The result/report will be sent electronically to the practice who will hold it in the patient’s record.

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’
  • Controller of test dataThe laboratory that process the request and result are a controller of the data generated by the test process

Research

Purpose

We may share personal confidential or anonymous information with research companies. Where you have opted out of having your identifiable information shared for this purpose then it will not be used. Details on how to opt out are on the NHS data matters website

  • Legal Basis – consent is required to share confidential patient information for research, unless there is have support under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales
  • The organisation leading the research will be the controller of data disclosed to them

Individual Funding Requests

Purpose

We may need to process your personal information where we are required to apply for funding for a specific treatment for you for a particular condition that is not routinely available.

  • Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time. If you are happy for the request to be made, the basis for processing your data is:  Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’
  • Your data will be disclosed to the Clinical Commissioning Group who manages the individual funding request process

Child health information service

Purpose

We wish to make sure that your child has the opportunity to have immunisations and health checks when they are due. We share information about childhood immunisations, the 6-8 week new baby check and breast-feeding status with health visitors and school nurses.

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’
  • Controller to which data is disclosed: Health Intelligence Ltd

Risk stratification – preventative care

Purpose

‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

Information about you is collected from a number of sources including NHS Trusts and your GP Practice. A risk score is then arrived at to help us identify and offer you additional services to improve your health.

In addition data with your identity removed is used to inform the development and delivery of services across the local area.

If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013)) and this approval has been extended to the end of September 2022 NHS England Risk Stratification  which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

  • Controller to which data is disclosed: Somerset CCG
  • please note that identifiable data is not disclosed to other controllers

Public Health

  • Screening programmes (identifiable)
  • Notifiable disease information (identifiable)
  • Smoking cessation (anonymous)
  • Sexual health (anonymous)

Purpose

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. Personal identifiable and anonymous data is shared.  More information can be found at NHS population screening explained website or speak to the practice.

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’
  • Controller to which data is disclosed: Public Health Services (England), and Somerset County Council (ie Council)

NHS Trusts

Purpose

Personal information is shared with Hospitals, Community Services, Mental Health Services and others in order to provide you with care services. This could be for a range of services, including treatment, operations, physio, and community nursing, ambulance service.

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.
  • Controller to which data is disclosed: Somerset Foundation Trust

Care Quality Commission

Purpose

The CQC is the regulator for the English Health and Social Care services to ensure that safe care is provided. They will inspect and produce reports back to the GP practice on a regular basis. The Law allows the CQC to access identifiable data but only where it is needed to conduct their services.

More detail on how they ensure compliance with data protection law (including GDPR) and their privacy statement is available on the Care Quality Commission website.

  • Legal Basis – Article 6(1)c “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)h ‘management of health and care services’
  • Controller data is disclosed to – Care Quality Commission

Payments

Purpose

Payments to the practice come in many different forms. Some payments are based on the number of patients that receive specific services, such as diabetic reviews and immunisation programmes. In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services, this data contains limited identity if needed, such as your NHS number. The release of this data is required by English laws.

  • Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)(h) ‘as stated
  • Controllers that data is disclosed to – NHS England, CCG, Public Health

Patient Record data base support

Purpose

The practice uses electronic patient records. Our supplier of the electronic patient record system is EMIS Ltd

Our supplier does not access identifiable records without permission of the practice and this is only given where it is necessary to investigate issues on a particular record

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’

Medicines optimisation

Purpose

We use software packages linked to our patient record system to aid when prescribing drugs. These ensure that prescribing is effective. We do not share your identifiable data with the companies that provide these packages

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Multi-disciplinary teams

Purpose

We work closely with a range of other care providers to deliver the best care possible for you. Multi-disciplinary teams are our way of bringing together care providers for conversations in a confidential environment about care arrangements for you where this is appropriate. For example, if you have a number of long term conditions and would benefit from additional support. Where possible, we will inform you that your care will be discussed in this type of forum. However, if this may not always be possible and in these circumstances, we will consider your best interests and will share information on this basis.

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Clinical Audit

Purpose

Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long term conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.

  • Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.
  • ControllerSomerset Clinical Commissioning Group

National Fraud Initiative – Cabinet Office

Purpose

The use of data by the Cabinet Office for data matching is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information go to the Code of Data Matching Practice website.

NFI activities vary each year, so data would only be disclosed if required by the focus of their activities

  • Legal BasisPart 6 of the Local Audit and Accountability Act 2014
  • Controller Cabinet Office

National Registries

Purpose

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

  • Legal BasisSection 251 of the NHS Act 2006

Police

Purpose

The police may request information in relation to on-going enquiries, all requests are reviewed and only appropriate information will be shared under legislation.

Legal Basis

  • Article 6(1)e – task carried out in the public interest
  • Article 9(2)c – Vital Interests
  • Article 9(2)f – Legal claims or judicial acts
  • Article 9(2)g – Reasons of substantial public interest

Controller disclosed to – Police

Date published: 5 August 2021
Date last updated: 5 August 2021