Annex A – Practice privacy notice
Upper Nithsdale Group Practice has a legal duty to explain how we use any personal information we collect about you, as a registered patient at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
How we will use your information
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Information Services Division Scotland (ISD Scotland) or others when the law allows.
In order to comply with its legal obligations, this practice may send data to ISD Scotland when directed by the Secretary of State for Health under the Public Health (Scotland) Act 2008. Additionally, this practice contributes to national clinical audits and will send the data that is required by ISD Scotland when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
GDPR stands for General Data Protection Regulation and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must comply with subject access requests
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for patient data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Higher fines for data breaches – up to 20 million euros
What is ‘patient data’?
Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc.
What is consent?
- Explicit consent under GDPR is distinct from implied consent for sharing for direct care purposes under the common law duty of confidentiality. Where there is a request for personal confidential data from an insurance company, solicitor or employer, the lawful basis and lawful condition for processing will be explicit consent from the patient.
- Where there is the requirement to disclose under Legislation, the lawful basis to disclose would be for compliance with legal obligation.
- GDPR creates a lawful basis for processing Special Category health data when it is for the provision of direct care, which does not require explicit consent.
- Special Category condition for processing for direct care is that processing is “necessary for the purposes of preventative or occupational medicine, medical diagnosis, provision of health or social care systems and services”.
Person to contact regarding Data Protection matters
Practice Contact Details:
Upper Nithsdale Group Practice
Station Road, Sanquhar, Dumfriesshire, DG4 6BT
Telephone: 01659 50221
Email: [email protected]