Summary
Keeping your personal data safe is very important to us. This privacy notice will inform you of how we look after your personal data, and tell you about your privacy rights and how to exercise your rights under legislation.
Your personal data is stored securely at all times, in our clinical systems. Only authorised individuals who need access for the legal circumstances set out in the sections below can access your personal data and this is nothing related to the public website.
We may share information about you with other General Practices (GPs), NHS acute or mental health Trusts, community health providers, pharmacists, ambulance services, social services, and NHS commissioning organisations who are directly involved in providing or funding your care needs or for the purpose of indirect care (see secondary uses below). Your data will not be shared with anyone who is not listed in this privacy notice unless we are obliged by law.
We do not share your personal information with marketing and advertising companies, and we do not share your data with anyone who would take your data outside of the UK (GDPR) jurisdiction.
We will only share personal information about you with medical research organisations with your consent or as described in the section below, and you have the right withdraw your consent at any time by contacting the Practice/Service you are registered with. The national data opt-out allows people to opt out of their confidential information being used for research and planning. You can read more about it on the NHS.uk website.
A full list of the organisations we share information with, and why, is provided in the later section of this Privacy Notice.
What is this Privacy Notice About?
A privacy notice is a statement that describes how an organisation collects, use, retain and disclose personal data, or special categories of personal data. Different organisations
sometimes use different terms, and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.
Being transparent and providing accessible information to individuals about how an organisation will use their personal information is a key element of the UK General Data
Protection Regulation (UK GDPR) and the Data Protection Act 2018. To ensure that we process your personal data fairly, lawfully and transparently we are required by law to provide
you with the following information:
• What information we collect and process about you
• How we process your personal data
• The purpose of processing
• Recipients or categories recipients of your personal data
• The identity of our Data Protection Officer
• How long we retain personal information about you
• The lawful bases for processing
• Your rights – to view, request access copies of your personal information, or object to the processing of your personal information.
sometimes use different terms, and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.
Being transparent and providing accessible information to individuals about how an organisation will use their personal information is a key element of the UK General Data
Protection Regulation (UK GDPR) and the Data Protection Act 2018. To ensure that we process your personal data fairly, lawfully and transparently we are required by law to provide
you with the following information:
• What information we collect and process about you
• How we process your personal data
• The purpose of processing
• Recipients or categories recipients of your personal data
• The identity of our Data Protection Officer
• How long we retain personal information about you
• The lawful bases for processing
• Your rights – to view, request access copies of your personal information, or object to the processing of your personal information.
Who we are
Prime Practice Partnership is the brand name for a number of surgeries that provide primary healthcare services across England.
Sharing your personal infroamtion
This privacy notice explains why we collect information about you, how that information will be used, how we keep it safe and confidential and what your rights are in relation to this.
Types of personal information we proccess
Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received. These records help to provide you with the best possible healthcare and help us to protect your safety.
We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form
We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form
Our Commitment to Data Privacy and Confidentiality Issues
As a GP practice, all of our GPs, staff and associated practitioners are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation. This includes the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national Laws implementing them as amended from time to time. The legislation requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive)
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive)
Our identity and contact details
Broad Street Medical Centre, Morland Rd, Dagenham RM10 9HU / Tel : 02085964400 / Email: e.broadstreet@nhs.net
Our Data Protection Officer
Sohifa Kadir
Interim IG Lead – GP DPO
NHS North East London
Interim IG Lead – GP DPO
NHS North East London
Organisations we share your personal infromation with
Organisations we share information about you for the purposes of direct and indirect care, split into the few categories:
a. Direct Medical Care and Administration
b. Other primary care services delivered for the purposes of direct care
c. Statutory disclosures of Information
d. Processing for the purposes of Commissioning, Planning, Research and Risk
Stratification
e. Data sharing databases
a. Direct Medical Care and Administration
b. Other primary care services delivered for the purposes of direct care
c. Statutory disclosures of Information
d. Processing for the purposes of Commissioning, Planning, Research and Risk
Stratification
e. Data sharing databases
Details of data linage with other datsets
Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for statistical purposes,
stringent measures are taken to ensure individual patients cannot be identified.
When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases, there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.
Integrated Care Boards within our geographical areas are responsible for processing deidentified and linked data under this category, on our behalf. We ensure that the Processor is
legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
stringent measures are taken to ensure individual patients cannot be identified.
When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases, there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.
Integrated Care Boards within our geographical areas are responsible for processing deidentified and linked data under this category, on our behalf. We ensure that the Processor is
legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
Data retention period
All records held by Operose Health will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care 2021 and supplemented by our Records Management Standards.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, the amount,
nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data
and whether we can achieve those purposes through other means, and the applicable legal requirements have all been considered.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, the amount,
nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data
and whether we can achieve those purposes through other means, and the applicable legal requirements have all been considered.
The details of transfers of the personal data to any third countries or international orgnasations
We do not transfer your personal data to any third countries or international organisations.
What safeguards are in place to ensure data that identifies you is secure
We only use information that may identify you in accordance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These legislations
require us to process your data only if there is a lawful basis for doing so and that any processing must be fair, lawful and transparent.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held
on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
Our appropriate technical and security measures include:
The ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems
The ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
A process regularly testing, assessing and evaluating the effectiveness of security measures, and ensure they comply with the concept of privacy by design and default;
Encryption; Firewalls / VPN; Password protected files; Restricted Access Folders and System Audit.
require us to process your data only if there is a lawful basis for doing so and that any processing must be fair, lawful and transparent.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held
on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
Our appropriate technical and security measures include:
The ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems
The ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
A process regularly testing, assessing and evaluating the effectiveness of security measures, and ensure they comply with the concept of privacy by design and default;
Encryption; Firewalls / VPN; Password protected files; Restricted Access Folders and System Audit.
Cookies
Our websites use cookies to distinguish you from other user when you access our online services. A cookie is a small file of letters and numbers that we store on your browser when
you consent to use of our online services. This helps us to provide you with a good experience when you browse our site and enable us to improve our websites.
We use the following cookies:
• Strictly necessary cookies: These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to login to secure areas
of our websites.
• Analytical/performance cookies: They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our websites work, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies: These are used to recognise you when you return to our site. This enables us to personalise our content for you, greet you by name and remember
your preferences (for example, your choice of language or region).
• Targeting cookies: These cookies record your visit to our site, the pages you have visited and the links you have followed. We will use this information to make our site
more relevant to your interests. We may also share this information with third parties for this purpose.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies
(including essential cookies) you may not be able to access all or parts of our site.
Except for essential cookies, all cookies will expire after 12 months.
you consent to use of our online services. This helps us to provide you with a good experience when you browse our site and enable us to improve our websites.
We use the following cookies:
• Strictly necessary cookies: These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to login to secure areas
of our websites.
• Analytical/performance cookies: They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our websites work, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies: These are used to recognise you when you return to our site. This enables us to personalise our content for you, greet you by name and remember
your preferences (for example, your choice of language or region).
• Targeting cookies: These cookies record your visit to our site, the pages you have visited and the links you have followed. We will use this information to make our site
more relevant to your interests. We may also share this information with third parties for this purpose.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies
(including essential cookies) you may not be able to access all or parts of our site.
Except for essential cookies, all cookies will expire after 12 months.
What are your general rights
Where information from which you can be identified is held, you have the:
• Right of access to view or request copies of the record
• Right to rectification of inaccurate personal data or special categories of personal data
• Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
• Right not to be subject to any automated individual decision-making
• Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine-readable format. Your right to portability shall apply only where:
• data is processed by automated means, and
• you provided consent to the processing or,
• the processing is necessary for the fulfilment of a contract
• Right of access to view or request copies of the record
• Right to rectification of inaccurate personal data or special categories of personal data
• Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
• Right not to be subject to any automated individual decision-making
• Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine-readable format. Your right to portability shall apply only where:
• data is processed by automated means, and
• you provided consent to the processing or,
• the processing is necessary for the fulfilment of a contract
Right to object
In line with the Data Protection Legislation, you do not have the right to object to the processing of your personal information where:
• The purpose of the processing is for direct provision of care or safeguarding concerns. As a primary care and community health provider, we have legitimate compelling grounds under the Health and Social Care Act 2012 to process your personal information for the purposes of direct care delivery, and to prevent an individual from harm, or to prevent a serious crime. This include personal information concerning your health which we share with other GP Practices, NHS acute or mental health Trusts, social services, community health providers and pharmacists who are also involved in your care.
• The processing is necessary for compliance with a legal obligation to which we are subject. This includes information we share with statutory organisations, law enforcement and regulatory bodies such as NHS Digital (statutory data collection), NHS Counter Fraud, the Police, Courts of Justice, HMRC and DVLA.
You do not have the right to object to the processing of your personal information for risk stratification for indirect care purpose such as understanding the local population needs and
plan for future requirement in line with Section 251 NHS Act 2006.
You have the right to opt-out of: Summary Care Record, NHS Digital – National Data Opt-Out.
• The purpose of the processing is for direct provision of care or safeguarding concerns. As a primary care and community health provider, we have legitimate compelling grounds under the Health and Social Care Act 2012 to process your personal information for the purposes of direct care delivery, and to prevent an individual from harm, or to prevent a serious crime. This include personal information concerning your health which we share with other GP Practices, NHS acute or mental health Trusts, social services, community health providers and pharmacists who are also involved in your care.
• The processing is necessary for compliance with a legal obligation to which we are subject. This includes information we share with statutory organisations, law enforcement and regulatory bodies such as NHS Digital (statutory data collection), NHS Counter Fraud, the Police, Courts of Justice, HMRC and DVLA.
You do not have the right to object to the processing of your personal information for risk stratification for indirect care purpose such as understanding the local population needs and
plan for future requirement in line with Section 251 NHS Act 2006.
You have the right to opt-out of: Summary Care Record, NHS Digital – National Data Opt-Out.
Right to erasure (right to be forgotten)
Your right to erasure (right to be forgotten) applies where you had given ‘consent’ to process your personal data and later withdrew the consent. Right to erasure does not apply to the
extent where the processing of your personal health data is necessary for:
• Compliance with a legal obligation which we are subject to, under the UK law or, for the performance of a task carried out in the public interest or, in the exercise of
official authority vested on us;
• Medical purposes and/or for reasons of public interest in the area of public health; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
the establishment, exercise or defense of legal claims.
extent where the processing of your personal health data is necessary for:
• Compliance with a legal obligation which we are subject to, under the UK law or, for the performance of a task carried out in the public interest or, in the exercise of
official authority vested on us;
• Medical purposes and/or for reasons of public interest in the area of public health; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
the establishment, exercise or defense of legal claims.
Exercising your right or gaining access to the data we hold about you
By contacting your registered practice, you can exercise your rights at any time, or request to see or have copies of personal information we hold about you.
Right to complain
If you are dissatisfied with the way we process your data, please contact us and we will try to resolve your complaint.