Practice Policies & Patient Information
Access to medical records policy
Version | Author | Owner | Rationale | Date | Review date |
1.2 | S Forrester-Wild | Dianne Gotheridge – Practice Manager | · Addition of version page · Update of document | 5 April 2024 | 01 April 2025 |
1.3 | S Forrester-Wild | Dianne Gotheridge – Practice Manager | · Practice changed to Organisation to reflect the variety of healthcare organisations · Removal of name of DPO as this is no longer a requirement · Removal of reference to historical event in ‘Prospective Access to patient records online’ | May 2024 | May 2025 |
Introduction
The Law states that NHS organisations must consider a person’s request for access to their personal health information when it is requested. Therefore, a practice must have procedures in place to make access to the information easy and accessible.
Several areas of legislation give the individual the right to request such personal information:
- The Access to Medical Reports Act 1988
- The Access to Health Records Act 1990
- The UK General Data Protection Regulation 2021 (UK GDPR)
- The Data Protection Act 2018 (DPA)
Patients requesting their own personal medical records will have their request dealt with under the provisions of the Data Protection Act 2018 and UK GDPR 2021.
Online patient access to services does not change patients’ right to request access to their medical records under the provisions of the Data Protection Act (DPA) and UK GDPR. The DPA principles and confidentiality requirements apply in the same way for online access as they do for paper copies of the record.
1. The Health Record
A health record is any record which consists of information relating to the physical and/or mental health or condition of an individual made by a health professional in connection with the care of the individual. It can be recorded in a computerised form, in a manual form or a mixture of both.
Information covers expression of opinion about individuals as well as fact. Health records may include notes made during consultations and correspondence between health professionals, such as referral and discharge letters, results of tests and their interpretation, X-ray films, photographs, and tissue samples taken for diagnostic purposes. They may also include reports written for third parties, such as insurance companies.
2. Detailed Patient record Access includes:
The minimum specification described by NHS England in the patient online support and resources guide is:
- Demographic data ie name, address, age
- Allergies and adverse reactions
- Medication
- Immunisations
- Investigation results, including numerical values and normal ranges
- Problems/diagnoses
- Procedure codes (medical and surgical) and codes in consultations (symptoms and signs)
- Biological values (eg BP)
- Codes showing referrals made or letters received
- Other codes (ethnicity, QOF)
Prospective Detailed Coded Record will also include consultation free text and access to letters.
3. Medical Records Access – Staff Responsibility
Practice Manager and Caldicott Guardians
For the purposes of reviewing requests, the Practice Manager and a named Caldicott Guardian should ensure current data protection requirements are followed (the DPO can offer advice and support, if required).
The main duties of these roles are explained below:
Practice Manager or Deputy
- Verify the identity of the patient
- Process and co-ordinate the application
- Contact the patient to explain the process
- Review the medical records for third party information and redact information where consent has not been given
Caldicott Guardian
- Responsibility for reviewing the medical record and limiting or redacting sensitive and/or harmful information.
- Overall responsibility for decision to allow access
- The Caldicott Guardian will review the content of the medical record and ensure that sensitive or harmful data are not made available to the patient
- The Caldicott Guardian can refuse the request for the reasons given below
- The Caldicott Guardian will also check the record for quality, clarity of presentation, completeness, and accuracy.
4. Requests under the Data Protection Legislation
The scope of the Data Protection law includes the right of patients to request information on their own medical records. Requests for information under this legislation can be:
- In writing, this includes a letter or email
- Verbal requests can be accepted where the individual is unable to put the request in writing or chooses not to. A record of what is requested should be recorded and a letter for approval by the patient sent out (this must be noted on the patient record)
- SARs can also be submitted via the Organisation’s social media platforms
- Be accompanied with appropriate proof of identity (verification documents)
The Organisation can ask a patient to complete an application form to support the Subject Access Request, although this is not a requirement. Suitably trained and authorised reception staff should ensure the application form has been completed correctly and verify identity. If an application form is used this must be completed and signed by the patient.
Where an information request has been previously fulfilled, the Organisation does not have to provide the same request again unless a reasonable time-period has elapsed. It is up to the administrative/Caldicott Guardians to ascertain what constitutes a ‘reasonable time-period’.
5. Detailed Coded Records Access – Application
Patients will be given a leaflet on the benefits and risks to Detailed Coded Access to Records (promotional links to leaflets can be found below)
On completion of an application form, the administrative lead will review the application form and invite the patient into the Organisation to complete the following:
- Identity Verification
- Inform the patient of the benefits and potential risks to detailed coded access to records
- Advice leaflet will be given to the patient and application process and timescales will be discussed.
The administrative lead will check the records for third party information and redact information where appropriate. If it is not possible to remove information the Caldicott Guardian should be consulted.
The Caldicott Guardian will review the content of the medical record and ensure that sensitive or harmful data are not made available to the patient. The Caldicott Guardian may redact sensitive or harmful data if they consider it to be in the patient’s best interest.
The Caldicott Guardian can refuse the request for the reasons set out below.
The Caldicott Guardian will also check the record for quality, clarity of presentation, completeness, and accuracy.
If approved, the administrative lead will place an alert on the system to notify other members of staff that the patient has Detailed Coded Record access.
The completed application form should be scanned and attached to the patient’s record. The administrative lead will contact the patient to inform them of the outcome of the application, explain the next steps and provide any further information.
6. Identity Verification
Access to health records can only be granted when the patient’s identity has been verified. There are three ways of confirming patient identity:
- Documentation (Forms of Identification)
- Vouching
- Vouching with confirmation of information held in the applicant’s records
All applications for access to health records will require formal identification through two forms of ID, one of which must contain a photo. Acceptable documents include passports, photo driving licences and bank statements etc.
Where a patient may not have suitable photographic identification – vouching with confirmation of information held in the medical record can be considered. This should take place discreetly and ideally in the context of a planned appointment. It is extremely important that the questions posed do not incidentally disclose confidential information to the applicant before their identity is verified.
Adult proxy access verification – Before the Organisation provides proxy access to an individual or individuals on behalf of a patient further checks must be taken:
- There must be either the explicit informed consent of the patient, including their preference for the level of access to be given to the proxy, or some other legitimate justification for authorising proxy access without the patient’s consent
- The identity of the individual who is asking for proxy access must be verified
- The identity of the person giving consent for proxy access must also be verified. This will normally be the patient but may be someone else acting under a power of attorney or as a Court Appointed Deputy
- When someone is applying for proxy access based on an enduring power of attorney, lasting power of attorney, or as a Court Appointed Deputy, their status should be verified by making an online check of the registers held by the Office of the Public Guardian
Child proxy access verification – Before the Organisation provides parental proxy access to a child’s medical records the following checks must be made:
- The identity of the individual(s) requesting access
- That the identified person is named on the birth certificate of the child
- In the case of a child judged to have capacity to consent, there must be the explicit informed consent of the child, including their preference for the level of access to be given to their parent
Prospective access to patient records online
- Patients will now have access to their future full medical records, including free texts, letters, and documents once they have been reviewed and filed by the GP. This will not affect proxy access.
- There will be limited legitimate reasons why access to prospective medical records will not be given or will be reduced and they are based on safeguarding. If the release of information is likely to cause serious harm to the physical or mental health of the patient or another individual, the GP is allowed to refuse or reduce access to prospective records; third party information may also not be disclosed if deemed necessary. On occasion, it may be necessary for a patient to be reviewed before access is granted, if access can be given without a risk of serious harm.
7. Third Party Information
A Patient’s record may contain confidential information that relates to a third person. This may be information from or about another person. It may be entered in the record intentionally or by accident. This does not include information about or provided by a third party that the patient would normally have access to, such as hospital letters.
All confidential third-party information must be removed or redacted. If this is not possible then access to the health records may be refused.
8. Denial or Limitation of Information
Access to any health records can be denied or limited. This decision will be made by the Practice Manager and Caldicott Guardian for the Organisation.
Access will be denied or limited where, in the reasonable opinion of the Caldicott Guardian, access to such information would not be in the patient’s best interests because it is likely to cause serious harm to:
- The patient’s physical or mental health, or
- The physical or mental health of any other person
- The information includes a reference to any third party who has not consented to its disclosure.
A reason for denial of information must be recorded in the medical records and where possible an appropriate appointment will be made with the patient to explain the decision.
When can a subject access request be refused?
The Organisation can refuse a request where the request is ‘manifestly unfounded or excessive’ or ‘repetitive’. The requester must be informed of the reason why within one month of the receipt of the request. If the Organisation decides to apply this option, advice MUST be sought from the Data Protection Officer at [email protected]
9. Timeframe for responding to requests
The statutory timeframe is currently one month from receipt of the request, and in any event without delay, in accordance with Article 12 of the UK GDPR 2021.
This can be extended by a further two months where requests are determined to be ‘complex’ or ‘numerous’.
UK GDPR does not allow for a fee, so it must be provided free of charge. However, some charges can be made in the following circumstances:
- where further copies are requested by the data subject,
- or the request is manifestly unfounded or excessive (definitions still required by the ICO), in which case a reasonable fee based on the organisation’s administration costs may be charged
10. Proxy Access to Medical Records
Proxy access is when an individual other than the patient has access to an individual’s medical record on their behalf to assist in their care. Proxy access arises in both adults and children and is dealt with differently according to whether the patient has capacity or not.
The patient’s proxy should have their own login details to the patient’s record. If a patient wants to have more than one proxy, they should all have individual login details. In the current version of our electronic records system (EMIS Web) login details will be shared between the patient and the individual with proxy access.
Proxy access should not be granted where:
- There is a risk to the security of the patient’s record by the person being considered for proxy access;
- The Organisation suspects coercive behaviour;
- The patient has previously expressed the wish not to grant proxy access to specific individuals should they lose capacity, either permanently or temporarily, this should be recorded in the patient’s record;
- The Caldicott Guardian assesses that it is not in the best interests of the patient and/or that there are reasons as detailed in Denial or Limitation of Information
Proxy Access in Adults (including those over 13 years of age) with capacity
Patients over the age of 13 (under UK DPA 2021) are assumed to have mental capacity to consent to proxy access. Where a patient with capacity gives their consent, the application should be dealt with on the same basis as the patient.
In terms of online access, it may be possible to give the proxy different levels of access depending on the wishes of the patient and/or the views of the Caldicott Guardian, for example, some patients may want to allow a family member to have access only to book appointments and order repeat prescriptions without accessing the detailed care record.
Proxy Access in Adults (including those over 13 years of age) without capacity
Nursing/residential homes may be granted proxy access for patients under their care.
Proxy access without the consent of the patient may be granted in the following circumstances:
- The patient has been assessed as lacking capacity to make a decision on granting proxy access and has registered the applicant as a lasting power of attorney for health and welfare with the Office of the Public Guardian.
- The patient has been assessed as lacking capacity to make a decision on granting proxy access, and the applicant is acting as a Court Appointed Deputy on behalf of the patient.
- The patient has been assessed as lacking capacity to make a decision on granting proxy access, and in accordance with the Mental Capacity Act 2005 code of practice, the Caldicott Guardian considers it in the patient’s best interests to grant access to the applicant.
When an adult patient has been assessed as lacking capacity and access is to be granted to a proxy acting in their best interests, it is the responsibility of the Caldicott Guardian to ensure that the level of access enabled, or information provided is necessary for the performance of the applicant’s duties.
Proxy Access in Children under the age of 11
All children under the age of 11 are assumed to lack capacity to consent to proxy access. Those with parental responsibility for the child can apply for proxy access to their children’s medical records.
Parents will apply for access through the same process outlined in Sections 4 and 5. Additional identification of parental/guardian evidence will be required (see Section 6).
Proxy Access in Children above the age of 11 and under 13 years of age
Access to medical records will need to be assessed on a case-by-case basis. Some children aged 11 to 13 have the capacity and understanding required for decision-making with regards to access to their medical records and should therefore be consulted and have their confidence respected.
Online proxy access will automatically be turned off when a child reaches the age of 11. Online proxy access to the Detailed Coded Record of children aged 11 to 13 will not normally be approved unless it is in the best interests of the child or is the express wishes of a competent child.
The Caldicott Guardian will invite the child for a confidential consultation to discuss the request for proxy access, whether this is for requests under the Data Protection Law or for online access.
The Caldicott Guardian should use their professional judgement in deciding whether to grant parental access and/or whether to withhold information.
If the Organisation suspects coercive behaviour, access will be refused and documented in the medical notes. The Caldicott Guardian will liaise with Child Safeguarding teams if appropriate.
Online proxy access will also be turned off when a child turns 13. Access can be turned back on by following the processes set out above governing access to adults.
11. Coercion
Coercion is the act of governing the actions of another by force or by threat, to overwhelm and compel that individual to act against their will.
Online access to records and transactional services provides new opportunities for coercive behaviour.
If the Organisation suspects coercive behaviour for either an individual or proxy access application, then access will be refused and documented in the medical notes. The Caldicott Guardian will liaise with CCG Safeguarding Team, if appropriate.
12. Former NHS Patients Living Outside the UK
Patients no longer resident in the UK still have the same rights to access their information as those who still reside here and must make their request for information in the same manner.
Original health records should not be given to an individual to take abroad with them, however, the Organisation may be prepared to provide a summary of the treatment given whilst resident in the UK.
13. Staff Training and Education
All staff at the Organisation will be required to read the policy and confirm their understanding.
The Data Security e-learning programme has been designed to support staff in health and social care. Level 1 – Data security awareness:
This course is mandated for everyone working in health and care. It has been designed to inform, educate and upskill staff in data security and information sharing. It provides an understanding of the principles and importance of data security and information governance. It looks at staff responsibilities when sharing information and includes a section on how to act to reduce the risk of breaches and incidents.
14. Disputes Concerning Content of Records.
Once access to medical records has been granted patients often dispute their accuracy or lack understanding of the medical codes that are held in the records.
Patients notice and point out errors in their record; these may be unexpected third-party references or entries they object to or want deleted. Rectification and deletion are now rights under the UK GDPR. Of note: facts and clinical opinions will not be deleted.
Reception staff will pass on any queries to the Practice Manager who will contact the patient and investigate to identify the source and extent of the problem.
The Practice Manager will then decide on the most appropriate action. Where the dispute concerns a medical entry the clinician who made the entry should be consulted. Consideration should be given as to whether it is appropriate to change or delete an entry. It is not always possible or practical to contact the clinician who made the entry and in this case the Organisation’s Caldicott Guardian should be consulted. Where a decision is taken not to amend the records an explanation should be given to the patient outlining the reasons why.
If a patient wishes to apply their UK GDPR 2021 rights of:
- Rectification (Article 16 UK GDPR)
- Erasure (Article 17 UK GDPR)
- Restriction of Processing (Article 18 UK GDPR)
- Data Portability (Article 20 UK GDPR)
Please contact the Data Protection Officer at [email protected]
If the patient further disputes the accuracy once a decision has been made, they will be referred to the complaints procedure and/or the Health Ombudsman.
15. Complaints
The Organisation has procedures in place to enable complaints about access to health records requests to be addressed. Please refer to our Organisation’s complaints policy.
All complaints about Access to Records should be referred to the Practice Manager in the first instance, then the Data Protection Officer at [email protected].
If the patient wishes to make a further complaint, they have the right to do so and should be informed of the NHS complaints procedure.
https://ico.org.uk/make-a-complaint/data-protection-complaints/, or sometimes the patient may wish to seek independent legal advice from a solicitor.
16. Application Length
Requests for health records information should be fulfilled within one month (unless under exceptional circumstances – the applicant must be informed where a longer period is required – up to two months extension can be requested – but must be requested from the patient within the first month). Information given should be in a manner that is intelligible to the individual.
Due to the time required to process requests for Detailed Coded Records Access each Organisation will process applications within 28 working days from date of application. In some circumstances there may be a delay in access to records. Where a longer period is anticipated the patient should be informed.
FAQs
What format should the response be provided in?
Where a request is received by electronic means, unless otherwise stated by the data subject, the information must be provided in a commonly used electronic format.
What are the penalties for non-compliance with the statutory timeframe?
The penalties are still at the discretion of the ICO. However, for non-compliance the financial penalties are now much greater.
What should you do if you identify that you have received a SAR?
Incoming SARs should be passed on immediately to the Secretaries, where they will be logged, acknowledged, and processed.
If a Subject Access Request has been received and records are altered with intent to prevent disclosure, this is a criminal offence punishable by a fine.
Accessible Information Standards (AIS)
AIS applies to people who use a service and have information or communication needs because of a:
- Disability
- Impairment
- Sensory Loss
It covers the needs of people who are deaf/Deaf, blind, or deafblind, or who have a learning disability. This includes interpretation or translation for people whose first language is British Sign Language.
It does not cover these needs for other languages.
It can also be used to support people who have aphasia, autism or a mental health condition which affects their ability to communicate.
It is important to the practice that we meet the individual needs of our patients and establish if information from us needs to be delivered in a different way.
We may know that a patient is deaf, but what we don’t know is how this patient communicates; do they use British Sign Language (BSL); do they need an interpreter present; do they prefer to lip read; do they use a notebook? We cannot make assumptions about the needs of our patients.
We ask all of our new patients to inform us of any communication needs when they register with us, but our existing patients also need to be aware of this information. Therefore, we ask our existing patients to let us know if there is any particular information about your communication needs you think we should be aware of.
If you, or someone you know who is a patient, feels there is a need we need to know about, please complete this Accessible Information Standards form and either bring it in to the surgery, or email it to the practice at [email protected]
Chaperone Policy
This practice is committed to providing a safe and comfortable environment and strives to achieve good practice at all times.
All patients are entitled to have a chaperone present during any consultation, examination or procedure. Clinicians at this practice will advise patients that a chaperone is necessary during any intimate examination. This is to safeguard both the clinician and you, the patient.
Where a chaperone is not available, the clinician will ask you to make an appointment and request the presence of a chaperone at the time of booking.
We will use trained staff as chaperones as they have had the appropriate training and have knowledge of the examination or procedure you may be undergoing.
Family and friends are not permitted to act as chaperones as they are not deemed impartial, do not have the knowledge required, nor do they have the necessary training. Should you wish to see the full chaperone policy, please ask to speak to the practice manager.
If you have any questions, please speak to the reception staff who will direct you to an appropriate member of the team.
Comments & Complaints
HOW CAN PATIENTS COMPLAIN?
Trent Meadows Medical Practice always aims to deliver a safe, caring and efficient service to all of our patients; but if you feel that this has not happened, then we would want to know about it, so that we can address the area causing concern and put things right.
We take complaints very seriously and want to hear if patients have concerns regarding their care. Patients may make a complaint or comment on the provision of our services verbally or in writing to the Practice Manager, Mrs Dianne Gotheridge. You can telephone 01283 845555 to arrange to speak with her or email her at trent.meadows@staffs.nhs.uk.
Please see below our procedure for the investigation of complaints
Your complaint should be raised as soon as possible after the event giving rise to your concerns, either verbally or in writing. Your complaint will be investigated by the Practice Manager or the Partners of the Practice.
When your complaint is received we will aim for it to be acknowledged verbally or in writing within three working days and a report on the investigation will be sent to you within thirty working days. If the investigation is to take longer than thirty working days, you will be informed together with the reasons for the delay. On completion of the investigation you will be given a full explanation.
Your complaint will in no way have any impact on the treatment you receive from clinicians and administrative staff at the Practice. You can be assured that YOUR care is our priority.
You can make your complaint to the practice or directly to NHS England (but not to both). Should your complaint not be resolved to your satisfaction, you can then contact the Parliamentary & Health Service Ombudsman (PHSO); contact details are below.
NHS Primary Care Complaints
You can contact the Customer Contact Centre:
Post:
NHS England
PO Box 16738
Redditch
B97 9PT
Email: [email protected]
Telephone: 0300 311 22 33
If patients are not satisfied with the way their complaint has been dealt with by the provider or commissioner, they can contact the Parliamentary and Health Service Ombudsman (PHSO)
Post:
The Parliamentary and Health Service Ombudsman
Millbank Tower
Millbank
London
SW1P 4QP
Telephone: 0345 015 4033
Email: [email protected]
Confidentiality
The practice complies with Data Protection and Access to Medical Records legislation. Identifiable information about you will be shared with others in the following circumstances:
- To provide further medical treatment for you e.g. from district nurses and hospital services.
- To help you get other services e.g. from the social work department. This requires your consent.
- When we have a duty to others e.g. in child protection cases.
Anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.
If you do not wish anonymous information about you to be used in such a way, please let us know.
Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.
Dementia Friendly Practice
Trent Meadows Medical Practice believes that people living with dementia should have the opportunity to live a good quality, active and healthy lifestyle for as long as possible. Our clinical team will discuss the individual needs of patients and listen to their wishes when formulating their care plan. We will treat our patients and their carers with understanding, dignity and respect.
Our aim is that our staff and partners with whom we work to deliver care in our community are well informed and share an ambition to deliver the highest standards of care for our patients. Patients and their carers feel able to approach the practice to ask for help and support when they need it, so that they enjoy the best quality of life possible. We will plan ahead to minimise the impact of a deterioration in a patient’s condition. We will strive continuously to provide outstanding care and service and will share best practice at every opportunity.
We are making adjustments throughout the practice to ensure our surgery is comfortable, welcoming and accessible for our patients and visitors that would benefit from these changes.
Freedom of information Leaflet
GDPR Practice Privacy Policy
The General Data Protection Regulation (GDPR) came into force on 25th May 2018. This is a new regulation about the protection of any confidential and sensitive information.
Please see our Privacy Notice Booklet that explains how we collect and process your personal data and how we meet our obligations to you.
Download our Patient Privacy Notice for Children
General Practice Transparency Notice for GPES Data for Pandemic Planning and Research (COVID-19)
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:
GP Earnings
All GP Practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.
The average pay for GPs working in Trent Meadows Medical Practice in the last financial year was £92,495 before tax and National Insurance. This is for 3 full time GPs and 3 part time GPs who worked in the practice for more than six months.
How we use your information
Download a copy of our How we use your information leaflet.
Information security policy
The core information security principles are to protect the following information/data asset properties:
Confidentiality | C | Protect data from breaches, unauthorised disclosures, loss and unauthorised viewing |
Integrity | I | Retain the integrity of data by not permitting it to be modified without consent |
Availability | A | Maintain the availability of data by protecting it from disruption and denial of service attacks |
In addition to the core principles of C, I and A, information security also relates to the protection of reputation; reputational loss can occur when any of the C, I or A properties are breached. The aggregation effect, by association or volume of data, can also impact upon the Confidentiality property.
For the NHS, the core principles are impacted, and the effect aggregated, when any data breach relates to patient medical data.
Terminology
Term | Meaning/Application |
SHALL | This term is used to state a Mandatory requirement of this policy |
SHOULD | This term is used to state a Recommended requirement of this policy |
MAY | This term is used to state an Optional requirement |
Governance – Roles and Responsibilities
All Staff
Information Security and the appropriate protection of information assets is the responsibility of all users. Individuals are always expected to act in a professional and responsible manner whilst conducting the Organisation’s business. All staff are responsible for information security and remain accountable for their actions in relation to NHS and other UK Government information and information systems. Staff shall ensure that they understand their role and responsibilities, and that failure to comply with this policy may result in disciplinary action. This will be reinforced by yearly mandatory training.
Senior Information Risk Owner
The Senior Information Risk Owner (SIRO) is accountable for information risk within the Organisation and advises on the effectiveness of information risk management across the organisation. All Information Security risks shall be managed in accordance with the Organisation’s Risk Management Policy.
Information Governance Lead
The Information Governance Lead (IG Lead) is responsible for the day-to-day operational effectiveness of the Information Security Policy and its associated policies and processes. The IG Lead shall:
- Lead on the provision of advice to the organisation on all matters concerning information security, compliance with policies, setting standards and ensuring best practice
- Provide a central point of contact for information security
- Ensure the operational effectiveness of security controls and processes
- Monitor and co-ordinate the operation of the Information Security Management System.
- Be accountable to the SIRO and other bodies for Information Security across the Organisation
- Monitor potential and actual security breaches with appropriate expert security resource.
Caldicott Guardian
The Caldicott Guardian is responsible for ensuring implementation of the Caldicott Principles and Data Security Standards with respect to patient confidential data.
Caldicott Principles
Principle 1 | Justify the purpose(s) for using confidential information |
Principle 2 | Do not use personal confidential data unless it is necessary |
Principle 3 | Use the minimum necessary personal confidential data |
Principle 4 | Access to personal confidential data should be on a strict need-to-know basis |
Principle 5 | Everyone with access to personal confidential data should be aware of their responsibilities |
Principle 6 | Comply with the law |
Principle 7 | The duty to share information can be as important as the duty to protect patient confidentiality |
Principle 8 | Inform patients and service users about how their confidential information is used |
Data Protection Officer
The Appointed Data Protection Officer (DPO), as defined in the GDPR 2016 and UK GDPR 2021.
The Data Protection Officer is responsible for ensuring that the Organisation and its constituent business areas always remain compliant with Data Protection, Privacy & Electronic Communications Regulations, Freedom of Information Act and the Environmental Information Regulations. The Data Protection Officer shall:
- Lead on the provision of expert advice to the organisation on all matters concerning the Data Protection Act, compliance, best practice and setting and maintaining standards
- Provide a central point of contact both internally and for external stakeholders, including the ICO
- Communicate and promote awareness of the Act across the Organisation
- Lead on matters concerning individuals’ right to access information held by the Organisation and the transparency agenda
Information Asset Owners
The Information Asset Owners are senior/responsible individuals involved with running the business area and shall be responsible for:
- Understanding what information is held
- Knowing what is added and what is removed
- Understanding how information is moved
- Knowing who has access and why
Supporting Policies
The Information Security Policy has further policies, standards and guides which support this policy. The supporting policies are grouped into 3 areas: Technical Security, Operational Security and Security Management. The Information Security Policy supports the Organisation’s Physical and Personnel Security policies.
Technical Security
The technical security policies detail and explain how information security is to be implemented. These policies cover the security methodologies and approaches for elements such as: network security, patching, protective monitoring, secure configuration and legacy IT hardware & software.
Operational Security
The operational security policies detail how the security requirements are to be achieved. These policies explain how security practices are to be achieved for matters such as: data handling, mobile and remote working, disaster recovery and use of social media.
Security Management
The security management practices detail how the security requirements are to be managed and checked. These policies describe how information security is to be managed and assured for processes such as: information security incident response, asset management and auditing.
Legislation
The Organisation is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Organisation who may be held personally accountable for any breaches of information security for which they may be held responsible.
The Organisation shall comply with all relevant legislation, which includes but is not limited to:
- Data Protection Act 2018
- Freedom of Information Act 2000
- Health & Social Care (Safety & Quality) Act 2015
- Computer Misuse Act 1990
- General Data Protection Regulation (GDPR) 2016 & UK GDPR 2021
Audit
Audits will be performed as part of the Organisation’s ongoing Audit Programme. The Information Governance Lead shall ensure appropriate evidence and records are provided to support these activities at least on an annual basis.
Medical Students
This is one of the major non-clinical activities of the Practice.
We take medical students, usually from the University of Keele undergraduate Medical School. The students may sit in with surgeries from time to time. If you prefer not to have a student present, please mention this either at reception or when you enter the consulting room. This will not affect the care you will be given.
There may be doctors in their second Foundation Year – the second year since qualification. They are gaining experience in a range of specialities before moving into their specialised training years.
Registrars. The Practice usually has one or two General Practitioner Registrars working with us – they are qualified doctors undergoing further training to specialise in general practice. They may be with us for up to 12 months. You may make appointments to see them just as you would any other doctors.
Video work. As part of training medical students and registrars, as well as occasional personal development work for the established GPs, we may ask you for permission to videotape a consultation. No intimate examinations would be recorded. The videotape may be used for examination purposes or assessment of the doctor’s ability. You can decline to be videotaped and this will not affect the care you will be given.
Named GP
From 1st April 2015 GP practices were required to allocate all patients, including children, a named accountable GP who has overall responsibility for their care.
If you wish to know who your named GP is please contact the surgery and we will be happy to inform you.
N.B. This does not stop you from seeing any GP at the Practice
Patient Rights and Responsibilities
The NHS Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled and pledges which the NHS is committed to achieve, together with responsibilities which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
All NHS bodies and private and third sector providers supplying the NHS services are required by law to take account of the Constitution in their decisions and actions.
A copy of the Constitution is available from the practice by request.
We will:
- Deliver a prompt and efficient service
- Be pleasant and courteous at all times
- Respect your confidentiality
We ask that you – the patient:
- Arrive in time for your appointment
- If unable to keep your appointment contact us to cancel.
- Behave responsibly in a courteous and pleasant manner
- If you bring children to the Health Centre ensure they are under your control at all times.
- Ensure you keep the Health Centre informed of change of address/name.
- Allow 48hrs between request and pick up of medicines.
Patient Social Media Guidance
At Trent Meadows Medical Practice, we have a Facebook group which provides a range of useful information for our patient population.
Trent Meadows Medical Practice has a duty to maintain patient confidentiality and to safeguard vulnerable patients. You can help us to achieve this by adhering to the code of conduct outlined in this policy.
Patients at Trent Meadows Medical Practice are expected to adhere to the following code of conduct at all times:
- The organisation requires all users of portable devices to use them in a courteous and considerate manner, respecting their fellow patients. Portable devices are not to be used during consultations, except when agreed with your clinician.
- Patients are not permitted to disclose any patient-identifiable information about other patients, unless they have the express consent of that patient.
- Whilst not encouraged, patients may record their consultation but this should be agreed with your clinician. This recording will solely be for your own purpose.
- Patients must not post any material that is inaccurate, fraudulent, harassing, embarrassing, obscene, defamatory or unlawful. Any such posts on the organisation Facebook group will be deleted and the post reported.
- Patients are not permitted to take photographs in the waiting room or areas where other patients are present, nor are photographs of staff permitted to be taken.
- Patients must not post comments on social media that identify any staff.
- Patients are able to leave a review about Trent Meadows Medical Practice. The following link can enable the practice manager to respond appropriately. https://www.nhs.uk/services/gp-surgery/trent-meadows-medical-practice/M83027
- Defamatory comments about our team are not to be shared on any social media platform. Legal advice will be sought and the appropriate action taken against any patient who posts defamatory comments.
Patient complaints on social media
We have a separate complaints policy which patients are to use should they wish to make a complaint. We will only respond to complaints made to the organisation in accordance with the organisation’s policy.
Practice Charter
- Members of staff will act courteously towards you and treat you with respect.
- We offer an appointment system. Our aim is to see each patient at the time designated. You will not be kept waiting for more than 20 minutes after your appointment time without an explanation from the staff.
- You are entitled to complete confidentiality.
- Constructive criticism will be welcomed in an effort to improve our service.
- You have the right to see your patient records, subject to legal limitations, by appointment only.
- Members of staff will wear a uniform and name badge in order to identify themselves to you.
Patients’ Responsibilities
- Be courteous and polite to staff at all times
- Arrive on time for all appointments
- Cancel appointments as soon as possible
- Book one appointment for each patient who wishes to be seen.
- Let the Practice know of any changes in personal details, i.e. telephone number/address.
- Telephone for results between 12.30 pm and 3.00 pm only.
- Do not ask for information about anyone other than yourself.
Physical violence and verbal abuse are a growing concern. GPs, Practice Nurses and other practice staff have the right to care for others without fear of being attacked or abused. We ask that you treat your GP and Practice staff properly — without violence or abuse.
Violent and abusive patients will be reported to the Police and removed from the surgery’s list.
Research
This practice is part of the local Primary Care Research Network, Central England (PCRN CE). The Network is funded by the Department of Health to undertake research to improve healthcare.
What does this mean for you?
You may be invited to take part in a research study. Whether or not you take part is entirely up to you, and the decision you take will not affect any of your medical care.
Your medical records and how they are used
We may be asked to share information we hold in medical records as part of the research.
We always do this in a way that protects your privacy and gives you the option to opt out of research.
There are strict measures in place at the practice and with the researchers to keep your records confidential. The way in which we do this is set out in the leaflet “Use of your medical records”; please ask for a copy.
If you have any questions we would be happy to answer them.
Services for the disabled
The Practice will undertake an access audit on an annual basis in order to determine that our services for the disabled remain current and appropriate.
Patient facilities include:-
- easy, level access and dedicated toilet facilities for the disabled at both sites
- large font Practice Leaflet is available
- clear signage
- portable induction loops are available at all surgeries for patients who are hard of hearing
- access for guide dogs and others assisting special needs
Disabled patients are able to make appointments using the email system as well as the telephone service and face to face access at reception.
If you feel you need extra help when visiting one of our sites, please phone ahead to advise and we will do our utmost to assist you.
Anyone requiring further information regarding our facilities and access can contact the Practice Liaison Officer on 01283 845555.
If you require any information in an accessible format, such as large print, Easy Read or Braille, please contact us on 01283 845555, in writing, or ask at the reception desk.
Statement of Purpose
Download our Statement of Purpose
Summary Care Record
If you decide to have an SCR, it will contain important information about any medicines you are taking, allergies you suffer from and any bad reactions to medicines that you have had and it will also include basic information about your current diagnoses. Giving healthcare staff access to this information can prevent mistakes being made when caring for you in an emergency or when your GP practice is closed. Your Summary Care Record will also include your name, address, date of birth and your unique NHS Number to help identify you correctly. If you and your GP decide to include more information it can be added, but only with your express permission.