GDPR, Data Protection & Security

Every NHS organisation and provider is required to publish a Practice Privacy Notice on its website, setting out why the General Practice collects information about each patient and how that information is used.

Please see the attached 'Practice Fair Processing & Privacy Notice' for Whitewater Health.

Click to View Patient Privacy Notice

The document below gives further details on 'Who we share your information with & why'

Click to View Data Processing Activities

This document gives details on the management of the practice website 

Website Privacy Statement

This document allows you to request data that the practice may hold relating to your medical record

Click to View Subject Access Request

This document advises patients that we use a text messaging service for matters directly related to their care. This can include, but is not limited to: appointment booking confirmations, appointment booking reminders, flu program reminders, medication review reminders, links to support self-help (NHS A-Z) and results from tests. For more information on the text messages, please click here.

We use a third-party provider for this, which has been commissioned by North Hants CCG and has completed all NHSX and NHS Improvement data and cyber security assurance. The provider has a direct API into EMIS Web, which is the practice's clinical system. In line with ICO recommendations and data protection law, we do not use SMS for e-marketing or for sending spam messages to patients.

Patient Information Poster Accurx SMS

Click to View Healthy.io Privacy Policy

Update from the Information Commissioner's Office (ICO) in relation to managing care during COVID-19.

Date: 12 March 2020
Type: Statement

We all share the same concerns about the spread of the COVID-19 virus. The need for public bodies and health practitioners to be able to communicate directly with people when dealing with this type of health emergency has never been greater.

Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop them using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.

The ICO is a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, we will take into account the compelling public interest in the current health emergency.

Control of Patient Information (COPI) Update

The Health Service (Control of Patient Information) Regulations 2002 allow the processing of Confidential Patient Information (CPI) for specific purposes. Regulation 3 provides for the processing of CPI in relation to communicable diseases and other threats to public health and in particular allows the Secretary of State to require organisations to process CPI for purposes related to communicable diseases.

The Secretary of State has issued four of these notices requiring NHS Digital, NHS England & Improvement, all healthcare organisations, Arm's Length Bodies, Local Authorities and GPs (including a specific requirement related to the UK Biobank project) to process CPI for purposes related to communicable diseases.

What does processing mean?

Under COPI Regulations 2002, processing means:

  • the use, dissemination and obtaining of information;
  • the recording and holding of information;
  • the retrieval, alignment and combination of information;
  • the organisation, adaption or alteration of information;
  • the blocking, erasure and destruction of information.

What purposes are covered?

The COPI notices cover a range of purposes related to diagnosing, managing, and controlling the spread of communicable diseases. For COVID-19 purposes this could include but is not limited to:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks;
  • identifying and understanding information about patients or potential patients with or at risk of COVID-19;
  • delivering services to patients, clinicians, the health services;
  • research and planning in relation to COVID-19.

What type of data is covered?

The notice covers confidential patient information, so any data, regardless of its identifiability, that is being used for the purposes set out above is covered. It will all be treated in line with the principles of GDPR, i.e. fairly, lawfully and securely.

How long will the notices be in place?

COPI notices have now been extended until the end of March 2022 to help give healthcare organisations and Local Authorities the confidence to share the data needed to respond to COVID-19. The notices will be reviewed on or before 31 March 2022 or may be extended. If no further notices are issued, the notices will expire on 31 March 2022.