How we use your information
For information on how we use your data please see our leaflet Information we hold about you – a guide for patients.
Devon Doctors recognise how important it is that you are aware of the information we collect and hold about you as well as how we share that information.
We use three different types of information:
1) Person identifiable - information which on its own or with other information can identify you.
2) Anonymised data - where unique identifiers such as your name, full address or date of birth have been removed so the information is no longer ‘person identifiable’.
3) Pseudonymised data - where personal information about you is replaced with a code. We retain the key to the code so could know which person this information related to, but a third party who we shared this information with could not. This is often used when information is needed for research purposes or when we create our patient surveys.
To ensure that your information is kept confidential and that our data is kept safe and secure, all our staff receive training in data protection and information governance before they start work with us. Current staff also have to undertake regular refresher training courses tailored to their individual roles.
Who we are and what we do
Our registered address is:
Unit 8 Manaton Court
Telephone: 01392 822 345.
Devon Doctors Group is made up of all [the partly and wholly owned companies] owned by Devon Doctors Limited, who are a not for profit social enterprise, owned by the GP practices of Devon. The group hold contracts for healthcare services including:
Devon Doctors Limited: providing the GP out of hours services in Devon, as part of the integrated urgent care service for the county. Other contracts include district nurse message handling in Devon and end of life and palliative care services such as the EpPaCCS ‘end of life’ register.
Cornwall Health Limited: providing the GP out of hours services and appointments for the Acute GP service in Cornwall.
Access Dental: providing out of hours and prison dental care and treatment in Devon and Cornwall, including emergency dental helplines and waiting list support.
Access Health Care: provide primary care services including:
• Clock Tower Surgery Exeter
• Cranbrook Medical Centre Exeter
• Physiotherapy and Chime Audiology appointment and booking services in Devon
• The Violent Patient Scheme service for Devon, Cornwall and Somerset
Our partners, Vocare Ltd, provide NHS 111 services across the South West. For more information please see http://www.vocare.org.uk/services.php
To help you to understand what information we collect and how we use it please see our leaflet Information we hold about you - a guide for patients.
This is available on our website in standard text, large print, video format, British Sign Language, audio and easy read versions:
Hard copies are also available at our treatment centres and headquarters at Manaton Court, Marsh Barton (and can be posted on request).
Our patient announcement is received by all callers accessing our service via our patient lines to inform service users:
“All telephone calls to and from our organisation are recorded for your protection, and for monitoring purposes. They may be used for training and audit purposes to maintain our quality and high standards. Patient confidentiality is important however in certain circumstances, it may be necessary to share your details with third parties including health and social care professionals”.
Communications in alternative formats
We have a variety of leaflets to assist our service users. These include:
• Information we hold about you – a guide for patients
• How to receive urgent care when your GP surgery is closed
• Out-of-hours treatment for patients with palliative care needs
• Reporting a complaint or other feedback
On request we will supply all of these leaflets in alternative formats, for example:
• Audio MP3 file via email
• Audio compact disc sent via post
• Large print
• Alternative languages (translated via Language Line)
Spoken translation services are available through Language Line and Text Relay. These services can also be utilised in the event that an individual has difficulty conversing in English, are unable to read in their native language have difficulty hearing on the telephone.
Access to your information
Our staff will only have access to information that is necessary for them to complete the business activity they are involved in. This is reflected in Caldicott Principles that access to your information should be on a need to know basis only. Staff access of confidential information is monitored to ensure your confidentiality is maintained.
Where possible, we ensure your information is anonymised or pseudonymised (especially when using information for purposes other than for direct patient care). We have a small, restricted and specialised team who have been suitably trained to anonymise and pseudonymise information for us. All members of this team have been approved to carry out this work by our Caldicott Guardians.
Information we hold about you
a. Your name and date of birth
b. Caller/carer/next of kin and patient contact details, including full home address, telephone numbers and current location (note, If you provide us with your mobile phone number we may use this to send you reminders about your appointments or other health screening information).
c. Details of each contact we have with you. For example, speaking to a member of the dental team on the phone, when you write a letter to give feedback, when a doctor visits you at home.
d. Records of your health and wellbeing, including reports from other organisations providing health and social care.
e. Details of your care and treatment, including clinical notes, assessments, examinations, test results and care you have received.
f. Information shared in the public domain e.g. online. For example, comments made about services and staff on social media or mentioned in blog posts. This information is used to improve services and inform feedback, learning and training. It will not affect the care you receive in any way. There may be some circumstances where we share this information with others, for example, where it concerns another healthcare provider, to protect an individual or assist the police in the investigation of a serious crime.
g. Recordings of all telephone calls.
As we do not always have access to your full GP, dental or other health records, other health professionals may provide us with important information such as a special note to highlight any specific medical history and/or care plans. This will support our health professionals in their decision making in the event of contact from you.
We will also record and keep further information about you if you contact us for reasons not regarding your direct care (for example, to make a complaint, report a concern via our patient surveys or if you leave us feedback online or post on social media).
In some cases, we may need to obtain or provide information from another service provider (such as our commissioners) for example to fully investigate a complaint, enquiry or to assist with a Freedom of Information Act request.
How do we keep your records confidential and secure
Everyone working in the NHS has a legal and professional duty to ensure that all your information is safely and securely protected and kept confidential.
The sharing of your information is strictly controlled. We will not pass on information about you to third parties without your permission unless there are exceptional circumstances, for example, where we are required to by law.
In all cases, where personal information is shared, either with or without your consent, a record will be kept. Information that identifies you will only be used for the purposes it was provided for or where there is a clear legal basis for that information to be used. We adhere to the Caldicott Principles to ensure information is accessed and held securely and appropriately.
Our staff are required to protect your information, inform you of how your information will be used and allow you to decide how it can be shared. Our secure networks, internal and external IT safeguards, use of the national NHS smartcard system and audits all ensure we protect your right to privacy and confidentiality.
We only keep hold of any of our records as long as we need to and are required to manage our records in accordance with national guidance such as the NHS Records Management Code of Practice. After they are no longer needed, these records will be confidentially and securely destroyed.
How your records are used
Your records are used to guide healthcare professionals in the care you receive. Your records:
a. Inform the decisions made about your care.
b. Ensure your treatment and advice, and the treatment of others, is safe and effective.
c. Help us work effectively with other organisations and healthcare professionals who may also be involved in your care.
d. Are sent to your GP practice the next working day. This helps your GP, nurse or other medical professionals involved in your care to assess your health and assess any care you may need.
e. Are pseudonymised and shared with our commissioners and commissioning support units to enable them to conduct risk stratification, ensure services are funded appropriately, review care pathways and ensure patients receive appropriate packages of care and support.
They also receive this information, along with your NHS Number to monitor how services are being managed and commissioned. This enables them to monitor how funding is spent across services and assist them in planning future service development, making sure funding flows correctly across the healthcare system.
f. Help us to thoroughly investigate any feedback or concerns you may have about contact with our service.
g. Can be available if you see another doctor, or are referred to a specialist or another part of the NHS or health care system for the purposes of direct care.
h. Help us to investigate complaints, legal claims and untoward events.
i. Help us prepare statistics on NHS performance and assist with health research and development.
j. Help us to teach, train and monitor staff and their work (including providing staff and clinicians with anonymised feedback from patient surveys) to audit and improve our services and ensure they meet your needs.
k. Help us conduct clinical audit to ensure we are providing a safe, high quality service and support the provision of care by other healthcare professionals
There are circumstances where we need to share information without your consent. For example, when the health and safety of others, including members of staff, is at risk, to ensure we provide you with the correct care, to protect public health or when the law requires information to be passed on (for example in the prevention of serious crime or under a court order).
You may be receiving care from other non-NHS organisations such as Social Services and we may need to share information about you so we can all work together for your benefit. We will only ever use or pass on information about you if others involved in your care have a genuine need for it.
Information may be withheld if it is believed it may cause serious harm or distress to yourself or another person.
We will not transfer or process your information outside of the European Economic Area except in rare circumstances where there is a legal basis, for example, we have your consent. In the event that this occurs, we will take all reasonable steps to ensure the security and safety of the information being sent.
How you can access your records
The Data Protection Act allows you to find out what information about you is held on computer and in certain paper records. This is known as a ‘right of subject access’.
If you would like to see your records you can make a written request to us (which must include your authorising signature).
You are entitled to receive a copy of your records and do not have to give a reason for the request however, there may be a charge. Consent will be required when requesting information relating to someone else. Requests can be made in writing to the address in this guide.
Using information for purposes other than direct healthcare
We will use your personal information for the purposes of providing you with direct care and to locally audit our services to ensure our organisation meets your needs and maintains our high standards.
Direct Care: is when information is used for healthcare and medical purposes. For example, directly contributing to your treatment, diagnosis, referral and care. This also includes any relevant supporting administrative processes and audit/assurance of the quality of the healthcare service provided such as appointment bookings, management of waiting lists, inputting test results or sharing information regarding contacts with the patient’s registered GP practice.
We will also use your personal information when required to by the law (for example following a court order to release documentation) and, in exceptional circumstances, where the use of your personal information is justified in the public interest.
For all other uses of your personal information we will either directly ask for your consent or use information that does not identify you. For example, it may be that we use anonymised and/or pseudonymised data for:
• Processing information – taking your information and changing it so it does not identify you so it can be used for secondary purposes such as research.
• Audits - including local clinical audit to provide quality assurance of the care received by our service users.
• Service management.
• Local and national benchmarking.
• Commissioning and commissioners reports e.g. risk stratification, service use, performance reports and contract monitoring.
• Reporting, including public health alerts, performance and board reports, capacity and demand planning. We may share anonymised and pseudonymised information with other organisations with a legitimate interest such as universities and research institutions. This data will be provided in a way that respects your right to confidentiality and does not identify individual patients.
• Teaching and training.
• Sharing best practice/serious case reviews/incident management of adverse events.
• Staff and patient surveys.
• Personal development/review (particularly for clinicians).
• Subject access requests.
If for any reason you do not wish for your information to be used in any of the ways described here please inform our clinician dealing with your care or alternatively, contact the governance team (details at the end of this leaflet).
Third parties we share information with
Sometimes we need to share your information with other organisations. For example, you may be receiving care from social services and we may need to share information about you so we can all work together for your benefit.
When assisting the police with the investigation of a serious crime, or if there are concerns regarding child protection/vulnerable adults, it may be necessary for us to share your personal information with external agencies without your consent.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. Anyone who receives information from us is also under a legal duty to keep it confidential and secure.
We may also share information with organisations such as:
• NHS Trusts
• Community/district nurses
• The ambulance or other emergency services
• General Practitioners
• Child and adult safeguarding services e.g. MASH
• Social Services
• Local Authorities
• NHS 111
• The Care Quality Commission, ICO and other regulated auditors
• Public Health England
• HSCIC (http://www.hscic.gov.uk) and the data services for commissioners programme
Note: Under the powers of the Health and Social Care Act 2012 (HSCA) the Health and Social Care Information Centre (HSCIC) can request your information that identifies you from GP practices and other providers without seeking your consent.
Information/data sharing agreements
We are bound by data and information sharing agreements with our partner organisations. These sharing agreements ensure that we only share information in a way that complies with the law.
Regular information sharing is supported by information sharing agreements with our partner organisations to ensure all parties are clear on how this information may be used and their legal obligations to protect and keep your information safe and secure.
You have the right to confidentiality and for your information to be used fairly in a way that is safe and secure under the Data Protection Act 1998, common law duty of confidentiality and other relevant legislation. The Equality Act 2010 may also apply in certain circumstances. You have the right to know what information we hold about you, what we use it for and who we share it with.
You have the right to apply for access to you information (a Subject Access Request) and have a copy of that information in a permanent form, for example, on paper.
You also have the right to have that information explained to you in a way you can understand, explained where necessary. For example, if there are any codes or abbreviations you do not understand.
Comments, queries or objections
At any time, you have the right to object, refuse or withdraw consent to information sharing/processing and have your objections heard. We will comply with your request where we are able to do so in accordance with the law. The possible consequences of not sharing this data will be fully explained to you.
Should you have any queries or if you require this guide in an alternative format such as another language, please contact the Information Governance Lead via email@example.com or by writing to the address at the top of this guide.
To provide a safe, professional and efficient service, we need to keep information on record. Your personal details will be handled with sensitivity and confidentiality.
If you think any information we hold about you is not accurate, please let us know. You can write to us if you have any privacy concerns or queries, or if you wish to update your personal information.
Further information can also be obtained from legislation such as the Data Protection Act 1998, the Care Record Guarantee and the NHS Confidentiality Code of Conduct all of which can be accessed via the internet.
You have the right to access your records and to request corrections of errors, but not to change the content as this may be clinically unsafe.
The Data Protection Act 1998
The data protection act 1998 states:
Personal data shall be processed fairly and lawfully and in particular, shall not be processed unless:
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
This is the first data protection principle. In practice, it means that you must:
• have legitimate grounds for collecting and using the personal data;
• not use the data in ways that have unjustified adverse effects on the individuals concerned;
• be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
• handle people’s personal data only in ways they would reasonably expect; and
• make sure you do not do anything unlawful with the data.
Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with us.
Once it has been established that a data controller does have the ‘lawful’ power to share personal data it would then need to satisfy a Schedule 2 condition for processing and where sensitive personal data is involved, a Schedule 3 condition. It should be remembered though that even where a condition or conditions for processing can be met this will not on its own ensure that the processing is fair or lawful.
These issues need to be considered separately. It is also worth briefly looking at the issue of ‘consent’. To the ICO “consent” means just that. For
Example, someone is asked if their information can be used in a certain way. If they agree the release of information can proceed, but if they refuse their consent, then in the view of the ICO, their wishes should be respected and the information should not be used.
In addition it needs to be remembered that in data protection terms ‘consent’ is but one condition that could be relied on to process personal and sensitive personal data. There are several other conditions that it may be possible to rely on depending on the purpose of the processing (and which are set out in Schedule 2 and in Schedule 3).
In terms of meeting a Schedule 2 condition there are two that could be relied on these are:
The processing is necessary:
(a) for the exercise of any other functions of a public nature exercised in the public interest by any person, or,
(b) the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Meeting a Schedule 3 condition is more difficult (and which is the way it should be). However in these circumstances the ICO considers that a condition provided for in SI 417 (2000)1 could be met, namely:
The processing –
(a) is in the substantial public interest;
(b) is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service; and
(c) is carried out without the explicit consent of the data subject because the processing must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of that counselling, advice, support or other service.
The ICO stresses that where these conditions are being relied upon that there is the provision of fair processing information to the individuals involved, with more information being required where the data sharing is more extensive. Privacy notices should make it clear to individuals about how their information is being used and where they can find out more about the processing and/or object to the processing (s10 of the DPA).
As the conditions above require that the sharing is either in the substantial public interest or is for confidential counselling purposes added to the fact that public authorities must not act in any way that is incompatible with the Human Rights Act we will seek the explicit informed consent of the patient or individual.
It is also important to ensure that the other Data Protection principles are complied with e.g. the information shared needs to be relevant and not excessive, it must be accurate and kept up to date, not kept for longer than necessary and kept secure.
If individuals know at the outset what we propose to use their information for, they will be able to make an informed decision about whether to:
(a) enter into a relationship with us, or perhaps to try to renegotiate the terms of the relationship;
(b) consent or dissent to the use of their information.
If anyone is deceived or misled when the information is obtained, then this is likely to be unfair and will be a breach of the DPA.
The DPA says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised, or required, to provide it. The DPA does not define ‘lawfully’. However, ‘lawful’ refers to statute and to common law, whether criminal or civil. An unlawful act may be committed by a public or private-sector organisation.