Privacy Notice-GDPR

Blackheath Standard Surgery uses personal and confidential information for a number of purposes. Our privacy notice provides a summary of how we use your information. We are committed to protecting your privacy and will only use information collected lawfully in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and the General Medical Council. Information on this page explains our privacy policy and how we will use and protect any information about you that you give us.

This privacy notice explains:

  • What personal and healthcare information do we collect about you?
  • Why we collect information about you?
  • How we keep your information secure?
  • Who we share your information with?
  • How long do we hold information for?
  • Your rights as a patient
  • Key Contacts, Summary Care Record and London Care Record

Topics

What type of information do we collect about you?

To be able to provide you with care and for our other purposes we need to collect information about you. This includes:

  • Your contact details (such as your name, age, gender, ethnicity, address and email address)
  • Details and contact numbers of your next of kin
  • Details in relation to your medical history
  • The reason for your visit to the organisation
  • Any contact the organisation and/or your practice has had with you including appointments (emergency or scheduled), clinic visits, etc.
  • Notes and reports about your health, details of diagnosis and consultations with our GPs and other health professionals within the healthcare environment involved in your direct healthcare
  • Details about the treatment and care received
  • Results of investigations such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you
  • Recordings of telephone conversations between yourself and the organisation
  • The Practice also records CCTV images for the prevention and detection of crime

Why we collect information about you?

The main reason we collect information about you is for your direct care and treatment, which includes ensuring safe and high-quality care for all our patients. We also collect and use information for other purposes such as research.

Other reasons for collection of information may include:

  • safety of patient and staff, prevention and detection of crime

Further details on why we collect personal data about you can be found further below under the section ‘Specific Privacy Notices’.

Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest.

How we keep your information secure?

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. All the personal data we process is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have data protection processes in place to oversee the effective and secure processing of your personal and/or special category data.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulation (which is overseen by the Information Commissioner’s Office), The Data Protection Act 2018, Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for Blackheath Standard Surgery an appropriate contract (Article 24-28) will be established for the processing of your information.

Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR), The Data Protection Act 2018 and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected.

Who we share your information with?

In order to comply with its legal obligations, this organisation may have to send data to NHS England when directed by the Secretary of State for Health under the Health and Social Care Act.

Additionally, we may have to contribute to national clinical audits and will send the data that is required by NHS Digital as the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.

Under the UK General Data Protection Regulation, where we are providing direct care to you, or managing your direct care, we will be lawfully using your information in accordance with:

  • Article 6, 1, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 9, 2, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

For the lawful bases for the processing and collection of your data outside of the above, you can locate these in the individual specific privacy notices linked on page 5.

Whenever you use a health or care service, such as attending the local hospital or using the district nursing service, clinical information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, researching to develop new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations.

However, as explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations because these organisations may require your information to assist them in the provision of your direct healthcare needs. It therefore may be important for them to be able to access your information in order to ensure they may deliver their services to you:

  • Hospital professionals (such as doctors, consultants, nurses etc.)
  • Other GPs/doctors
  • Primary Care Networks
  • NHS Trusts/Foundation Trusts/Specialist Trusts
  • NHS Integrated Care Boards
  • NHS England (NHSE)
  • Multi-agency Safeguarding Hub (MASH)
  • Independent contractors such as dentists, opticians, pharmacists
  • Any other person who is involved in providing services related to your general healthcare including mental health professionals
  • Private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc.
  • Voluntary sector providers
  • Ambulance Trusts
  • Integrated Care Systems. Local authority, Social care services, Education services
  • Information may also be shared with appropriate or authorised organisations like the police and the court for the purpose of investigation, court proceeding and prevention and detection of crime where we are required to
  • Other ‘data processors’, e.g., Diabetes UK