Information about you and the care you receive is shared, in a secure system, by healthcare staff to support your treatment and care.
It is important that we, the NHS, can use this information to plan and improve services for all patients. We would like to link information from all the different places where you receive care, such as your GP, hospital and community service, to help us provide a full picture. This will allow us to compare the care you received in one area against the care you received in another, so we can see what has worked best.
Information such as your postcode and NHS number, but not your name, will be used to link your records in a secure system, so your identity is protected. Information which does not reveal your identity can then be used by others, such as researchers and those planning health services, to make sure we provide the best care possible for everyone.
You have a choice. If you are happy for your information to be used in this way you do not have to do anything. If you have any concerns or wish to prevent this from happening, please speak to practice staff.
We need to make sure that you know this is happening and the choices you have.
Care Quality Commission
The Care Quality Commission (CQC) makes sure hospitals, care homes, dental and GP surgeries, and all other care services in England provide people with safe, effective, compassionate and high-quality care, and encourages them to make improvements where possible.
They do this by inspecting services and publishing the results on their website: www.cqc.org.uk
You can use the results to help you make better decisions about the care you, or someone you care for, receives.
Our CQC Inspection
Our practice is inspected by the Care Quality Commission (CQC) to ensure we are meeting essential standards of quality and safety.
This widget provides a summary of the results of the latest checks carried out by the CQC.
We have a legal duty to protect patients’ confidentiality at all times. This means that we cannot disclose any details of your treatment to anybody else without your written consent – even if you are under 16 years old.
However, one exception to this is that we are required to send patient specific information to the Primary Care Trust regarding screening information, as this is held on a central NHS database so that this data can be accessed even if you move GP practice. If you do not want data regarding your child’s immunizations, six week checks, cervical cytology results and mammography results held on this central computer please let us know.
To help us maintain confidentiality, please do not ask other people to ring us on your behalf, unless you are happy that they know about what treatment you are having.
You are entitled to see any records that we hold for you written after 1st November 1991, including any computer records.
If you are applying for life insurance, you will be asked for your consent for us to prepare a medical report for your insurer. If you have disclosed information to us, we are obliged to disclose this in turn to the insurer. If this information is considered to increase the risk to your health it may increase your premiums for life insurance. You may wish to consider this before taking part in any screening that we may offer you.
COVID-19 Privacy Notice
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital. This transparency notice supplements our main practice privacy notice.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our Legal Basis for Sharing Data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The Type of Personal Data We Are Sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- Diagnoses and findings
- Medications and other prescribed items
- Investigations, tests and results
- Treatments and outcomes
- Vaccinations and immunisations
How NHS Digital Will Use and Share Your Data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your Rights Over Your Personal Data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:
What information do we collect about you?
We only collect the information (“data”) that we need to help us keep you healthy – such as your name, address, next of kin, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.
How do we use your information?
- We share your medical records with other health professionals who are involved in providing you with care and treatment. This is only ever on a need-to-know basis and event by event.
- Some of your data is automatically copied to the Shared Care Summary Record.
- We share some of your data with local out-of-hours provider
- Data about you is used to manage national screening campaigns such as flu, cervical cytology and diabetes prevention.
- Your data about you is used to manage the NHS and make payments.
- We share information when the law requires us to, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people
- Your data is used to check the quality of care provided by the NHS.
- We may also share medical records for medical research
Enhanced Access Privacy Notice
Streatham PCN is made up of a number of GP Practices and has been created for members practices to work collaboratively to deliver the requirements of the PCN Directed Enhanced Service Contract.
The following practices are part of Streatham PCN:
- Palace Road Surgery
- Streatham Hill Group Practice
- Valley Road Surgery
- The Exchange Surgery
- Streatham Common Practice
- The Vale Surgery
As part of the PCN DES service, we are required to provide Enhanced Access to patients registered with practices in the PCN. Enhanced Access is patient appointments outside core practice hours – that is between 6.30-8.00 pm on weekdays, and on Saturdays 9.00 am till 5.00pm. We have chosen to also offer some appointments between 7.00 am-8.00 am on weekdays. We have also chosen to subcontract some of the provision of these appointments to our local GP federation (Lambeth GP Federation), who have previously provided access hubs in the area.
The Enhanced Access service for our patients requires the following:
- An interoperable Clinical IT solution and
- Data Sharing between the PCN practices and the GP Federation
To enable us to provide our Enhanced Access Service to you, clinicians from other practices in our PCN and working for our local Federation will at times have access to your full GP record, but only when providing direct care to you.
People who have access to your information will only normally have access to information that they need to fulfil their roles. For example, admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments; the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst any GP you see or speak to will normally have access to everything in your record.
1. Controller Contact Details
The controller of your data when it is in your practice clinical record will be your registered GP practice. The Exchange Surgery, Lucie Lehane, Practice Manager/ IG Lead, email@example.com, 2-6 Gracefield Gardens, SW16 2ST, London.
The controller of your data when it is in the GP Federation clinical record system is Lambeth GP Federation, 1 Alleyn Park, London, SE21 8AU.
2. Data Protection Officer Contact Details
Danielle Gibbons, GP Data Protection Officer, firstname.lastname@example.org.
3. Purpose of the Processing
To provide our patients with direct care.
4. The Lawfulness Conditions and Special Categories
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.
5. Recipient or Categories of Recipients of the Shared Data
- Palace Road Surgery
- Streatham Hill Group Practice
- Valley Road Surgery
- The Exchange Surgery
- Streatham Common Practice
- The Vale Surgery
- Lambeth GP Federation
6. Rights to Object
You have the right under Article 21 of the GDPR to object to your personal information being processed. Please contact the Practice if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance.
GP Practices process personal data under Article 6(1)(c) on a lawful and legitimate basis where the organisation is obliged under law to comply with:
- The General Data Protection Regulations (GDPR)
- The Freedom of Information Act
- The NHS Constitution
- The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009
By complying with these laws, the Practice has compelling legitimate grounds for the processing which override the interests, rights and freedoms in the right to object.
7. Right to Access and Correct
Under GDPR and the Data Protection Act 2018, you have the right to see or be given a copy of any personal data we hold about you. To gain access to a copy of your information, you will need to make a Subject Access Request (SAR) to the Practice you are normally registered with.
You also have the right to have incorrect data held about you corrected.
8. Retention Period
The data will be retained for the period as specified in the national NHS records retention schedule.
9. Right to Complain
The NHS App
We use the NHS Account Messaging Service provided by NHS England to send you messages relating to your health and care. You need to be an NHS App user to receive these messages. Further information about the service can be found at the privacy notice for the NHS App managed by NHS England.
Data Provision Notices
NHS Digital has powers, under sections 259(1)(a) and 259(1)(b) of the 2012 Health and Social Care Act 2012, which requires health and social care bodies in England to provide NHS England with certain datasets.
The DPN makes it clear whether an organisation is legally required to supply the data or is being requested to do so only.
In either case, when data is provided in response to a requirement or a request made under section 259, the data can be supplied without breaching the common law duty of confidentiality.
For more information about Dara Provision Notices, please see https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/data-provision-notices-dpns
COVID-19 Public Health Directions 2020
NHS England established the OpenSAFELY service Trusted Research Environment (TRE). It supports the use of data for COVID-19 purposes only including research, clinical audit, service evaluation and health surveillance.
NHS England has been directed by the Government to establish and operate the OpenSAFELY service. This service provides a Trusted Research Environment that supports COVID-19 research and analysis.
Each GP practice remains the controller of its own patient data but is required to let researchers run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym, through OpenSAFELY.
Only researchers approved by NHS England are allowed to run these queries and they will not be able to access information that directly or indirectly identifies individuals.
GP Connect Privacy Notice
We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes.
GP Connect is not used for any purpose other than direct care.
Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect.
The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.
Legal basis for sharing this data
In order for your Personal Data to be shared or processed, an appropriate “legal basis” needs to be in place and recorded. The legal bases for direct care via GP Connect is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:
- for the processing of personal data: Article 6.1 (e) of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
- for the processing of “Special Category Data” (which includes your medical information): Article 9.2 (h) of the UK GDPR: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.
Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.
London Care Record – One London
What is the London Care Record?
The London Care Record is a secure view of your health and care information.
It lets health and care professionals involved in your care see important details about your health when and where they need them.
It can show doctors, nurses and other care professionals any conditions you have, your test results, medicines you take, anything you’re allergic to and plans for your care.
Having a single, secure view of your information helps speed up communication between care professionals across London, and beyond
This helps to improve the safety of care and can save lives.
OneLondon is working to ensure as many health and care staff as possible can access the London Care Record and that it provides them with the information they need.
The SEL ICS Privacy Notice for the London Care Record has now been published on the ICS website: The London Care Record – South East London ICS (selondonics.org)
Find out more about the London Care Record see www.onelondon.online.
The Exchange Surgery is commissioned by South East London ICS. ICS collects, processes and protects the personal data of its service users.
For more information on the onelondon data sharing framework visit https://www.selondonics.org/who-we-are/our-work/digital-and-data/data-services/
How we use your Health and Care Data
Summary Care Record Supplementary Transparency Notice
During the height of the pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it, to support direct patients care, leading to improvements in both care and outcomes.
These changes to the SCR will remain in place, unless you decide otherwise.
Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.
You can exercise these choices by doing the following:
- Choose to have a Summary Care Record with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.
- Choose to have a Summary Care Record with Core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.
- Choose to opt-out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.
To make these changes, you should inform your GP practice or complete this form and return it to your GP practice.
Legal basis for sharing this data
In order for your Personal Data to be shared or processed, an appropriate ‘legal basis’ needs to be in place and recorded. The legal bases for direct care via SCR is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:
- for the processing of personal data: Article 6.1 (e) of the UK GDPR: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
- for the processing of ‘Special Category Data’ (which includes your medical information): Article 9.2 (h) of the UK GDPR: ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.
Because the legal bases used for your care via SCR are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.
Don’t want to share?
All our patients can choose not to share their information. Should you wish to opt out of data collection, please contact a member of staff, alternatively,
Patients can set their opt-out preferences at www.nhs.uk/your-nhs-data-matters You will need their NHS number and a valid email address or telephone number which is on the GP record or on the Personal Demographics Service database to register their decision to opt out. Patients who are unable to use the online facility can use a phone helpline to manage their choice 0300 303 5678. A paper print-and-post form is also available at www.nhs.uk – Other ways to make a choice about sharing data.
Alternatively, please contact a member of staff for support.
Have a question?
If you have any questions, ask a member of the surgery team. You can:
Contact the practice’s data controller via email at email@example.com. GP practices are data controllers for the data they hold about their patients
Ask to speak to the practice manager Lucie Lehane who is also Data Protection Champion for The Exchange Surgery.
Data Protection Officer (DPO) contact for The Exchange Surgery: firstname.lastname@example.org
GP DPO Service Lead: Danielle Gibbons
If you’re not happy about how we manage your information
We really want to make sure you’re happy, but we understand that sometimes things can go wrong. If you are unhappy with any part of our data-processing methods, you can complain. For more information, visit ico.org.uk and select ‘Raising a concern’.
We always make sure the information we give you is up-to-date. Any updates will be published on our website, in our newsletter and leaflets, and on our posters. This policy will be reviewed in May 2019.
What Is A Privacy Notice?
A privacy notice is a statement that discloses some or all of the ways in which the practice gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.
What Is The GDPR?
The GDPR replaces the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy.
What Information Do We Collect About You?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
How Do We Use Your Information?
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research, however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO).
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including Valley Road Surgery, this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Your information may be shared if you have received treatment, to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially, it will not be used for any other purpose or shared with any third parties.
The national data opt-out programme affords patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used for their individual care and treatment or also used for research and planning purposes. Patients who wish to opt out of data collection will be able to set their national data opt-out choice online at www.digital.nhs.uk/national-data-opt-out-programme. An alternative provision will be made for those patients who are unable to or do not want to use the online system.
Accessing Your Records
We encourage patients to sign up to our online services (Patient Access) where you can also access your medical records. You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
What To Do If You Have Any Questions
- Contact the practice’s data controller via email at email@example.com. GP practices are data controllers for the data they hold about their patients
- Ask to speak to the business manager – Kemi Olayiwola
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit www.ico.org.uk and select ‘raising a concern’.
All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice
The average pay for GPs working in Valley Road Surgery in the last financial year was £79,055 before tax and National Insurance.
This is for 1 full time GP and 4 part time GPs who worked in the practice for more than 6 months.
NHS England require that the net earnings of doctors engaged in the practice is publicised, and the required disclosure is shown above. However it should be noted that the prescribed method for calculating earning is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used to form any judgement about GP earnings, nor to make any comparison with any other practice.
Every patient has a named GP. This doctor has an important role to play in your healthcare. Some patients will already be aware of their named GP but if you would like to know, please just ask at reception by completing our Ask Reception a Question form.
Very little will change with your direct care. Your named GP does not have to be the doctor you see most recently, and you should continue to book appointments as usual.
The named GP is designed to reassure patients there is a doctor to provide an oversight into your care.
The responsibilities of your named GP will be to:
- Take the lead responsibility for ensuring that the surgery provides all the appropriate services you need
- Ensure health and social care professionals deliver a care package that meets your needs
- Ensure your physical and psychological needs are recognised and responded to by the relevant clinicians in the practice
- Ensure you have access to a health check if requested
It does not mean the named GP:
- Takes responsibility for the work of other doctors or health professionals. If you have concerns, you must raise it with them in the first instance
- Is available other than at their normal working hours
- Is personally available throughout the working week
- Be the only GP or clinician who will provide care to you
It does not mean that you can insist on appointment with your named GP unless one is available in the normal way.
You must continue to book appointments with the practice in the same way. If you require an appointment with a GP urgently and are unable to book it with your ‘named GP’ please book in with another available doctor.
Suggestions, Comments and Complaints
If you would like to give us any feedback or wish to make a complaint, please complete our Feedback and Complaints Triage.
If you have any suggestions about how we can improve our services please write a letter and place it in our suggestions box in the waiting room.
If you have any complaints either concerning our service or any member of our team, please ask to see our practice manager in the first instance. If the manager is not available, the receptionist can provide you with information on our complaints procedure. We would much prefer to deal with complaints in house but if you feel the need to go to an external board, the association to help you and give advice is PALS (Patient Advice Liason Service) – telephone 0800 456 1517.
Teaching and Research Practice
We are a training practice and are dedicated to the teaching of medical students. They are able to learn a great deal by sitting in on consultations and accompanying our clinical staff on home visits. We hope that you will co-operate with us in helping the students learn about general practice. You will be informed of their presence in advance. If you decline, your wishes will be respected and this will not affect your treatment in anyway.
The Valley Road Surgery is also involved in the education and training of GP registrars. They are fully qualified, senior doctors who have decided to pursue a career in general practice.
GP registrars and GP trainers are occasionally asked to video consultations in order to help improve their consultation skills. You will always be asked in advance if your consultation is scheduled for recording. If you decline, your consultation and treatment will not be affected.
The NHS operate a zero tolerance policy with regard to violence and abuse and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons. Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety.
In this situation, we will notify the patient in writing of their removal from the list and record in the patient’s medical records the fact of the removal and the circumstances leading to it.