Policies and Procedures

Introduction

In accordance with the General Data Protection Regulation, patients (data subjects) have the right to access their data and any supplementary information held by Thornbury Road Centre for Health; this is commonly known as a data subject access request (DSAR). Data subjects have a right to receive:

• Confirmation that their data is being processed
• Access to their personal data
• Access to any other supplementary information held about them

Options for access

As of April 2016, practices have been obliged to allow patients access to their health record online. This service will enable the patient to view coded information held in their health record. Prior to accessing this information, you will have to visit the practice and undertake an identity check before being granted access to your records.

In addition, you can make a request to be provided with copies of your health record. To do so, you must submit a Data Subject Access Request (DSAR) form; this can be submitted electronically and the DSAR form is available HERE. Once completed, please e-mail to [email protected]. Alternatively, a paper copy of the DSAR is available from reception. You will need to submit the form online or return the completed paper copy of the DSAR to the practice. Patients do not have to pay a fee for copies of their records.

Time frame

 Once the DSAR form is submitted, Thornbury Road Centre for Health will aim to process the request within 21 days; however, this may not always be possible. The maximum time permitted to process DSARs is one calendar month.

Exemptions

There may be occasions when the data controller will withhold information kept in the health record, particularly if the disclosure of such information is likely to cause undue stress or harm to you or any other person.

APPLICATION FORM FOR ACCESS TO HEALTH RECORDS – May 18

The Surgery prides itself in maintaining professional standards. For certain examinations during consultations an impartial observer (a “Chaperone”) will be required.

This impartial observer will be a practice Nurse or Health Care Assistant who is familiar with the procedure and be available to reassure and raise any concerns on your behalf. If a nurse in unavailable at the time of your consultation then your examination may be re-scheduled for another time.

You are free to decline any examination or chose an alternative examiner or chaperone. You may also request a chaperone for any examination or consultation if one is not offered to you. The GP may not undertake an examination if a chaperone is declined.

The role of a Chaperone:

• Maintains professional boundaries during intimate examinations.
• Acknowledges a patient’s vulnerability.
• Provides emotional comfort and reassurance.
• Assists in the examination..
• Assists with undressing patients, if required.

The practice complies with the Data Protection Act.  All information about patients is confidential: from the most sensitive diagnosis, to the fact of having visited the surgery or being registered at the Practice. All patients can expect that their personal information will not be disclosed without their permission except in the most exceptional of circumstances, when somebody is at grave risk of serious harm.

All members of the primary health care team (from reception to doctors) in the course of their duties will have access to your medical records. They all adhere to the highest standards of maintaining confidentiality.

As our reception area is a little public, if you wish to discuss something of a confidential nature please mention it to one of the receptionists who will make arrangements for you to have the necessary privacy.

Under 16s

The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person. Young people aged under 16 years can choose to see health professionals, without informing their parents or carers. If a GP considers that the young person is competent to make decisions about their health, then the GP can give advice, prescribe and treat the young person without seeking further consent.

However, in terms of good practice, health professionals will encourage young people to discuss issues with a parent or carer. As with older people, sometimes the law requires us to report information to appropriate authorities in order to protect young people or members of the public.

Useful Websites

• Confidentiality NHS Code of Practice
• Confidentiality and Mental Health
• Confidentiality Guidance

Please visit www.nhs.uk/conditions/coronavirus-covid-19/

If you have any special needs please let our staff know so that we can help and ensure you get the same support in the future.

Wheelchair access

The Surgery has been specially designed to make it easier for disabled patients to visit. There are no steps at the entrance of the building giving patients easy access. Due to fire regulations, we do have heavy fire doors, however if you have trouble opening these please ask Reception for assistance as they are always happy to help.

There are several dedicated disabled car parking spaces available immediately outside the front entrance of The Surgery.

We have a wheelchair for patient’s use, at their own risk, should you require one whilst visiting our premises.

We have two disabled toilets one on each floor.

Disabled Parking – Blue Badge Scheme

The Blue Badge scheme is for people with severe mobility problems. It allows Blue Badge holders to park close to where they need to go.

Loop System

We have a loop induction system at the reception desk to assist the hearing impaired. For more information on the loop hearing system visit Hearing Link website.

• British Deaf Association
• British Sign Language Healthy Mind
• Action Hearing Loss
• Royal Association for Deaf People
• National Deaf Children’s Society

Blind/Partially Sighted

If you or family members are blind or partially sighted we can give you a CD or large print of our practice leaflet upon request. Please ask Reception for further information.

For more advice and support for blind people please see the following websites:

• Royal National Institute of Blind People (RIND)
• Action for Blind People
• Blind.org.uk
• Blind in Business
• British Blind Sport

Guide Dogs

Guide dogs are welcome at the surgery but we ask that you be aware of other patients and staff who may have an allergy or fear of dogs.

Further Information:

• Guide Dogs

Other Disability Website

• BID Services
• Disability Go
• Disabled People, your Rights, Benefits, Carers and the Equality Act
• Disability Rights UK
• Living with a Disability NHS Choices
• Disability Now
• Disability Action
• Mencap
• Business Disability Forum

The Freedom of Information Act creates a right of access to recorded information and obliges a public authority to:

• Have a publication scheme in place
• Allow public access to information held by public authorities.

The Act covers any recorded organisational information such as reports, policies or strategies, that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland, however it does not cover personal information such as patient records which are covered by the Data Protection Act.

Public authorities include government departments, local authorities, the NHS, state schools and police forces.

The Act is enforced by the Information Commissioner who regulates both the Freedom of Information Act and the Data Protection Act.

The Surgery publication scheme

A publication scheme requires an authority to make information available to the public as part of its normal business activities. The scheme lists information under seven broad classes, which are:

• who we are and what we do
• what we spend and how we spend it
• what our priorities are and how we are doing it
• how we make decisions
• our policies and procedures
• lists and registers
• the services we offer

You can request our publication scheme leaflet at the surgery.

Who can request information?

Under the Act, any individual, anywhere in the world, is able to make a request to a practice for information. An applicant is entitled to be informed in writing, by the practice, whether the practice holds information of the description specified in the request and if that is the case, have the information communicated to him. An individual can request information, regardless of whether he/she is the subject of the information or affected by its use. 

How should requests be made?

Requests must:

• be made in writing (this can be electronically e.g. email/fax)
• state the name of the applicant and an address for correspondence
• describe the information requested.

What cannot be requested?

Personal data about staff and patients covered under Data Protection Act.

For more information see these websites:

• Legislation GOV.UK
• Information Commissioners Office

As a registered patient, Thornbury Road Centre for Health has a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records about your health and the treatment you receive in both electronic and paper format.

 Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information, or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer Dr Ernest Norman-Williams at [email protected]

The main things the law says we must tell you about what we do with your personal data are:

• We must let you know why we collect personal and healthcare information about you
• We must let you know how we use any personal and/or healthcare information we hold about you
• We need to inform you in respect of what we do with it
• We need to tell you about who we share it with or pass it on to and why
• We need to let you know how long we can keep it for

What is a privacy notice?

A privacy notice (or ‘fair processing notice’) explains the information we collect about our patients and how it is used. Being open and providing clear information to patients about how an organisation uses their personal data is an essential requirement of the new UK General Data Protection Regulations (UK GDPR).

Under the UK GDPR, we must process personal data in a fair and lawful manner. This applies to everything that is done with patient’s personal information. This means that the organisation must:

• Have lawful and appropriate reasons for the use or collection of personal data
• Not use the data in a way that may cause harm to the individuals (e.g., improper sharing of their information with third parties)
• Be open about how the data will be used and provide appropriate privacy notices when collecting personal data
• Handle personal data in line with the appropriate legislation and guidance
• Not use the collected data inappropriately or unlawfully

What is fair processing?

Personal data must be processed in a fair manner – the UK GDPR says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair processing means that the organisation has to be clear and open with people about how their information is used.

Thornbury Road Centre for Health manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and the General Medical Council.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• UK General Data Protection Regulations 2016
• Data Protection Act 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality and Information Security
• Information: To Share or Not to Share Review

This means ensuring that your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way.

The Health and Social Care Act 2012 changed the way that personal confidential data is processed so it is important that our patients are aware of and understand these changes and that you have an opportunity to object and know how to do so.

The healthcare professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g., NHS Hospital Trust, GP surgery, walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Who is the data controller?

Thornbury Road Centre for Health is registered as a data controller under the Data Protection Act 2018. Our registration number is Z9791943 and our registration can be viewed online in the public register at http://www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately when you are seen by us as a patient.

We may Also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.

 What type of information do we collect about you?

 Information held by this organisation may include the following:

• Your contact details (such as your name, address and email address)
• Details and contact numbers of your next of kin
• Your age range, gender, ethnicity
• Details in relation to your medical history
• The reason for your visit to the organisation
• Any contact the organisation and/or your practice has had with you including appointments (emergency or scheduled), clinic visits, etc.
• Notes and reports about your health, details of diagnosis and consultations with our GPs and other health professionals within the healthcare environment involved in your direct healthcare
• Details about the treatment and care received
• Results of investigations such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you
• Recordings of telephone conversations between yourself and the organisation

Information collected about you from others

We collect and hold data for the purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:

• It is required by law
• You provide your consent – either implicitly for the sake of your own care or explicitly for other purposes
• It is justified to be in the public interest

To ensure you receive the best possible care, your records are used to enable the care you receive. Information held about you may be used to help protect the health of the public and to help us to manage the NHS.

Information may be used for clinical audit purposes to monitor the quality of services provided, may be held centrally and may used for statistical purposes. Where we do this, we ensure that patient records cannot be identified.

Sometimes your information may be requested to be used for clinical research purposes – the organisation will always endeavour to gain your consent before releasing the information.

Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care. You can choose to withdraw your consent to your data being used in this way. When the organisation is about to participate in any new data-sharing scheme, we will make patients aware by displaying prominent notices and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.

A patient can object to their personal information being shared with other healthcare providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

What is special category data?

The law states that personal information about your health falls into a special category of information because it is extremely sensitive. Reasons that may entitle us to use and process your information may be as follows:

The legal justification for collecting and using your information

The law says we need a legal basis to handle your personal and healthcare information.

How do we use your information?

 Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest.

 In order to comply with its legal obligations, this organisation may have to send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, we may have to contribute to national clinical audits and will send the data that is required by NHS Digital as the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.

Under the General Data Protection Regulation, we will be lawfully using your information in accordance with:

• Article 6, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Who can we provide your personal information to and why?

Whenever you use a health or care service, such as attending the local hospital or using the district nursing service, clinical information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, researching to develop new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations.

However, as explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations because these organisations may require your information to assist them in the provision of your direct healthcare needs. It therefore may be important for them to be able to access your information in order to ensure they may deliver their services to you:

• Hospital professionals (such as doctors, consultants, nurses etc.)
• Other GPs/doctors
• Primary Care Networks
• NHS Trusts/Foundation Trusts/Specialist Trusts
• NHS Commissioning Support Units
• NHS England (NHSE) and NHS Digital (NHSD)
• Multi-agency Safeguarding Hub (MASH)
• Independent contractors such as dentists, opticians, pharmacists
• Any other person who is involved in providing services related to your general healthcare including mental health professionals
• Private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc.
• Voluntary sector providers
• Ambulance Trusts
• Integrated Care Systems
• Clinical Commissioning Groups
• Local authority
• Social care services
• Education services
• Other ‘data processors’, e.g., Diabetes UK

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.

Who may we provide your information to:

• For the purposes of complying with the law, e.g., the police
• Anyone you have given your consent to, to view or receive your record, or part of your record. If you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed
• Computer systems – we operate a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication. We will make information available to our partner organisations (above) unless you have declined data sharing to ensure you receive appropriate and safe care. Wherever possible, staff will ask your consent before your information is viewed.
• Extended access – we provide extended access services to our patients so that you can access medical services outside of our normal working hours. To provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group whereby certain key ‘hubs’ offer this service for you as a patient to access outside of our opening hours.

This means those key ‘hubs’ will have to have access to your medical record to be able to offer you the service. Please note to ensure that those hubs comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only

• Data extraction by the Clinical Commissioning Group – the Clinical Commissioning Group at times extracts medical information about you but the information we pass to them via our computer systems cannot identify you to them

This information only refers to you by way of a code that only your own practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this

Your rights as a patient

 The law gives you certain rights to your personal and healthcare information that we hold as set out below:

How long do we keep your personal information?

 We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.

More information on records retention can be found online at: NHSX – Records Management Code of Practice 2020.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a data processor as above.  We have data protection processes in place to oversee the effective and secure processing of your personal and/or special category data.

Thornbury Road Centre for Health uses a clinical system provided by a data processor called SystmOne.

Maintaining your confidentiality and accessing your records

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulations (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for Thornbury Road Centre for Health, an appropriate contract (Article 24-28) will be established for the processing of your information.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the organisation in writing if you wish to withdraw your consent.  In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Sharing your information without consent

We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example:

• Where there is a serious risk of harm or abuse to you or other people
• Safeguarding matters and investigations
• Where a serious crime, such as assault, is being investigated or where it could be prevented
• Notification of new births
• Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
• Where a formal court order has been issued
• Where there is a legal requirement, for example if you had committed a road traffic offence.

 Third party processors

To enable us to deliver the best possible services, we will share data (where required) with other NHS bodies such as hospitals. In addition, the organisation will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

• Companies that provide IT services and support, including our core clinical systems, systems that manage patient facing services (such as our website and service accessible through the same), data hosting service providers, systems that facilitate appointment bookings or electronic prescription services and document management services etc.
• Further details regarding specific third-party processors can be supplied on request to the data protection officer as below.

Third parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them that may breach their rights to confidentiality are removed before we send any information to any other party including yourself. Third parties can include spouses, partners and other family members.

Anonymised information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

Audit

 Auditing of clinical notes is done by Thornbury Road Centre for Health as part of their commitment to the effective management of healthcare whilst acting as a data processor.

Article 9.2.h is applicable to the management of healthcare services and “permits processing necessary for the purposes of medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems or services.’” No consent is required to audit clinical notes for this purpose.

Furthermore, compliance with Article 9(2)(h) requires that certain safeguards are met. The processing must be undertaken by or under the responsibility of a professional subject to the obligation of professional secrecy or by another person who is subject to an obligation of secrecy.

Auditing clinical management is no different to a multi-disciplinary team meeting discussion whereby management is reviewed and agreed. It would be realistically impossible to require consent for every patient reviewed that is unnecessary.

It is also prudent to audit under Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation 17: Good Governance.

GP connect service

The GP connect service allows authorised clinical staff at NHS 111 to seamlessly access our clinical system and book directly on behalf of a patient. This means that, should you call NHS 111 and the clinician believes you need an appointment, the clinician will access available appointment slots only (through GP Connect) and book you in. This will save you time as you will not need to contact the organisation directly for an appointment.

We will not be sharing any of your data and we will only allow NHS 111 to see available appointment slots. They will not even have access to your record. However, NHS 111 will share any relevant data with us but you will be made aware of this. This will help in knowing what treatment/service/help you may require.

Invoice validation

Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

CCTV Images

Closed circuit television (CCTV) is installed at the practice premises for the purposes of staff, patient and premises security. Cameras are located at various places on the premises, and images from the cameras are recorded.

Should you require more information about the type of images which are recorded and retained, the purposes for which the images are recorded and retained and information about the disclosure policy, please ask for the a copy of the CCTV Policy and Code of practice Leaflet.

Data subjects have a right of access to see images which have been recorded. Requests for access to images will be made using the ‘Application to access to CCTV images’ form.

OpenSAFELY COVID-19 Service

The system provides access to de-identified (pseudonymised) personal data to support Approved Users (academics, analysts, and data scientists) to undertake approved projects for COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.

NHS health checks

Cohorts of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check.  Nobody outside the healthcare team in Thornbury Road Centre for Health will see confidential information about you during the invitation process.

 Child Health Information

We wish to make sure that your child has the opportunity to have immunisations and health checks when they are due. We share information about childhood immunisations, the 6-8-week new baby check and breast-feeding status with NHS HRCH health visitors and school nurses, and with North West London Child Health Information Service (CHIS), who provide the Child Health Information Service on behalf of NHS England.

Individual Funding Request

An ‘Individual Funding Request’ is a request made on your behalf, with your consent, by a clinician, for funding of specialised healthcare which falls outside the range of services and treatments that CCG has agreed to commission for the local population. An Individual Funding Request is taken under consideration when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental and where there are no other similar patients who would benefit from this treatment. A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.

Supporting Medicines Management

 NWL Clinical Commissioning Groups use pharmacist and prescribing advice services to support local GP practices with prescribing queries, which may require identifiable information to be shared. These pharmacists work with your usual GP to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is appropriate for your needs, safe and cost- effective. Where specialist prescribing support is required, the CCG medicines management team may provide relating to obtaining medications on behalf of your GP Practice to support your care.

Anticoagulation Date Managed with INRstar

 We use LumiraDx Care Solutions UK Ltd who manufacture INRstar which is the software used to support the monitoring of patients who are take Warfarin. They act as data processors on behalf of our practice for the anticoagulation data recorded on those patients. INRstar are moving these patient records to cloud based services on 25th – 27th June 2021. The data residency will remain in England in a UK Government approved data centre. Further details on their privacy policy and data protection impact assessment can be found at www.lumiradxcaresolutions.com/legal

iGPR

 We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for. iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.

Push Doctor video consultations

 Our Practice offers video consultations with an online GP provided by a third party company called Push Doctor.

When you are seen by a Push Doctor GP, the GP can access your NHS medical records in order to provide you with care and can make additions to your NHS medical records to record the care that you have received. Push Doctor GPs are responsible for ensuring that

they access information appropriately and that the information they add to your NHS medical records is accurate. Push Doctor GPs do not have access to NHS medical records other than to inform and record the care provided to you.

When using this service, Push Doctor will also record information about you. When registering for this service, Push Doctor will provide you with their privacy notice explaining how they will use your personal information. The use of Push Doctor is optional. Push Doctor will let the practice know which patients are registered for the service and which patients had an appointment.

A copy of the Push Doctor privacy notice can be found at: https://www.pushdoctor.co.uk/privacy

In order to ensure the quality and safety of its services, Push Doctor uses medical officers to review patient files to check whether appropriate care has been provided. These medical officers are all medically qualified. Push Doctor Medical Officers do not have access to NHS medical records other than to carry out their quality assurance work.

If you want to exercise any of your data protection rights on information held in your NHS GP records please contact us. We will work with your Push Doctor GP as needed.

We have agreements in place with Push Doctor to ensure the confidentiality and security of your information. A Data Protection Impact Assessment has also been carried out for this processing.

Patient communication

As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone should we need to notify you about appointments and other services that we provide to you involving your direct care. This is to ensure we are sure we are contacting you and not another person. As this is operated on an ‘opt out’ basis we will assume that you have given us permission to contact you via SMS if you have provided your mobile telephone number. Please let the organisation know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us.

Primary care networks

The objective of primary care networks (PCNs) is for group practices together to create more collaborative workforces that ease the pressure of GPs, leaving them better able to focus on patient care. All areas within England are covered by a PCN.

Primary Care Networks form a key building block of the NHS long-term plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons including improving the ability of practices to recruit and retain staff, to manage financial and estates pressures, to provide a wider range of services to patients and to integrate with the wider health and care system more easily.

All GP practices have come together in geographical networks covering populations of approximately 30–50,000 patients to take advantage of additional funding attached to the GP contract. This size is consistent with the size of the primary care homes that exist in many places in the country but are much smaller than most GP federations.

This means that Thornbury Road Centre for Health may share your information with other practices within the Primary Care Network to provide you with your care and treatment.

Risk stratification

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g., cancer. Your information is collected by a number of sources including Thornbury Road Centre for Health. This information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.

Safeguarding

The organisation is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do.

Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:

• Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is:

• Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Safeguarding information such as referrals to safeguarding teams is retained by Thornbury Road Centre for Health when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).

Shared care

 To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems.  You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent.

Telephone system

Our telephone system records all incoming & outgoing telephone calls.  Recordings are retained for up to three years and are used periodically for the purposes of seeking clarification where there is a dispute as to what was said and for staff training. Access to these recordings is restricted by password to the practice management team.

Calls are recorded and stored by X-ON. The recordings are kept on their servers in a secure environment that cannot be accessed externally except by authenticated users.

X-On satisfy the security requirements for:

• ISO 27001 Security Standards certification
• ISO 9001 Quality Management System Standards certification

X-on are a Crown Commercial Service Supplier and have been assessed against the NHS Information Governance Toolkit.

For more information please visit: https://www.x-on.co.uk/knowledge-base/gdpr/

Opt-outs

National opt-out facility

This is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services such as screening for bowel cancer.

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out by using one of the following:

• Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice
• Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700
• NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google play
• “Print and post” registration form: https://assets.nhs.uk/prod/documents/Manage_your_choice_1.1.pdf

Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application.  It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ.

• Getting a healthcare professional to assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings, guidance is available on NHS Digital and a proxy form is available to assist in registration.

Note: Unfortunately, the national data opt-out cannot be applied by this organisation.

General Practice Data for Planning and Research opt out (GPDPR)

The NHS needs data about the patients it treats to plan and deliver its services and to ensure that the care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. For example, patient data can help the NHS to:

• Monitor the long-term safety and effectiveness of care
• Plan how to deliver better health and care services
• Prevent the spread of infectious diseases
• Identify new treatments and medicines through health research

GP practices already share patient data for these purposes but this new data collection will be more efficient and effective. This means that GPs can get on with looking after their patients and NHS Digital can provide controlled access to patient data to the NHS and other organisations who need to use it, to improve health and care for everyone.

Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.

NHS Digital has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.

What patient data is shared about you with NHS Digital?

The collection date is still to be confirmed, although when it has been, patient data will be collected from GP medical records about:

• Any living patient registered at a GP practice in England when the collection started – this includes children and adults
• Any patient who died after the data collection started and was previously registered at a GP practice in England when the data collection started

They will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, postcode and date of birth, is replaced with unique codes that are produced by de-identification software before the data is shared with NHS Digital.

This process is called pseudonymisation and means that no one will be able to directly identify you from the data. The diagram below helps to explain what this means. The diagram below helps to explain what this means and using the terms in the diagram, the data we share would be described as de-personalised.

Image provided by Understanding Patient Data under licence.

 The data collected by NHS Digital

We will share structured and coded data from GP medical records that is needed for specific health and social care purposes as explained above.

Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS Digital. This means that no one will be able to directly identify you in the data.

NHS Digital will collect:

• Data on your sex, ethnicity, and sexual orientation
• Clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls and appointments including information about your physical, mental, and sexual health
• Data about the staff who have treated you

More detailed information about the patient data collected is contained within the Data Provision Noticed issued to GP practices.

NHS Digital will not collect:

• Your name and address (except for your postcode in unique coded form)
• Written notes (free text) such as the details of conversations with doctors and nurses
• Images, letters and documents
• Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
• Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment and certain information about gender re-assignment

NHS Digital legal basis for collecting, analysing and sharing patient data

When NHS Digital collects, analyses, publishes and shares patient data, there are strict laws in place that it must follow. Under the UK General Data Protection Regulation (UK GDPR), this includes explaining to patients what legal provisions apply under UK GDPR that allows it to process patient data. The UK GDPR protects everyone’s data.

NHS Digital has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP practices for health and social care purposes including policy, planning, commissioning, public health and research purposes. NHS Digital is the controller of the patient data collected and analysed under the GDPR jointly with the Secretary of State for Health and Social Care.

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.

NHS Digital has various powers to publish anonymous statistical data and to share patient data under sections 260 and 261 of the 2012 Act. It also has powers to share data under other Acts, for example the Statistics and Registration Service Act 2007.

Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) also allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency. The Secretary of State has issued legal notices under COPI (COPI Notices) requiring NHS Digital, NHS England and Improvement, arm’s-length bodies (such as Public Health England), local authorities, NHS trusts, clinical commissioning groups and GP practices to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use confidential patient information.

How NHS Digital uses patient data

NHS Digital will analyse and link the patient data we collect with other patient data we hold to create national data sets and for data quality purposes. NHS Digital will be able to use the de-identification software to convert the unique codes back to data that could directly identify patients in certain circumstances for these purposes, where this is necessary and where there is a valid legal reason. There are strict internal approvals which need to be in place before NHS Digital can do this and this will be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD).

These national data sets are analysed and used by NHS Digital to produce national statistics and management information including public dashboards about health and social care which are published. NHS Digital never publish any patient data that could identify any individual. All data they publish is anonymous statistical data.

For more information about data NHS Digital publish see Data and Information and Data Dashboards.

Who does NHS Digital share patient data with?

All data that is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will be shared.

All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHS Digital’s Data Access Request Service to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.

These requests for access to patient data will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.

There are several organisations that are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:

• The Department of Health and Social Care and its executive agencies including Public Health England and other government departments
• NHS England and NHS Improvement
• Primary care networks (PCNs), clinical commissioning groups (CCGs) and integrated care organisations (ICOs)
• Local authorities
• Research organisations including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies

If the request is approved, the data will either be made available within a secure data access environment within the NHS Digital infrastructure or, where the needs of the recipient cannot be met this way, as a direct dissemination of data. NHS Digital plan to reduce the amount of data being processed outside central, secure data environments and increase the data it makes available to be accessed via its secure data access environment.

Data will always be shared in the uniquely coded form (de-personalised data in the diagram above) unless in the circumstances of any specific request it is necessary for it to be provided in an identifiable form (personally identifiable data in the diagram above), for example, when express patient consent has been given to a researcher to link patient data from the General Practice for Planning and Research collection to data the researcher has already obtained from the patient. It is therefore possible for NHS Digital to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason which permits this without breaching the common law duty of confidentiality. This would include:

• Where the data is needed by a health professional for the patient’s own care and treatment
• Where the patient has expressly consented to this, for example to participate in a clinical trial
• Where there is a legal obligation, for example where there are COPI Notices
• Where approval has been provided by the Health Research Authority or the Secretary of State with support from the Confidentiality Advisory Group (CAG) under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) – this is sometimes known as a ‘section 251 approval’

This would mean that the data was personally identifiable in the diagram above. Re-identification of the data would only take place following approval of the specific request through the Data Access Request Service and subject to independent assurance by IGARD and consultation with the Professional Advisory Group which is made up of representatives from the BMA and the RCGP. If patients have registered a national data opt-out this would be applied in accordance with the national data opt-out policy before any identifiable patient data (personally identifiable data in the diagram above) about the patient was shared.

Details of who NHS Digital have shared data with, in what form and for what purposes are published on their data release register.

Where does NHS digital store patient data?

NHS Digital only stores and processes patient data for this data collection within the United Kingdom (UK). Fully anonymous data (that does not allow patients to be directly or indirectly identified), for example statistical data that is published, may be stored and processed outside of the UK.

Some of the NHS Digital processors may process patient data outside of the UK. If they do, they will always ensure that the transfer outside of the UK complies with data protection laws.

What to do if you have any questions

 Should you have any questions about our privacy policy or the information we hold about you, you can:

3. Contact the organisation via email at [email protected] GP practices are data controllers for the data they hold about their patients [1]
4. Write to the data protection officer at [email protected]
5. Ask to speak to the practice manager Maria Power or their deputy Gilly Bevan

The data protection officer (DPO) for Thornbury Road Centre for Health is  Dr Ernest Norman-Williams

Objections or complaints

 In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the practice manager at [email protected] in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113.

The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

Changes to our privacy policy

 We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes. This policy is to be reviewed 13/07/2025

[1] BMA GPs as data controllers under the GDPR

GP2GP enables patients’ electronic health records to be transferred directly and securely between GP practices. It improves patient care as GPs will usually have full and detailed medical records available to them for a new patient’s first consultation.

Patient benefits

When patients move practices, paper medical records can take weeks to arrive but GP2GP transfers are faster, more reliable and more secure than the existing paper-based method of transferring patient records. This means your new practice will have your full and detailed medical record available in time for your very first appointment.

FAQs

1. What is GP2GP?
   GP2GP is the technology that transfers your electronic health record directly and securely from your previous GP when you register at this practice.
2. Does my old practice need to be using GP2GP for my electronic health record to be transferred electronically?
   Yes, both practices need to be using GP2GP. If they are not, only your paper medical record will be sent and will include a print-out of your electronic health record from your previous practice.
3. What happens to my paper record?
   Your paper medical record will also be transferred to this practice. This usually takes about six to eight weeks. In the future when all practices are using GP2GP the need for sending paper records may be reviewed.
4. What information will be transferred in my electronic health record?
   The information contained within your electronic health record at your previous practice will be transferred. This includes information about your medications, allergies, adverse reactions, immunisations and vaccinations, laboratory results, diagnoses, medical history and letters from specialists.
5. Will my repeat prescriptions be automatically transferred as well?
   Yes, GP2GP transfers all the information about your medications. Your new GP will review all the medicines you are taking before authorising any repeat prescription.
6. I am registering as a temporary resident. Will my electronic health record still be transferred electronically?
   No. If you are registering as a temporary resident your health records remain at your usual practice and are not transferred either as paper or via GP2GP. Your temporary practice will contact your registered GP if they require any information.
7. Where can I find out more about GP2GP
   Our practice staff should be able to answer any queries you may have. You can also read about GP2GP on the Health and Social Care Information Centre website: www.hscic.gov.uk/gp2gp

We aim to keep our surgery clean and tidy and offer a safe environment to our patients and staff. We are proud of our modern, purpose built Practice and endeavour to keep it clean and well maintained at all times.

If you have any concerns about cleanliness or infection control, please report these to our Reception staff.

Our practice infection control lead is Alexia De Castro Marlton

Our GPs and nursing staff follow our Infection Control Policy to ensure the care we deliver and the equipment we use is safe.

We take additional measures to ensure we maintain the highest standards:

• Encourage staff and patients to raise any issues or report any incidents relating to cleanliness and infection control.  We can discuss these and identify improvements we can make to avoid any future problems.
• Carry out an annual infection control audit to make sure our infection control procedures are working.
• Provide annual staff updates and training on cleanliness and infection control
• Review our policies and procedures to make sure they are adequate and meet national guidance.
• Maintain the premises and equipment to a high standard within the available financial resources and ensure that all reasonable steps are taken to reduce or remove all infection risk.
• Use washable or disposable materials for items such as couch rolls, modesty curtains, floor coverings, towels etc, and ensure that these are laundered, cleaned or changed frequently to minimise risk of infection.
• Make Alcohol Hand Rub Gel available throughout the building

Please see our Infection prevention control statement Jan 23

We are committed to protecting your privacy. You can access our website without giving us any information about yourself. But sometimes we do need information to provide services that you request, and this statement of privacy explains data collection and use in those situations.

In general, you can visit our web site without telling us who you are and without revealing any information about yourself. However there may be occasions when you choose to give us personal information, for example, when you choose to contact us or request information from us. We will ask you when we need information that personally identifies you or allows us to contact you.

We collect the personal data that you may volunteer while using our services. We do not collect information about our visitors from other sources, such as public records or bodies, or private organisations. We do not collect or use personal data for any purpose other than that indicated below:

• To send you confirmation of requests that you have made to us
• To send you information when you request it.

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should be aware that we do not have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites.

We intend to protect the quality and integrity of your personally identifiable information and we have implemented appropriate technical and organisational measures to do so. We ensure that your personal data will not be disclosed to State institutions and authorities except if required by law or other regulation.

Wherever you visit an NHS service in England a record is created for you. This means  medical information about you can be held in various places, including your GP practice, any hospital where you’ve had treatment, your dentist practice, and so on.

At times, this can delay information sharing which can affect decision making and slow down treatment.

To help improve the sharing of important information about you there are several different record sharing initiatives. You can find information about the different types of record sharing & how to OPT-OUT using the links below.

• National Data Opt-Out
• Summary Care Record (Automatic opt-in)
• SystmOne Record Sharing (Automatic opt-in)
• WSIC Dashboard (Automatic opt-in)

Candidates applying for work privacy notice

Introduction

At Thornbury Road Centre for Health, we have a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records during the recruitment stage and then data is continued to be collected for any successful candidate. This is in both electronic and paper format.

This privacy notice applies to personal information processed by or on behalf of Thornbury Road Centre for Health. We are required to provide you with this privacy notice by law. It provides information on how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our practice manager at [email protected]

This notice explains:

• Who we are, how we use your information and our Data Protection Officer (DPO)
• What kind of personal information about you we process
• What the legal grounds are for our processing of your personal information (including when we share it with others)
• What you should do if your personal information changes
• How long your personal information is retained by us
• What your rights are under data protection laws

The UK General Data Protection Regulation (UK GDPR) became law on 24th May 2016. This is a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25th May 2018, repealing the Data Protection Act (1998).

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and the Data Protection Act 2018 (DPA2018) the organisation responsible for your personal data is Thornbury Road Centre for Health.

This notice describes how we collect, use and process your personal data and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us and we are committed to protecting and safeguarding your data privacy rights. This privacy policy applies to the personal data collected from candidates applying for roles within the organisation.

 How we use your information and the law

 Thornbury Road Centre for Health will be what is known as the ‘controller’ of the personal data you provide to us. Upon applying for work with the organisation you will be asked to supply the following personal information:

• Name
• Address
• Telephone numbers
• Email address
• Date of birth
• Previous employment data
• Recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of your employment history, skills and experience
• Information about your current level of remuneration, including benefit entitlements
• Whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process
• Information in relation to your right to work in the UK [as per the Rights to Work in the UK – guide to checking]
• Information from the Disclosure and Barring Service (DBS) in order to administer relevant checks and procedures
• Vaccination and immunisation status/information

The information that we ask you to provide to the organisation is required for the following reasons:

• In order for us to review your application
• In order for us to contact you with interview details
• To comply with appropriate employment law
• To ensure that we can provide any reasonable adjustments as necessary

The organisation may collect this information in a variety of ways, for example from application forms, CVs or resumes, obtained from your passport or other identity documents such as your driving licence and from forms completed by you or through interviews, meetings or other assessments including on-line tests.

This personal data might be provided to us by you, or someone else (such as a former employer’s reference, information from background check providers including criminal records checks permitted by law) or it could be created by us.

The organisation will seek information from third parties only once a job offer has been made to you and we will inform you that we are doing so.

Your personal data will be stored in a range of different places including in your application record, in the organisation’s HR management systems and in other IT systems (including the organisation’s email system).

Throughout the application process we will collect data and add this to your personnel file i.e., interview question answers, interview scores etc.

Special categories of personal data

 Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to job applicants with disabilities).

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where we seek this information, we do so because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment.

 Where the organisation processes other special categories of personal data such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the organisation uses for these purposes is anonymised or is collected with the express consent of job applicants which can be withdrawn at any time. Job applicants are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

If your application is unsuccessful, the organisation may keep your personal data on file in case there are future job opportunities for which you may be considered. We will seek your consent to do this and you are free to withdraw your consent at any time.

How do we lawfully use your data?

 We need to know your personal, sensitive and confidential data in order to employ you. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:

• Article 6, (b) Necessary for performance of/entering into contract with you
• Article 9(2) (b) Necessary for controller to fulfil employment rights or obligations in employment

This notice applies to the personal data of our candidates applying for work at Thornbury Road Centre for Health.

How do we maintain the confidentiality of your record?

 We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• Data Protection Act 2018
• The UK General Data Protection Regulations
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• NHS Codes of Confidentiality, Information Security and Records Management

We will only ever use or pass on information about you to others who have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on.

Our policy is to respect the privacy of our candidates and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data will be protected.

All employees and sub-contractors engaged by Thornbury Road Centre for Health are asked to sign a confidentiality agreement. The organisation will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for Thornbury Road Centre for Health an appropriate contract (art 24-28) will be established for the processing of your information.

Where do we store your information electronically?

All the personal data we process is processed by our organisation in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place.  We have a data protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

• Primary Care Networks
• Integrated Care Systems
• NHS Commissioning Support Units
• Clinical Commissioning Groups
• NHS England (NHSE) and NHS Digital (NHSD)
• Local authorities
• CQC
• Private sector providers providing employment services
• Other ‘data processors’ which you will be informed of

Sharing your personal data

Your information may be shared internally for the purpose of the recruitment exercise including with members of the HR and recruitment team, interviewers in the recruitment process, managers in the business area with the vacancy and IT staff if access to the data is necessary for performance of their roles.

The organisation will not share your personal data with third parties except those engaged for the purposes of the recruitment process or unless your application for employment is successful and we make you an offer of employment.  We will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal record checks.

The organisation will not transfer your data to countries outside the European Economic Area.

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

We may also use external companies to process personal information such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.  All employees and sub-contractors engaged by Thornbury Road Centre for Health are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the organisation, an appropriate contract (art 24-28) will be established for the processing of your information.

Who is the data controller?

Thornbury Road Centre for Health is registered as a data controller under the Data Protection Act 2018. Our registration can be viewed online in the public register at http://www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately.

We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.

How long do we keep your personal information?

 We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.

If your application is unsuccessful, the organisation will hold your personal data for a period of six months following the recruitment process. If you agree to allow the organisation to keep your personal data on file, for consideration for future job opportunities, we will hold your data for a further six months.  At the end of that period (or once you withdraw consent), your data will be deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment.

More information on records retention can be found online at: NHSX – Records Management Code of Practice 2020.

Storing DBS certificates

The correct storage of DBS certificate information is important. The code of practice requires that the information revealed is considered only for the purpose for which it was obtained and should be destroyed after six months.

How can you access, amend or move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. For further information about this, please contact the practice manager. We will seek to deal with your request without undue delay and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

• Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
• Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.
• Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
• Right of data portability: If you wish, you have the right to transfer your data from us to another data controller.

Your rights as a candidate applying for work

 Data Subject Access Requests (DSAR): You have a right under the data protection legislation to request access to view or to obtain copies of what information this organisation holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

• Your request should be made to the practice manager: Maria Power [email protected]
• There is no charge to have a copy of the information held about you. However we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive
• We are required to provide you with information within one month. We would ask therefore that any requests you make are in writing and it is made clear to us what and how much information you require
• You will need to give adequate information (for example full name, address, date of birth and details of your request) so that your identity can be verified and your records located

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the practice manager as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number).

What to do if you have any questions

 Should you have any questions about this privacy policy or the information we hold about you, you can:

3. Contact the organisation via email at [email protected]
4. Write to the data protection officer at NW London CCGs primary care Data Protection Officer service and they can be contacted by e-mail: [email protected]
5. Ask to speak to the practice manager Maria Power

The data protection officer (DPO) for Thornbury Road Centre for Health is NW London CCGs primary care Data Protection Officer service

Objections or complaints

 In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the practice manager Maria Power at Thornbury Road Centre for Health, Thornbury Road, Isleworth, TW& 4HQ in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113

The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

Changes to our privacy policy

 We regularly review our employee privacy policy and any updates will be published to reflect the changes. This policy is to be reviewed 15/12/2022.

New contractual requirements came into force from 1 April 2014 requiring that GP Practices should make available a statement of intent in relation to the following IT developments :

• Summary Care Record (SCR)
• GP to GP Record Transfers
• Patient Online Access to Their GP Record
• Data for commissioning and other secondary care purposes

The same contractual obligations require that we have a statement of intent regarding these developments in place and publicised by 30 September 2014.
Please find below details of the practices stance with regards to these points.

Summary Care Record (SCR)

NHS England require practices to enable successful automated uploads of any changes to patient’s summary information, at least on a daily basis, to the summary care record (SCR) or have published plans in place to achieve this by 31st of March 2015.
Having your Summary Care Record (SCR) available will help anyone treating you without your full medical record. They will have access to information about any medication you may be taking and any drugs that you have a recorded allergy or sensitivity to.
Of course if you do not want your medical records to be available in this way then you will need to let us know so that we can update your record. You can do this via the opt out form.
The practice confirms that your SCR is automatically updated on at least a daily basis to ensure that your information is as up to date as it can possibly be.

GP to GP Record Transfers

NHS England require practices to utilise the GP2GP facility for the transfer of patient records between practices, when a patient registers or de-registers (not for temporary registration).
It is very important that you are registered with a doctor at all times. If you leave your GP and register with a new GP, your medical records will be removed from your previous doctor and forwarded on to your new GP via NHS England. It can take your paper records up to two weeks to reach your new surgery.
With GP to GP record transfers your electronic record is transferred to your new practice much sooner.
The practice confirms that GP to GP transfers are already active and we send and receive patient records via this system.

Patient Online Access to Their GP Record

NHS England require practices to promote and offer the facility to enable patients online access to appointments, prescriptions, allergies and adverse reactions or have published plans in place to achieve this by 31st of March 2015.
We currently offer the facility for booking and cancelling appointments and also for ordering your repeat prescriptions and viewing  a summary of your medical records on-line. If you do not already have a user name and password for this system – please register your interest  with our reception staff.

Data for commissioning and other secondary care purposes

It is already a requirement of the Health and Social Care Act that practices must meet the reasonable data requirements of commissioners and other health and social care organisations through appropriate and safe data sharing for secondary uses, as specified in the technical specification for care data.
At our practice we have specific arrangements in place to allow patients to “opt out” of care.data which allows for the removal of data from the practice. Please see the page about care data on our website

The Practice confirm these arrangements are in place and that we undertake annual training and audits to ensure that all our data is handled correctly and safely via the Information Governance Toolkit.

We welcome all comments on the services provided by the Practice.

You may submit any comments via our online Patient Feedback form below.

Please note: This form should only be used to provide your feedback on the website, your experiences as a patient or the services we provide. Please do not use it to ask questions or request prescriptions as we are unable to respond or deal with these requests via the form – please use our Online Services instead.

Alternatively you may write to us or contact us by phone or fax.  Our details can be found on our Feedback, Compliments and Complaint page.

You must OPT-IN if you want to receive information from us via e-mail or text message,  (including appointment confirmation text message and appointment reminder text messages)

You may have heard about the new General Data Protection Regulation (GDPR) that came into effect on 25 May 2018. To comply with GDPR consent requirements we need to confirm that you would like to receive information via text message and e-mail from the surgery.

Thornbury Road Centre for Health would like to contact you by text message and/or e-mail. During this digital age, text messages and e-mails are an efficient way to communicate with patients. If you agree to receive text message and e-mails from the practice, this will include;

• Appointment booking confirmation (text message)
• Appointment booking reminders the day before your appointment (text message)
• Notification of missed appointments (text message)
• Requests for you to contact the surgery
• Notification when test results are back, and if we need to speak to you
• Reminders to book an appointment (e.g. For immunisations, annual check-ups, blood tests)
• Invitation to appointments you are eligible for (e.g. NHS health checks, cervical screening)
• Health campaign information
• Surgery information / updates (e.g. Change in opening hours, new service starting etc)
• Information about the status of a referral to hospital or specialist service
• Information about your medication and prescriptions
• Information about other services (e.g. contact details)
• Requests for feedback following attendance at the surgery (friends and family test)

To OPT-IN, please click HERE to complete the opt-in form and this will be updated within 72 hours.

Last updated 18/12/24

Patient’s Rights

We are committed to giving you the best possible service. This will be achieved by working together. Help us to help you. You have a right to, and the practice will try to ensure that:

• You will be treated with courtesy and respect
• You will be treated as a partner in the care and attention that you receive
• All aspects of your visit will be dealt with in privacy and confidence
• You will be seen by a doctor of your choice subject to availability
• In an emergency, out of normal opening hours, if you telephone the practice you will be given the number to receive assistance, which will require no more than one further call
• You can bring someone with you, however you may be asked to be seen on your own during the consultation
• Repeat prescriptions will normally be available for collection within two working days of your request
• Information about our services on offer will be made available to you by way of posters, notice boards and newsletters
• You have the right to see your medical records or have a copy subject to certain laws.

Patient’s Responsibilities

With these rights come responsibilities and for patients we would respectfully request that you:

• Treat practice staff and doctors with the same consideration and courtesy that you would like yourself. Remember that they are trying to help you
• Please ensure that you order your repeat medication in plenty of time allowing 48 working hours.
• Please ensure that you have a basic first aid kit at home and initiate minor illness and self-care for you and your family.
• Please attend any specialist appointments that have been arranged for you or cancel them if your condition has resolved or you no longer wish to attend
• Please follow up any test or investigations done for you with the person who has requested the investigation
• Attend appointments on time and check in with Reception
• Patients who are more than 20 minutes late for their appointment may not be seen.
• If you are unable to make your appointment or no longer need it, please give the practice adequate notice that you wish to cancel. Appointments are heavily in demand and missed appointments waste time and delay more urgent patients receiving the treatment they need
• An appointment is for one person only. Where another family member needs to be seen or discussed, another appointment should be made
• Patients should make every effort to present at the surgery to ensure the best use of nursing and medical time. Home visits should be medically justifiable and not requested for social convenience
• Please inform us when you move home, change your name or telephone number, so that we can keep our records correct and up to date
• Read the practice leaflets and other information that we give you. They are there to help you use our services. If you do not understand their content please tell us
• Let us have your views. Your ideas and suggestions whether complimentary or critical are important in helping us to provide a first class, safe, friendly service in pleasant surroundings.

NHS Constitution

The NHS Constitution establishes the principles and values of the NHS in England. For more information see these websites:

• GOV.UK – The NHS Constitution for England
• NHS Choices – NHS Constitution

The practice fully supports the NHS Zero Tolerance Policy. The aim of this policy is to tackle the increasing problem of violence against staff working in the NHS and ensures that doctors and their staff have a right to care for others without fear of being attacked or abused.

We understand that ill patients do not always act in a reasonable manner and will take this into consideration when trying to deal with a misunderstanding or complaint. We ask you to treat your doctors and their staff courteously and act reasonably.

All incidents will be followed up and you will be sent a formal warning after a second incident or removed from the practice list after a third incident if your behaviour has been unreasonable.

However, aggressive behaviour, be it violent or verbal abusive, will not be tolerated and may result in you being removed from the Practice list and, in extreme cases, the Police will be contacted if an incident is taking place and the patient is posing a threat to staff or other patients.

Removal from the Practice List

A good patient-doctor relationship, based on mutual respect and trust, is the cornerstone of good patient care. The removal of patients from our list is an exceptional and rare event and is a last resort in an impaired patient-practice relationship. When trust has irretrievably broken down, it is in the patient’s interest, just as much as that of The Surgery, that they should find a new practice. An exception to this is on immediate removal on the grounds of violence e.g. when the Police are involved.

Removing other members of the household

In rare cases, however, because of the possible need to visit patients at home it may be necessary to terminate responsibility for other members of the family or the entire household. The prospect of visiting patients where a relative who is no longer a patient of the practice by virtue of their unacceptable behaviour resides, or being regularly confronted by the removed patient, may make it too difficult for the practice to continue to look after the whole family. This is particularly likely where the patient has been removed because of violence or threatening behaviour and keeping the other family members could put doctors or their staff at risk.