Downloadable privacy notices
Please click the links below to view; alternatively, the same information is available by scrolling down this page.
Patient GDPR Practice privacy notice – England 1.3 for patients
Privacy_notice_National_data_opt_out_for_GP_practices July 2022
MMC Patient Privacy Notice 27.02.24
Please click on the links below to view our GDPR privacy notices 2024
Data Protection Privacy Notice Landing Pagev0.1.docx
Human Resources Privacy Notice Template v0.2
GP Planning and Research Privacy Notice Templatev0.2.docx
GP Statutory Disclosures Privacy Notice Templatev0.2.docx
Patient Privacy Notice
How we use your personal information
Memorial Medical Centre collects personal information about you in order to provide your health care. When doing this the Memorial Medical Centre must respect your confidentiality and comply with all applicable Data Protection legislation.
Our Lawful bases for processing your personal information
We must, among other things, ensure personal information held about you is only used for specific purposes allowed by law. The Memorial Medical Centre collects and processes your personal information as it is necessary for the purposes of preventative or occupational medicine, medical diagnosis, and the provision of health or social care or treatment. This leaflet answers questions you might ask about what personal information we hold, why, and to whom it may be passed.
What personal information do we collect?
The personal information we collect, store and use about you can include:
- Personal details e.g. name, date of birth, nationality, gender and NHS number.
- Contact details e.g. phone number, email address and address.
- Equality and diversity information about you. This may include special category personal data like details of your ethnicity, sexual orientation, religious beliefs or opinion, biometric data, criminal convictions and offences.
- Information about next of kin or carers (including their contact details and their relevant medical history if required).
- Notes and reports relevant to your health, including any information you have told us about your health.
- Details of your treatment and care, including the professional opinion of the staff caring for you.
- Results of investigations, such as laboratory tests, scans and x-rays
- Relevant information from health and social care professionals, relatives or those who care for you.
- Communications, for example letters and emails between an NHS Trust providing your treatment and you.
A full list of all of the people we share with can be found via the Memorial Medical Centre's privacy notice which is on our website at www.memorialmedicalcentre.co.uk and displayed in our waiting room.
What can we use your personal information for?
We can use your personal information to:
- Provide you with health or social care.
- Help other organisations provide you with health or social care.
- If you agree, to help other organisations provide you with other public services.
- Communicate with you and if appropriate your next of kin, about your care.
- Carry out internal audits and monitor the care we provide to ensure it is of the highest standard.
- Monitor equality and diversity.
- We may use anonymised data to help train and educate our staff. Should we use identifiable personal data we would always obtain your consent.
- Respond to complaints.
- Respond to queries from regulators like NHS Digital, the Integrated Care Board, the General Medical Council, the Audit Commission, the Nursing & Midwifery Council and the Health Service Ombudsman.
- Conduct legal claims or seek legal advice.
- Provide information to national registries that systematically collect data about particular conditions to help research which is only undertaken when consent is given.
How do you store my records?
Personal information may be stored electronically on a computer system and/or manually in a paper record form. When you arrive for an appointment, staff may check your details with you to ensure that our records are accurate. To assist with this, we ask that you notify us promptly of any changes to your personal details e.g. contact address, contact phone number, email address, next of kin etc.
Sharing your personal data
Your personal data will only be disclosed to those who have a genuine need to know and who agree to keep your information confidential. For your direct care we often share information with:
- GP federations, Sittingbourne PCN and out of hours providers.
- NHS hospitals e.g. NHS Trusts and NHS Foundation Trusts
- Organisations that deliver NHS services outside of hospital e.g. NHS Community Health Trusts, Social Care Partnership Trust, and the Mental Health providers for Swale.
- Private sector organisations that deliver NHS care in your area such as HCRG care group e.g. private hospitals, dentists, opticians, pharmacists.
- Voluntary sector organisations that deliver NHS care e.g. charities such as Wisdom Hospice and Demelza.
- Local authorities such as Kent County Council e.g. if social workers are part of the Care Team, education services, children’s services, housing or benefit offices
- Organisations that provide diagnostic tests.
- Solicitors for claims etc. but we will always obtain your written consent first.
- The police for legal purposes.
- Organisations that provide support health services such as running vaccination and awareness clinics at our practices.
- Organisations that provide ambulance services e.g. NHS Ambulance Trusts and Secamb.
Do you share my personal information with third parties or non NHS agencies?
We may need to share your personal information with organisations that provide back office support to the Practice in its delivery of services. These organisations are known as data processors. These organisations are only able to use your personal information in accordance with the Practice’s instructions and applicable laws:
- IT suppliers.
- Telephone services suppliers.
- Suppliers of web hosting services.
- Suppliers that we use to develop and improve the technology we use, including our website and electronic patient records.
Can my personal information be shared without my consent?
Your personal information may not be shared without your consent except in a number of limited circumstances when we are legally bound to do so to provide health and social care, for example:
- Where there is a danger of harm to a child or vulnerable adult
- As a result of a court order.
- When it is absolutely necessary for the prevention or detection of crime or the apprehension or prosecution of offenders.
- Reporting notifiable infectious diseases.
- Where there are serious risks to the public or staff.
The above may only take place when there is a clear legal basis to use your personal information. All these uses help to provide better health and social care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. The Memorial Medical Centre is also working with NHS Digital to ensure compliance with the National Opt-out programme on the use of NHS data from 2020. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.
If you do choose to opt out your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters or call 0300 303 5678; there you will:
- See what is meant by confidential patient information.
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
- Find out more about the benefits of sharing data.
- Understand more about who uses the data.
- Find out how your data is protected.
- Be able to access the system to view, set or change your opt-out setting.
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.
- See the situations where the opt-out will not apply.
You can change your mind about your choice at any time.
Personal information being used or shared for purposes beyond individual care does not include your personal information being shared with insurance companies or used for marketing purposes as any of these would only be used in this way with your explicit permission.
What if I change my mind after giving my consent for sharing or use of my information?
You have the right to restrict the use of your personal information in instances where your consent is needed for us to share your personal information, unless it is in relation to providing you with direct health and social care services or where the exceptional conditions above apply.
You can refuse or change your mind at any time about your consent; however this may affect the healthcare that is available to you. You can change your mind, but please inform us, so we can update our records.
Risk stratification
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including the Memorial Medical Centre; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Invoice validation
Your information may be shared if you have received treatment to determine which Integrated Care Board (ICB) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
Retention periods
In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.
How do you keep my records confidential?
Everyone working within the Memorial Medical Centre has a legal duty to keep information about you confidential. There are strict codes of conduct in place to ensure your personal information is safe, whether it is on paper or computer. Staff must abide by:
- All applicable data protection legislation such as the EU General Data Protection Regulation 2016 and Data Protection Act 2018.
- Common Law Duty of Confidence.
- NHS Code of Confidentiality
Can I get a copy of my records?
You have a right under Data Protection legislation to access your medical records or authorise a representative to do so. Personal information may be withheld if we believe it could harm your physical or mental health. We would prefer your request in writing if possible but will accept verbal requests if necessary: please contact us via our email at memorialmedical@nhs.net or by writing into the surgery at the below address:
Memorial Medical Centre, Bell Road, Sittingbourne, Kent ME10 4XX
What other rights do I have?
You have the right to request that personal information about you that is factually incorrect be rectified by being amended or supplemented with additional information. For any information you do not agree with (but which is not factually incorrect), we will make a note on your records of the point which you have drawn to our attention.
How can I complain about the way the Memorial Medical Centre handles my personal information?
If you are unhappy with the way we have dealt with your personal information please contact the Practice in the first instance and then the Kent and Medway Integrated Care Board Data Protection Officers’ team at kmicb.kentandmedway@nhs.net or via the Practice name at the address at the end of this leaflet. You also have the right to complain directly to the Information Commissioner in relation to data protection. The contact details are also at the end of this leaflet.
It is important to note that the General Practitioner (GP) record, usually held at the General Practice, is the primary record of care and that the majority of other services must inform the GP through a discharge note or a clinical correspondence that a patient has received care. This record is to be retained for the life of the patient plus at least ten years after death. The GP record transfers with the individual as they change GP throughout their lifetime.
Where can I find further information?
If you would like to know more about how we use your personal information or if you do not wish to have your information to be used in any of the ways described above, please contact the Memorial Medical Centre at the address at the end of this leaflet. You can also read more about how we use your personal information on our website at www.memorialmedicalcentre.co.uk
General information can be obtained from the Information Commissioner’s Office. Information Commissioner’s Office: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF t: 0303 123 1113 www.ico.gov.uk
Who to contact
Practice details:
Administration Team, Memorial Medical Centre, Bell Road, Sittingbourne, Kent ME10 4XX
Email: memorialmedical@nhs.net
Name of Data Protection Officer for the Practice: Mrs Rebecca Unwin
E: memorialmedical@nhs.net
Tel: 01795 477764
Name of Integrated Care Board Data Protection Officer:
Viral Patel – ICB Data Protection Officer
Kent and Medway ICB
Integrated Care Board
NHS Kent and Medway
2nd floor
Gail House
Lower Stone Street
Maidstone
ME15 6NB
Email: kmccg.northkentgpdataprotection@nhs.net
Changes to our privacy policy
We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes.
| Version | Review date | Edited by | Approved by | Comments |
|---|---|---|---|---|
| 1 | 23.05.2018 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 2 | 29.08.2019 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 3 | 11.03.2020 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 4 | 24/08/22 | Adrienne Adams | Valerie Gibson | To be reviewed in 1 year |
| 5 | 27.02.2024 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
Practice Privacy Notice (England)
| Version | Review date | Edited by | Approved by | Comments |
|---|---|---|---|---|
| 1 | 23.05.2018 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 2 | 29.08.2019 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 3 | 19.05.2021 | Fiona Willis | Valerie Gibson | To be reviewed in 1 year |
| 4 | 25.04.2022 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 5 | 16.04.2024 | Rebecca Unwin | Adrienne Adams | To be reviewed in 1 year |
Table of contents
1 Introduction
1.1 Policy statement
1.2 Principles
1.3 Status
1.4 Training and support
2 Scope
2.1 Who it applies to
2.2 Why and how it applies to them
3 Definition of terms
3.1 Privacy notice
3.2 Data Protection Act 2018 (DPA18)
3.3 Information Commissioner’s Office (ICO)
3.4 General Data Protection Regulation (GDPR)
3.5 Data controller
3.6 Data subject
4 Compliance with regulations
4.1 GDPR
4.2 Article 5 compliance
4.3 Communicating privacy information
4.4 What data will be collected?
4.5
4.6 Privacy notice checklists
4.7 Privacy notice template
4.8 Summary
4.9 Annex A – Practice privacy notice
1 Introduction
1.1 Policy statement
NHS Digital collects information with the purpose of improving health and care for everyone. The information collected is used to:
- Run the health service
- Manage epidemics
- Plan for the future
- Research health conditions, diseases and treatments
1.2 Principles
NHS Digital is a data controller and has a legal duty, in line with the General Data Protection Regulation (GDPR), to explain why it is using patient data and what data is being used. Similarly, the Memorial Medical Centre has a duty to advise patients of the purpose of personal data and the methods by which patient personal data will be processed.
1.3 Status
The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are contractual and therefore form part of your contract of employment. Employees will be consulted on any modifications or change to the document’s status.
1.4 Training and support
The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
2 Scope
2.1 Who it applies to
This document applies to all employees, partners and directors of the practice. Other individuals performing functions in relation to the practice, such as agency workers, locums and contractors, are encouraged to use it.
2.2 Why and how it applies to them
Everyone should be aware of the practice privacy notice and be able to advise patients, their relatives and carers what information is collected, how that information may be used and with whom the practice will share that information.
The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the General Data Protection Regulation.
3 Definition of terms
3.1 Privacy notice
A statement that discloses some or all of the ways in which the practice gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.
3.2 Data Protection Act 2018 (DPA18)
The Data Protection Act (DPA18) will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.
3.3 Information Commissioner’s Office (ICO)
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
3.4 General Data Protection Regulation (GDPR)
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The GDPR comes into effect on 25 May 2018.
3.5 Data controller
The entity that determines the purposes, conditions and means of the processing of personal data.
3.6 Data subject
A natural person whose personal data is processed by a controller or processor.
4 Compliance with regulations
4.1 GDPR
In accordance with the GDPR, this practice will ensure that information provided to subjects about how their data is processed will be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge
4.2 Article 5 compliance
In accordance with Article 5 of the GDPR, this practice will ensure that any personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
4.3 Communicating privacy information
At the Memorial Medical Centre, the practice privacy notice is displayed on our website, through signage in the waiting room, and in writing during patient registration. We will:
- Inform patients how their data will be used and for what purpose
- Allow patients to opt out of sharing their data, should they so wish
4.4 What data will be collected?
At the Memorial Medical Centre, the following data will be collected:
- Patient details (name, date of birth, NHS number)
- Address and NOK information
- Medical notes (paper and electronic)
- Details of treatment and care, including medications
- Results of tests (pathology, X-ray, etc.)
- Any other pertinent information
4.5
4.6 Privacy notice checklists
The ICO has provided a privacy notice checklist which can be used to support the writing of the practice privacy notice. The checklist can be found by following this link.
4.7 Privacy notice template
A privacy notice template can be found at Annex A.
4.8 Summary
It is the responsibility of all staff at the Memorial Medical Centre to ensure that patients understand what information is held about them and how this information may be used. Furthermore, the practice must adhere to the DPA18 and the GDPR, to ensure compliance with extant legal rules and legislative acts.
4.9 Practice Privacy Notice For Patients
The Memorial Medical Centre has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
How we will use your information
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
Third Party Processors
In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- GP Data for Planning and Research Programme: GP data has a crucial role to play in research and planning which can improve public health, but it is important for patients and the public that this data is made available for appropriate purposes in a secure and trusted manner. This programme is a planned replacement for the GP Extraction Service (GPES) currently used to collect data for planning and research from general practices in England.
It is a legal obligation for the practice to comply with the Data Provision Notice ‘DPN’ for this programme as a result of a new direction from the secretary of state for health and social care as part of the Health and Care Act 2012. Once fully established, this new collection will replace multiple other data collections from general practices including the GPES in due course.
It is important to state that this new GPDPR programme is not a new processing of GP data in any way; what it does is to carry out an ongoing processing i.e. extraction of patients’ data by NHS Digital for planning and research purposes via a more efficient means. NHS Digital has set out that, whilst general practice will still retain data controllership over patient records within their practice, once data has been extracted from patient records and shared with NHS Digital, NHS Digital will be the responsible and accountable data controller under the UK GDPR for data access and dissemination for planning and research. Full details on the processing of patients’ data for this programme can be found in NHS Digital’s privacy notice here: https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research/transparency-notice
Maintaining confidentiality and accessing your records
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
Risk stratification
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including the Memorial Medical Centre; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Invoice validation
Your information may be shared if you have received treatment to determine which Integrated Care Board (ICB) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
Retention periods
In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.
What to do if you have any questions
Should you have any questions about our privacy policy or the information we hold about you, you can:
- Contact the practice’s data controller via email at memorial.manager@nhs.net. GP practices are data controllers for the data they hold about their patients
- Write to the data controller at Memorial Medical Centre, Bell Road, Sittingbourne, Kent ME10 4XX
- Ask to speak to the Data Protection Officer (DPO) for Memorial Medical Centre who is Rebecca Unwin or the Practice Manager Adrienne Adams.
Complaints
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’.
Changes to our privacy policy
We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes. This policy is to be reviewed 25th April 2023.
Privacy Notice for National Data Opt Out July 2022
How the NHS and care services use your information
The Memorial Medical Centre is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Memorial Medical Centre has the technical measures to run a report in the clinical systems which can easily remove all patients that have opted out of their data being used for purposes beyond their care or treatment (research and planning). This then creates a cleansed list of patients that we can then use/disclose.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at: https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
National data opt-out: data protection impact assessment – NHS Digital
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2022 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
Our organisation is currently compliant with the national data opt-out policy.