General Data Protection Regulations (GDPR) & Tyne Medical Practice
What is GDPR and what will it mean for patients and staff?
General Data Protection Regulations (GDPR)
GDPR is a new law that determines how your personal data is processed, kept safe and the legal rights that you have in relation to your own data. The regulation applies from 25th May 2018.
GDPR will supersede the Data Protection Act. It is similar to the Data Protection Action (DPA) 1988, which the Practice already complies with but strengthens many of the DPA’s principles.
What Is Personal Data?
Personal data is information that is related to a single person, such as his/her name, age, medical history, diagnosis etc.
What is Consent?
Consent is permission from patients/staff. An individual’s consent is defined as:
- Any freely given
- Specific and informed
- Indication of his/her wishes by which the data subject (patient/staff) agrees to relevant personal data being processed.
The changes in GDPR mean that we must get explicit permission from patients/staff when using your data. This is to protect your right to privacy and we may ask you to provide consent to do certain things like contact you or record certain information about you in your clinical/staff records.
Individuals have a right to withdraw consent at any time.
What GDPR Will Mean For Patients/Staff
- Must be processed lawfully, fairly and transparently.
- Collected for specific, explicit and legitimate purposes.
- Must be limited to what is necessary for the purposes for which it is processed.
- Must be accurate and kept up to date.
- Must be held securely.
- Can only be retained for as long as is necessary for the reasons it was collected.
- Being informed about how their data is used.
- To have access to their own data (via Subject Access Requests).
- To ask to have incorrect information changed.
- To restrict how their data is used.
- Move their patients/staff data from one organisation to another.
- To object to their personal information being processed (in certain circumstances).
The Main Changes Are
The Practice must comply with Subject Access Requests – a written signed request from an individual to see what information is held about them – like where we require your consent to process data. This must be freely given, specific, informed and unambiguous.
New special protection for personal data.
The Information Commissioner’s Office (ICO) must be notified within 72 hours of a data breach.
Data Protection Notice
1. Tyne Medical Practice
Tyne Medical Practice is a public organisation created in Scotland under section 1 of the National Health Service (Scotland) Act 1978 (the 1978 Act). It is one of the organisations which form part of NHS Scotland (NHSS).
2. About the personal information we use
We use personal information on different groups of individuals including:
- Complainants, enquirers
- Survey respondents
- Professional experts and consultants
- Individuals captured by CCTV
The personal information we use includes information that identifies you like your name, address, date of birth and postcode.
We also use more sensitive types of personal information, including information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data, health; sex life or sexual orientation.
The information we use can relate to personal and family details; education, training and employment details; financial details; lifestyle and social circumstances; goods and services; visual images; details held in the patient record; responses to surveys.
3. Our purposes for using personal information
Under the 1978 Act Tyne Medical Practice has the statutory responsibility to provide or arrange for the provision of a range of healthcare, health improvement and health protection services. We are given these tasks so that we can help to promote the improvement of the physical and mental health of the people of Tyne Medical Practice and assist in operating a comprehensive and integrated national health service in Scotland.
We use personal information to enable us to provide healthcare services for patients (including reminding you of appointments), data matching under the national fraud initiative; research; supporting and managing our employees; maintaining our accounts and records and the use of CCTV systems for crime prevention.
4. Our legal basis for using personal information
Tyne Medical Practice, as data controller, is required to have a legal basis when using personal information. Tyne Medical Practice considers that performance of our tasks and functions are in the public interest. So when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In some situations we may rely on a different legal basis; for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services. Another example would be for compliance with a legal obligation to which Tyne Medical Practice is subject to, for example under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
- for the provision of health or social care or treatment or the management of health or social care systems and services; or
- for reasons of public interest in the area of public health; or
- for reasons of substantial public interest for aims that are proportionate and respect people’s rights, for example research; or
- in order to protect the vital interests of an individual; or
- for the establishment, exercise or defence of legal claims or in the case of a court order.
On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available, to you. You should be aware that we will continue to ask for your consent for other things like taking part in a drug trial, or when you are having an operation.
5. Who provides the personal information
When you do not provide information directly to us, we receive it from other individuals and organisations involved in the delivery of health and care services in Scotland. These include other NHS Boards and primary care contractors such as GPs, dentists, pharmacists and opticians; other public bodies e.g. Local Authorities and suppliers of goods and services.
6. Sharing personal information with others
Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:
- Our patients and their chosen representatives or carers
- Current, past and potential employers
- Healthcare social and welfare organisations
- Suppliers, service providers, legal representatives
- Auditors and audit bodies
- Educators and examining bodies
- Research organisations
- People making an enquiry or complaint
- Financial organisations
- Professional bodies
- Trade Unions
- Business associates
- Police forces.
- Security organisations.
- Central and local government.
- Voluntary and charitable organisations.
7. Transferring personal information abroad
It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHS Scotland Information Security Policy.
8. Retention periods of the information we hold
Within Tyne Medical Practice we keep personal information as set out in the Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.1 January 2012. The NHS Code of Practice sets out minimum retention periods for information, including personal information, held in different types of records including personal health records and administrative records. As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule as part of our Records Management Policy detailing the minimum retention period for the information and procedures for the safe disposal of personal information.
9. How we protect personal information
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. The following security measures are in place to protect personal information:
- All staff undertake mandatory training in Data Protection and IT Security
- Compliance with NHS Scotland Information Security Policy
- Organisational policy and procedures on the safe handling of personal information
- Access controls and audits of electronic systems
10. Your rights
This section contains a description of your data protection rights within Tyne Medical Practice.
The right to be informed
Tyne Medical Practice must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:
- This Data Protection Notice
- Information leaflets
- Discussions with staff providing your care
The right of access
You have the right to access your own personal information.
This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.
You have the right to obtain:
- Confirmation that your personal information is being held or used by us
- Access to your personal information
- Additional information about how we use your personal information
Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.
If you would like to access your personal information, you can do this by submitting a written request. Forms can be requested from Reception. Please complete and return to:
Carol Orr - Practice Manager
Tyne Medical Practice
Telephone: 01620 823 183
Please note email from your private address may not be secure.
Once we have received your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However If your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.
The right to rectification
If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.
If for any reason we have shared your information with anyone else, perhaps during a referral to another service for example, we will notify them of the changes required so that we can ensure their records are accurate.
If on consideration of your request Tyne Medical Practice does not consider the personal information to be inaccurate then we may add a comment to your record stating your concerns about the information. If this is case we will contact you within one month to explain our reasons for this.
If you are unhappy about how Tyne Medical Practice has responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.
The right to object
When Tyne Medical Practice is processing your personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing and also seek that further processing of your personal information is restricted. Provided Tyne Medical Practice can demonstrate compelling legitimate grounds for processing your personal information, for instance; patient safety or for evidence to support legal claims, your right will not be upheld.
The right to complain
If you are unhappy with the way in which we use your personal information please tell our Practice Manager using the contact details below.
Carol Orr - Practice Manager
Tyne Medical Practice
Telephone: 01620 823 183
Please note email from your private address may not be secure.
You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website.
11. Translation Service/ Accessibility
If you require translation service please find details to enquire below.
Interpretation and Translation Service
NHS Lothian Staff Bank
Comely Bank Centre
13 Crewe Road South
Telephone: 0131 536 2020 option 5 option 5
Children and GDPR
Access to Children's medical records by their parents or guardians
Legally, patients from the age of 12 years, who are judged by the GP to be able to make decisions on their own, must agree if the practice is to give out medical information to their parent/guardian.
Patients, who fall into this age group and require tests after seeing a clinician, will be asked for their consent to share medical information with their parents/guardian and this will be recorded in their records.
Please do not be offended if we decline to share this information without receiving signed consent. We are endeavouring to do this when the child / young person attends the GP in the first instance to avoid any delays.
Functional Cookies are enabled by default at all times so that we can save your preferences for cookie settings and ensure site works and delivers best experience.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.