Privacy Notice/GDPR

Atrium Medical Practice – Privacy Notice

PRACTICE PRIVACY NOTICE

 The overarching principle at Atrium Medical Practice is to process the data we hold for you fairly, lawfully and transparently. The following will provide you with the information we believe you should have to satisfy yourself that this is the case.

Data Controller

  1. Jan Javidan, Practice Manager, Atrium Medical Practice, Buchanan Centre, 126-130 Main Street, Coatbridge, ML5 3BJ.
  2. Michelle Nobes, Information Governance Manager, NHS Lanarkshire, Kirklands House, Fallside Road, Bothwell, G71 8BB

Data Processor

  1. Data Protection Officer, In Practice Systems Ltd, Vision, The Bread Factory, 1a Broughton Street, London, SW8 3QJ.
  2. Data Protection Officer, Microtech Group 17-19 Hill St, Kilmarnock KA3 1HA. Tel: 01563 530480

Data Protection Officer

Michelle Nobes, Information Governance Manager, DPO, eHealth Department, Kirklands Hospital, Fallside Road, Bothwell, G71 8BB. Tel: 01698 858079. Michelle.nobes@lanarkshire.scot.nhs.uk

Purpose for Processing Data

  • Data is processed on the basis of Articles 6(1)(e) and 9(2)(h) of the General Data Protection Regulation Act 2018 ( GDPA (2018)), which states;

“Processing shall be lawful only if and to the extent that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

Processing of personal data revealing racial or ethnic origin, political opinions, religious or  philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited unless processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnoses, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

  • where disclosures are a legal requirement the lawful basis and special category condition for processing are: ‘…for compliance with a legal obligation…’ (Article 6(1)(c)) and Article 9(2)(h) ’…management of health or social care systems…’
  • for medical research the lawful basis and special category condition are Article 6(1)

(e) ‘…for the performance of a task carried out in the public interest…’ and Article

9(2)(j) ‘…research purposes…’;

Sharing personal information with others

Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:

  • Our patients and their chosen representatives or carers
  • Staff
  • Current, past and potential employers
  • Healthcare, social and welfare organisations
  • Suppliers, service providers, legal representatives
  • Auditors and audit bodies
  • Educators and examining bodies
  • Research organisations
  • People making an enquiry or complaint
  • Financial organisations
  • Professional bodies
  • Trade Unions
  • Business associates
  • Police forces
  • Security organisations
  • Central and local government
  • Voluntary and charitable organisations

Disclosures

 In order to comply with our legal obligations this practice may send data to NHS Scotland when directed by the Secretary of State for Health. This practice contributes to national clinical audits and will send data which are required by NHS Scotland when law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.

  • The practice contributes to medical research and may send relevant information to medical research data base such as Scottish Primary Care Information Resources in Scotland (SPIRE). You can opt out of this. Please speak to one of our staff.

Management of Your Personal Health Information

 Your personal data will only be handled by the staff employed by the practice or act on behalf of the practice in pursuit of Article (6) or Article (9) of the GDPA (2018). All our staff have signed a Confidentiality and Disclosure statement as part of their Contract of Employment with us.

  • On deciding to join our list and by completion of the General Practice Registration (GPR) form, you are giving us implied consent under common law to seek recovery of all your previous GP medical records (both paper and electronic) held in United Kingdom, when such records exists.

During your stay with our practice as a patient, we will hold paper, electronic or both types of records for you in accordance with the item (4) above.

It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHS Scotland Information Security Policy.

  • Upon leaving our practice, all your records (paper and electronic) are returned to NHS National Services, Glasgow Registration, 5 Cadogan Street, Glasgow G2 6QE.
  • Your electronic data will be “inactivated” from our system. ( Also see 10 below)

  Right of Access

 You have the right of access to personal data concerning your health, for example the data in your medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided, which have been collected. If you wish to access your Health Records, please put your request in writing and either leave it with one of our staff or post to Mrs. Javidan. (see 3 above).

There is no fee for this service and we will endeavour to provide you with this information within 30 days, subject to the following;

Recital 63 of the GDPA (2018) state “ Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.”

We will use all reasonable measures to verify your identity when access is requested. This is particularly the case when we receive request for information from third parties such as solicitors or insurance companies We will not however retain personal data for the sole purpose of being able to react to potential requests

Article 12(3) state that we can ask for extension to the 30 days limit. This needs to be done in writing and we can only extend the 30 days deadline by a further 2 months.

Right of Rectification

 You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to be Forgotten

 Under Article 17(3) of the GDPA (2018) you cannot request to be forgotten.

Retention Period

 Retention is based on the Scottish Government, Annex D, Management, Retention and Disposal of Personal Health Records. The guide can be accessed via this link

http://www.gov.scot/Publications/2008/07/01082955/7

Nov2019/JJ