Privacy Notice Appendix A
Anticoagulation Monitoring
Purpose: Personal Confidential data is shared with LumiraDX to provide an anticoagulation clinic to patients who are on anticoagulation medication.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: LumiraDX, INRStar
Care Quality Commission
Purpose: The CQC is the regulator for the English Health and Social Care services to ensure safe care is provided. They inspect and produce reports back to the GP practice. The Law allows the CQC to access identifiable data.
Details on how they comply with data protection law (including UK GDPR) and their privacy statement
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: Care Quality Commission
Commissioning and contractual purposes
Invoice Validation, Planning, Quality and Performance
Purpose: The ICB uses anonymous data for planning, performance, and commissioning to provide services as a public authority.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Patients may opt out of having their data used for planning or research. Please contact us or log in to NHS Your Data Matters to apply a National Data Opt Out.
Processor: Buckinghamshire, Oxfordshire, and Berkshire West ICB
Coroner
Purpose: Personal health records or information relating to a deceased patient may be shared with the coroner.
Legal Basis:
- Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: The Coroner
Child Health Information Services (CHIS)
Purpose: South, Central and West Child Health Information Services (SCW CHIS) is commissioned by NHS England to support the monitoring of care delivered to children. Personal data is collected from the child’s GP record to enable health screening, physical examination and vaccination services to be monitored to ensure that every child has access to all relevant health interventions.
Fair Processing Notice Child Health Information Services
Legal Basis:
- Article 6(1)(e) ‘necessary… in the exercise of official authority vested in the controller’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: SCW, Apollo Medical Software Solutions, SystemC
Digitisation of paper medical records - Iron Mountain UK
Purpose: The NHS plan from 2019 needs primary care to digitise all paper healthcare records (commonly known as ‘Lloyd George’ records). Paper based medical records restrict the use of technology providing ‘joined-up’ services, so paper records will be transferred to a digital format. This involves scanning the paper records and then entering them into a patient’s electronic healthcare record. This work is completed by a third-party supplier, Iron Mountain UK plc, whose security standards have been reviewed by BOB ICB.
Legal Basis:
- Article 6(1)(e) – “processing is necessary…in the exercise of official authority vested in the controller...”
- Article 9(2)(h) – “processing is necessary for the purpose of preventative…the provision of health or social care or treatment or the management of health or social care systems and services...”
Processors: Iron Mountain UK plc
Direct Care
NHS Trusts, Community Providers, Pharmacies, Enhanced care providers, Nursing Homes, Other Care Providers
Purpose: Personal information is shared with secondary care trusts and providers to provide you with individual direct care services. This includes hospitals or community providers offering a range of services, including treatment, operations, physio, community nursing, and ambulance services.
Legal Basis: Processing personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: Oxford University Hospitals, Oxford Health NHS Foundation Trust, Buckinghamshire Healthcare NHS Trust, Berkshire Healthcare NHS Foundation Trust.
EMIS Consultation Writeback
Purpose: Our GP practice uses a system functionality called EMIS consultation writeback. It allows other authorised NHS organisations involved in your direct care to add relevant clinical information directly into your GP record.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Optum (EMIS), GP Connect
General Practice Extraction Service (GPES)
- At-risk patients' data collection Version 3
- CVDPREVENT audit
- Physical Health Checks for people with Severe Mental Illness
- National Obesity Audit
Purpose: GP practices are required to provide data extraction of their patients’ personal confidential information for various purposes to NHS Digital. This data is collected on an ongoing basis to identify patients registered at General Practices who fit certain criteria, to monitor and either provide direct care, or prevent serious harm to those patients.
Below is a list of the purposes for the data extraction. By using the link, you can find the details of each data extraction and how your information will be used to inform this essential work:
- At-risk patients, including severely clinically vulnerable
- NHS England has directed NHS Digital to collect and analyse data in connection with the Cardiovascular Disease Prevention Audit
- GPES Physical Health Checks for people with Severe Mental Illness (PHSMI) data collection.
- National Obesity Audit
Legal Basis: All GP Practices in England are legally required to share data with NHS Digital for this purpose under section 259(1)(a) and (5) of the 2012 Act. Further detailed legal basis can be found in each link. Any objections to this data collection should be made directly to NHS Digital.
Processor: NHS England
GP Clinical System
Purpose: NHS GP surgery clinical systems are digital platforms that manage patient information, allowing online access via the NHS App for appointments, prescriptions, and viewing records (allergies, medicines, results). These systems ensure data sharing between clinicians through GP Connect, improving care, with all practices mandated to provide online access to new record entries.
Your medical record will be processed in order that a database can be maintained. This is managed in a secure way and there are robust processes in place to ensure your medical record is kept accurate and up to date. Your record will follow you as you change surgeries throughout your life.
Closed records will be archived by NHS England
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: EMIS
GP Connect
Purpose: In order for the practice to have access to a shared record, the Integrated Care Service has commissioned a number of systems including GP Connect, which is managed by NHS England.
GP Connect - NHS England Digital
GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes.
GP Connect is not used for any purpose other than direct care.
GP Connect provides a method of secure information transfer and reduces the need to use less secure or less efficient methods of transferring information, such as email or telephone.
GP Connect transparency notice - NHS England Digital
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: NHS England
GP Federation, Primary Care Visiting Service, Hospital at Home, Urgent Care Centre, Community Gynaecology Service
Purpose: Your medical record will be shared with PML Services so that they can provide direct care services to the patient population. This could be in the form of video consultations, Minor injury clinics, GP extended access clinics. The Federation will act on behalf of the GP practice.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Principal Medical (PML)
Individual Funding Requests
Purpose: We may need to process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our standard NHS contract.
The clinical professional who first identifies that you may need the treatment will explain the information needed to assess your needs and commission your care. They will need your explicit consent to share this. You have the right to withdraw your consent at any time, but this may affect the individual funding.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Datix
Interpreting and Translation Services
Purpose: DA Languages Limited (Dals Ltd) provides language services to NHS patients accessing primary care from General Practices, Dental Practices, Pharmacies and Optometrists across BOB.
Legal Basis:
- 6(1)e 'necessary to perform a task carried out in the public interest or under official authority vested in the controller.'
- 9(2)h 'necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on union or member state law or according to contract with a health professional and subject to conditions and safeguards'
Processor: DA Languages Limited (Dals Ltd)
Learning Disability Mortality Programme (LeDeR)
Purpose: The Learning Disability Mortality Review (LeDeR) programme was commissioned by NHS England to investigate the death of patients with learning difficulties and Autism to assist with processes to improve the standard and quality of care for people living with a learning disability and Autism. Records of deceased patients who meet this criterion will be shared with NHS England.
Legal Basis:
- It has approval from the Secretary of State under section 251 of the NHS Act 2006 to process patient identifiable information that fits certain criteria.
Processor: Buckinghamshire, Oxfordshire and Berkshire West ICB, NHS England
Local shared care record - The Thames Valley & Surrey (TVS) Care Records, Health Information Exchange (HIE)
Purpose: Health and social care services are developing shared systems to share data efficiently and quickly. It is important for anyone treating you to be able to access your shared record so that they have all the information they need to care for you. This will be during your routine appointments and in urgent situations such as going to A&E, calling 111, or going to an Out of Hours appointment. It is also quicker for staff to access a shared record than to try to contact other staff by phone or email.
Only authorised staff can access the systems, and the information they see is carefully checked so that it relates to their job. Systems do not share all your data, just the data which services have agreed is necessary to include.
For more information on the TVS Shared Care Record and HIE, you can visit their website.
If you wish to opt out of this data sharing, you will need to let us know so we can change your record sharing settings. Please contact the surgery and ask us to record that you have refused consent for upload to the local shared electronic record.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: Graphnet, Cerner
MDT meetings
Purpose: For some long-term conditions, the practice participates in meetings with staff from other agencies involved in providing care to help plan the best way to provide care to patients with these conditions. Personal data will be shared with other agencies so that mutual care packages can be decided.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: District Nurses, Health Visitors, via MS Teams
Medical Examiner - Buckinghamshire, Oxfordshire and Berkshire West ICB
Purpose: Medical records associated with deceased patients are outside the scope of the UK GDPR; next of kin details are not. We will share specified deceased patient records and next of kin details with the Medical Examiners within BOB ICB.
Legal Basis:
- Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’
- Article 9(2)(h) – “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”
Processor: Medical Examiners service - Buckinghamshire, Oxfordshire, and Berkshire West ICB
Medical Photography
Purpose: Where medical photography is to be taken, with patient consent, within the practice (photos not obtained via an Accurx link) secure transfer of photos onto the clinical system will be required (for example for Dermoscopy).
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Consultant Connect
Medical reports
Subject Access Requests
Purpose: Your medical record may be shared in order that:
- Solicitors/persons acting on your behalf can conduct certain actions as instructed by you.
- Insurance companies seeking medical reports where you have applied for services offered by them can have a copy of your medical history for a specific purpose.
- An outside company will compile medical reports and Subject Access Requests on our behalf. iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.
Legal Basis:
- Article 6(1)(a) – consent for personal data
- Article 9(2)(a) – explicit consent for special-category data
Processors: Solicitors, Insurance organisations, iGPR
Medication/Prescribing
Purpose: Prescriptions containing personal identifiable and health data will be shared with organisations that provide medicines management, including pharmacies, to provide patients with essential medication regime management, medicines, and or treatment as their health needs dictate. This is achieved either face-to-face or electronically with the patient. Pharmacists may review medication, and patients may be referred to them to assist with diagnosis and care for minor treatment. Patients may have a nominated pharmacy they wish their repeat or acute prescriptions to be sent directly to, making the process more efficient.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Pharmacy of choice
Medicines Management Team
Medicines Optimisation
Purpose: Your medical record is shared with the medicines management team pharmacists so that your medication can be kept up to date and any necessary changes to medication can be implemented.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Thames Valley ICB Medicines Optimisation Team
Messaging Service
Purpose: Personal identifiable information is shared with the messaging service so that messages, including appointment reminders, results, campaign messages related to specific patients' health needs, and direct messages to patients, can be transferred to the patient in a safe way.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Provider: Accurx, eConsult, NHS App
NHSMail and Office 365 (N365 Applications and SharePoint)
Purpose: NHSmail and Office 365 help NHS staff work more securely and efficiently which directly benefits our patients:
- Security: Emails are encrypted keeping your sensitive information safe.
- Collaboration: Staff can easily work together saving time and improving care.
- Reliability: The system is supported 24/7 to avoid service disruptions.
- National Reach: Staff can easily connect across different NHS organisations.
- Safety: Advanced protection against viruses and spam keeps information secure.
- Flexibility: Staff can communicate without disruption even if organisations change.
These tools support the NHS's goal of improving digital care and collaboration.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Accenture
Sub-processor: Microsoft
Non-commissioned, private healthcare providers (e.g. BUPA, Virgin Care, etc.)
Purpose: Personal information is shared with private health care providers to deliver direct care to patients at their request. Consent from the patient will be required to share data with private providers.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Provider: Private Healthcare Provider of choice
Off Site Storage of medical records
Purpose: The practice has contracted an offsite storage facility to provide secure offsite storage for all Lloyd George medical records. The practice can assure patients that their medical records will remain in the control of the practice and that robust mechanisms are in place to protect the security of the patient’s personal confidential data.
Legal Basis:
- Article 6(1)(b) contractual obligation
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Restore
Online access
Purpose: To allow patients to access their GP medical record online via the NHS App. Patients can view all documents and entries made into their record by the GP, including information sent to the GP Practice, where exemptions do not apply. Where a patient has requested third-party access (family/friends) to their medical records, it is the patient’s responsibility to ensure removal of this access if no longer required. Proxy access to the patient’s record will be limited unless the patient has requested full access.
Legal Basis:
UK GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Common Law Duty of Confidentiality (CLDC):
- The CLDC is satisfied as the data subjects are accessing their own data following sign up for a relevant app or platform and selecting the option to view their GP record.
Processor: NHS Digital, EMIS Patient Access
Online Consultation Provider (Triage)
Purpose: eConsult Health Ltd provide online consultation services. Online consultations enable patients to use a secure online system to ask questions and report symptoms. The online system asks questions which our Triage team can use to signpost patients to receive the most appropriate treatment, with the right person at the right time.
eConsult only collects information that is required for the purpose of delivering health care. This includes:
- Identity and contact information: including name, gender, date of birth, NHS number, email address and telephone number, postal address
- Special Categories of Personal Information: your health information such as your symptoms, conditions, medication and other details which are already held in your GP records and / or which you provide through the online consultation process
eConsult is approved to NHS England technical standards and has gone through stringent scrutiny and achieved all necessary requirements to provide Online Consultations.
Patient data is kept in line with the NHS Records Management Code of Practice and stored on the practice system. eConsult has completed all stages of NHS-required assurance to interact with the practice patient record system and is fully GDPR compliant.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: eConsult Health Ltd
OpenSAFELY COVID-19 and Data Analytics Services
Purpose:
NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.
Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.
Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.
Legal Basis:
- Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ (the Directions).
- UK GDPR Article 9(2)(g) - processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject, by virtue of compliance with a direction supplemented by:
- Data Protection Act 2018 (DPA 2018) Schedule 1, Part 2, paragraph 6: Statutory etc and government purposes.
Patients who do not wish their data to be used as part of this process can register a type 1 opt out with their GP.
Find additional information about OpenSAFELY
Processor: NHS England, EMIS
Patient query online forms
Purpose: The practice has implemented a new website using Tree View Designs, which provides patients with easy access to information about the practice and local services.
The website features web forms for patients to update personal details, request prescriptions, or contact the practice. Information sent by the patient is encrypted and stored securely.
Legal Basis:
- Consent: when the patient sends a query to the practice, there will be a consent box for the patient to tick.
- Article 6(1)(e) – “processing is necessary…in the exercise of official authority vested in the controller...”
- Article 9(2)(h) – “processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...”
Processors: Tree View Designs
Patient Record Database
Purpose: Your medical record will be processed so that a database can be maintained, which is managed securely, and there are robust processes in place to ensure your medical record is accurate and up to date. Your record will follow you as you change surgeries throughout your life. Closed records will be archived by NHS England.
Legal Basis:
- Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: EMIS and PCSE
Payments, Invoice validation
Purpose: Contract holding GPs in the UK receive payments from their governments on a tiered basis. Most income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. The amounts paid per patient per quarter vary according to age, sex, and other demographic details. There are graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance, the proportion of diabetic patients who have had an annual review.
Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises.
Finally, there are short-term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors, and GPs themselves, as well as research. In order to make patient-based payments, basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws.
Legal Basis:
- Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: NHS England, ICB, Public Health
Police
Purpose: Personal confidential information may be shared with the Police authority for certain situations; the level of and purpose for sharing may vary. Where there is a legal basis for this information to be shared, consent will not always be required.
The Police will require the correct documentation to make a request. This could be, but is not limited to, DS 2, Court order, s137, the prevention and detection of a crime, or where the information is necessary to protect a person or community.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 6(1)(f) ‘necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity’
- Article 9(2)(g) ‘necessary for reasons of substantial public interest’
Processor: Police Constabulary
Population Health Management
Purpose: Population health management aims to shift the focus from reactive care to proactive, preventative care. It is a critical function of our new integrated care systems and the foundation to building a healthier future together.
Health and care services work together as ‘Integrated Care Systems’ (ICS) and are sharing data in order to:
- Understand the health and care needs of the care system’s population, including health inequalities
- Provide support where it will have the most impact
- Identify early actions to keep people well, not only focusing on people in direct contact with services but looking to join up care across different partners.
Type of Data – Identifiable/Pseudonymised/Anonymised/Aggregate Data.
NB only organisations that provide your care will see your identifiable data.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: Optum, Cerner
Primary Care Network (PCN)
Purpose: Your medical record will be shared with the Bicester PCN so that they can provide direct care services to the patient population.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: Alchester Medical Group, Bicester Health Centre, Montgomery-House Surgery
Professional Training
Purpose: We are a training surgery. Our clinical team is required to gain on-the-job clinical experience, as well as continual professional development. Occasionally, you may be asked if you are happy to be seen by one of our GP registrars, pharmacists, or other clinical team members to assist with their training as a clinical professional. You may also be asked if you would be happy to have a consultation recorded for training purposes. These recordings will be shared and discussed with training GPs at the surgery, and also with moderators at the RCGP and HEE.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Recordings remain under the control of the GP practice and they will delete all recordings from the secure site once they are no longer required.
Processors: RCGP, HEE, iConnect, Fourteen Fish
Public Health Screening Programmes (identifiable)
Notifiable disease information (identifiable), Smoking cessation (anonymous), Sexual health (anonymous), Vaccination Programmes
Purpose: Personal identifiable and anonymous data is shared.
The NHS provides national screening programmes to detect certain diseases at an early stage (for example, bowel cancer, breast cancer, aortic aneurysms, and diabetic retinal screening).
The law allows us to share your contact information and certain aspects of information relating to the screening with Public Health England so that you can be appropriately invited to the relevant programme. More information can be found on the government website, or you can contact the practice.
Patients may not opt out of having their personal information shared for Public Health reasons. Patients may opt out of being screened at the time of receiving an invitation.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: Oxfordshire County Council
Registration Automation
Purpose: Healthtech-1 aims to reduce the time staff spend on administration and improve the patient experience. For Healthtech-1 to complete an automated patient registration, the primary data source is the patient who will manually enter their details onto the website. Additional special category data points are collected from the patient to increase the quality of care for that patient at the relevant GP surgery.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Healthtech-1
Remote consultation
Including - Video Consultation, Clinical photography
Purpose: Personal information, including images, may be processed, stored, and, with the patient's consent, shared, to provide the patient with urgent medical advice.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Patients may be videoed or asked to provide photographs with consent. There are restrictions on what the practice can accept photographs of. No photographs of the full face, no intimate areas, no pictures of patients who cannot consent to the process. No identifiable pictures of children.
Processor: e-Consult, AccuRX
Research
Purpose: We may share anonymous or pseudonymised patient information with research companies to explore new ways of providing healthcare and treatment for patients with certain conditions. This data will not be used for any other purpose.
Where personal confidential data is shared, your consent will be required.
If you have opted out of having your identifiable information shared for Planning or Research, your information will not be shared.
Legal Basis:
- Articles 6(1)(a) and 9(1)(a) – explicit consent
- Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’
- Article 9(2)(j) (scientific research) for your health data
Where identifiable data is required for research, patient consent will be needed, unless there is a legitimate reason under law to do so or there is support under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales.
Sharing of aggregated non-identifiable data is permitted.
Processor: NIHR Clinical Research Network - Thames Valley and South Midlands area
Risk Stratification - Preventative Care
Purpose: ‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.
Information about you is collected from several sources, including NHS Trusts, GP Federations, and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information. This can help us identify and offer you additional services to improve your health.
If you do not wish for information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.
Identifiable/Pseudonymised/Anonymised/Aggregate Data
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processors: Buckinghamshire, Oxfordshire, and Berkshire West ICB
Safeguarding Adults
Purpose: We share personal confidential information with the safeguarding team where there are any safeguarding concerns and to protect the safety of individuals.
Consent is not required to share information for this purpose.
Legal Basis:
- Direct Care under UK GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Oxfordshire Safeguarding Adults Board
Safeguarding Children
Purpose: We will share children’s personal information where there is a need to assess and evaluate any safeguarding concerns and to protect the safety of children.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Consent may not be required to share this information.
Processor: Oxfordshire Safeguarding Children Partnership
Shared Care Record
Purpose: The shared care record will assist in patient information being used for a number of care related services. These may include Population Health Management, Direct Care, and analytics to assist with planning services for the use of the local health population.
Where data is used for secondary uses, no personal identifiable data will be used.
Where personal confidential data is used for research, explicit consent will be required.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: NHS England
Smoking Cessation
Purpose: Personal information is shared in order for the smoking cessation service to be provided. Only patients who wish to be party to this service will have their data shared.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Stop for Life Oxon
Social Prescribers
Purpose: Access to medical records is provided to social prescribers so that they can provide a full service to patients, depending on their health and social care needs.
Only those patients who wish to be party to this service will have their data shared.
Legal Basis:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Processor: Bicester PCN
Summary Care Record
Including additional information
Purpose: The NHS uses a national electronic record called the Summary Care Record (SCR) to support patient care, which contains key information from your GP record. Your SCR provides authorised healthcare staff with fast, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.
Legal Basis:
Direct Care under UK GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Patients have the right to opt out of having their information shared with the SCR by completing a form, which can be downloaded here. Please note that opting out of having your information shared with the Summary Care Record could result in a delay to care that may be required in an emergency.
Processor: NHS England and NHS Digital
Telephony
Purpose: The practice uses an internet-based telephony system that records calls for its own purposes and to assist with patient consultations. The telephone system has been commissioned to assist with the high volume and management of calls into the surgery, which in turn will enable a better service to patients.
Legal Basis: While there is a robust contract in place with the processor, the surgery has undertaken this service to assist with the direct care of patients in a more efficient way.
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
Provider: Surgery Connect – X-ON
Providing NHS Services