You and Your General Practice

Privacy Notice

Who We Are

The Health Centre Surgery employs more than 10 practice staff and operates at the Halewood Centre, Roseheath Drive, Halewood, Liverpool, L26 9UH.

Our Practice is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z669448X.

Why We Collect Personal Information About You

The staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care.

This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.

What Our Legal Basis Is For Processing Personal Information

Any personal information we hold about you is processed for the purposes of ‘provision of health or social care or treatment or the management of health or social care systems and services’ under chapter 2, section 9 of the Data Protection Act 2018.

For further information on this legislation please visit: http://www.legislation.gov.uk/

Our Use Of Third-Party Processors

To enable the effective use and management of patient information we utilise an approved & secure clinical system to process our patient information.

The Practice uses EMISWeb to maintain and store personal confidential information.

What Personal Information We Collect About You and How We Obtain It

Personal information about you is collected in a number of ways. This can be through referral details from our staff, other third parties or hospitals, or directly from you or your authorised representative.

We will likely hold the following basic personal information about you: your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts, etc. We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.

In addition to the above, we may hold sensitive personal information about you which could include:

    • Notes and reports about your health, treatment and care, including:
        • your medical conditions

        • results of investigations, such as x-rays and laboratory tests

        • future care you may need

        • personal information from people who care for and know you, such as relatives and health or
          social care professionals

        • other personal information such as smoking status and any learning disabilities

    • Your religion and ethnic origin

    • Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status).

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.

What We Do With Your Personal Information / What We May Do With Your Personal Information

Your records are used to directly manage and deliver healthcare to you, to ensure that:

    • Staff members involved in your care have accurate and up to date information. This is in order for them to assess and advise on the most appropriate care for you.

    • Staff members have the information they need to be able to assess and improve the quality and type of care you receive.

    • Appropriate information is available if you see another healthcare professional or are referred to a specialist, social care, another part of the NHS or healthcare provider.

The personal information we collect about you may also be used to:

    • Remind you about your appointments and send you relevant correspondence.

    • Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement.

    • Support the funding of your care, e.g. with commissioning organisations.

    • Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies.

    • Help to train and educate healthcare professionals.

    • Report and investigate complaints, claims and untoward incidents.

    • Report events to the appropriate authorities when we are required to do so by law.

    • Review your suitability for research study or clinical trials.

    • Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients.

Unless a legal basis allows otherwise we will, where possible, always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality.

We will only use/share the minimum information necessary.

How We Maintain Your Records

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the Data Protection Act 2018 as amended by the GDPR 2016.

In addition, those working for the NHS must comply with the Common Law Duty of Confidentiality; this also includes various national and professional standards and requirements.

We have a duty to:

    • Maintain full and accurate records of the care we provide to you.

    • Keep records about you confidential and secure.

    • Provide information in a format that is accessible to you.

Use of Email – Some services in the Practice provide the option to communicate with patients via email.

Please be aware that the Practice cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.

Further information can be found in our Data Security and Protection policy/Information Governance policy.

How Long We Keep Your Information For

All records held by the Practice will be kept for the duration specified by national guidance from the Department of Health.

Records Management Code of Practice for Health and Social Care 2016

We will keep a copy of your information in our Practice for as long as you are registered with our Practice, and if you leave the Practice we will ensure that a copy of anything we hold is passed on to your new GP.

Your record status will be marked as ‘inactive’ in our clinical system but it will not be deleted.

Confidential information is securely destroyed in accordance with this code of practice.

What Your Rights Are

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent.

The Data Protection Act 2018 gives you certain rights, including the right to:

    • Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is further explained in our “Access to Health Record Policy and Disclosure of Personal Data Procedure”.

    • Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. This is also explained in our “Access to Health Record Policy and Disclosure of Personal Data Procedure”.

    • Object to the use of your personal information: In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information. Where the Practice processes personal data about you on the basis of being required to do so for the performance of a task in the public interest/exercise of official authority, you have a right to object to the processing. You must have an objection on grounds relating to your particular situation. If you raise an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

    • Refuse/withdraw consent to the sharing of your health records: Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research). Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.

    • Request your personal information to be transferred to other providers on certain occasions.

National Data Opt-Out Programme

The Health Centre Surgery is one of many organisations working in the health and care system to improve care for patients and the public. The information collected about you whenever you use a health or care service can be provided to other approved organisations, where there is a legal basis, to help with planning services, improving quality and standards of care provided, monitoring safety, research into developing new treatments and preventing illness.
All these uses help to provide better health care for you, your family and future generations.

Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way.

If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

You can find out more about the wider use of confidential personal information and register your choice to opt out by visiting https://www.nhs.uk/your-nhs-data-matters/.

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the body that regulates the Practice under Data Protection and Freedom of Information legislation.

If you wish to appeal a decision or make a complaint regarding our handling of data, please contact them via:
Information Commissioner’s Office – https://ico.org.uk/
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate number)
Fax: 01625 524 510
Email: casework@ico.org.uk

Practice Information Governance Lead

Please contact the Practice Information Governance Lead: Dr Carmen Simo

The Health Centre Surgery,
The Halewood Centre,
Roseheath Drive,
Halewood,
Liverpool,
L26 9UH

Tel: 0151 486 3780
Fax: 0151 448 0650
gp.n83013@nhs.net

Data Protection Officer

Deputy Director of Information and Acting Data Protection Officer: Malcolm Gandy

Information Governance Team – IG@sthk.nhs.uk

St Helens & Knowsley Teaching Hospitals NHS Trust
Alexandra Business Park,
Court Building,
Prescot Road,
St Helens,
WA10 3TP

Data Security & Protection

1.0 Scope

The Practice is committed to adhering to the 10 National Data Security Guardian Standards (NDG) in order to ensure the protection and security of all Data which the Practice processes.

This policy was developed in conjunction with the guidance outlined in NHS Digital’s Information Security Policy, the Data Protection Act 2018 and advice from the Information Commissioner’s Office following the General Data Protection Regulation (GDPR) which came into force on 25th May 2018.

2.0 Introduction

This policy outlines the approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of The Health Centre Surgery information.

It is the overarching policy for information security and supported by specific technical security, operational security and security management policies. It supports the 7 Caldicott principles and 10 data security standards. This policy covers:

  • Information Security principles.
  • Governance – outlining the roles and responsibilities.
  • Supporting specific information security policies – Technical Security, Operational Security and Security Management.
  • Compliance Requirements.

3.0 Duties, Accountabilities, and responsibilities

This policy applies to all those working within the Practice, in whatever capacity. A failure to follow the requirements of the policy may result in investigation and management action being taken, in line with the Practice’s disciplinary policy and procedure.

The Information Governance Lead/Practice Manager must make their staff aware of the Data Security & Protection Policy at the earliest possible opportunity.

3.1 Practice Staff

Information Security and the appropriate protection of information assets is the responsibility of all users and individuals are expected at all times to act in a professional and responsible manner whilst conducting business.

All staff are responsible for information security and remain accountable for their actions in relation to NHS and other UK Government information and information systems. It is mandatory that staff ensure they understand their role and responsibilities, and that failure to comply with this policy may result in disciplinary action. This will be reinforced by yearly mandatory training.

Title: Data Security & Protection Policy
Document No: 1 – IG; Date Approved: August 2018; Version No: 1
Status: Active; Next Review Date: July 2021

3.2 Information Governance Lead

The Information Governance (IG) Lead must give their full backing to all the guidelines and procedures as set out and agreed. They must ensure that their staff are aware of and adhere to the policy requirements.

The IG Lead is responsible for:

  • Understanding what information is held.
  • Knowing what is added and what is removed.
  • Understanding how information is moved.
  • Knowing who has access and why.

All Senior Managers are individually responsible for ensuring that this policy and information security principles shall be implemented, managed and maintained in their business area. This includes:

  • Appointment of Information Asset Owners (IAO) to be responsible for Information Assets in their area(s) of responsibility.
  • Awareness of information security risks, threats and possible vulnerabilities within the business area and complying with relevant policies and procedures to monitor and manage such risks.
  • Supporting personal accountability of users within the business area(s) for Information Security.
  • Ensuring that all staff under their management have access to the information required to perform their job function within the boundaries of this policy and associated policies and procedures.

Dr Carmen Simo is accountable for information risk within the Practice and advises the Board on the effectiveness of information risk management within the Practice.

Operational responsibility for Information Security will be delegated to an appropriate individual within the IT Helpdesk who has the required expertise and knowledge to carry out the role.

All Information Security risks shall be managed in accordance with the Practice’s Risk Management Policy.

3.3 Information Security Lead

The Information Security Officer is responsible for the day to day operational effectiveness of the Data Security and Protection Policy and its associated policies and processes. The Information Security Lead shall:

  • Lead on the provision of expert advice to the organisation on all matters concerning information security, compliance with policies, setting standards and ensuring best practice.
  • Provide a central point of contact for information security.
  • Ensure the operational effectiveness of security controls and processes.
  • Monitor and co-ordinate the operation of the Information Security Management System.
  • Be accountable to Dr Carmen Simo (IG Lead) / Fiona (Practice Manager) for Information Security with the Practice.
  • Monitor potential and actual security breaches with appropriate expert security resource.

3.4 Caldicott Guardian/IG Lead

The Caldicott Guardian/IG Lead is responsible for:

  • Ensuring implementation of the Caldicott Principles and Data Security Standards with respect to Patient Confidential Data.
  • Ensuring that the Practice processes satisfy the highest practical standards for handling patient information and provide advice and support to Practice staff as required.
  • Ensuring that patient identifiable information is shared appropriately and in a secure manner. The Caldicott Guardian will liaise where there are reported incidents of person identifiable data loss or identified threats and vulnerabilities in Practice information systems to mitigate the risk.
  • The aim of the Caldicott Guardian is to ensure the organisation implements the Caldicott principles and data security standards; there is no need to appoint a Caldicott Guardian, but there is a need to have an Information Governance lead (sometimes referred to as a Caldicott lead) who, if they are not a clinician, will need support from a clinically qualified individual.

3.5 Data Protection Officer (DPO)

The Data Protection Officer is responsible for ensuring the Practice remains compliant at all times with Data Protection, Privacy & Electronic Communications Regulations, Freedom of Information Act and the Environmental Information Regulations. The Data Protection Officer shall:

  • Lead on the provision of expert advice to the Practice on all matters concerning the Data Protection Act, compliance, best practice and setting and maintaining standards.
  • Inform and advise the organisation and its employees of their data protection obligations under the GDPR.
  • Monitor the organisation’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
  • Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and outcomes.
  • Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.

The DPO will be independent and an expert in data protection.

The DPO will be the Practice’s point of contact with the Information Commissioner’s Office.

4.0 Policy

The Data Protection & Security Policy outlines the approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of the Practice’s information.

It is the overarching policy for information security and supported by specific technical security, operational security and security management policies. It supports the 7 Caldicott principles and 10 data security standards. This policy covers:

  • Information Security Principles.
  • Governance – outlining the roles and responsibilities. (see section 3)
  • Supporting specific information security policies – Technical Security, Operational Security and Security Management.
  • Compliance Requirements.

4.1 Information Security Principles

The core information security principles are to protect the following information/data asset properties:

  • Confidentiality (C) – protect information/data from breaches, unauthorised disclosures, loss of or unauthorised viewing.
  • Integrity (I) – retain the integrity of the information/data by not allowing it to be modified.
  • Availability (A) – maintain the availability of the information/data by protecting it from disruption and denial of service attacks.
  • In addition to the core principles of C, I and A, information security also relates to the protection of reputation; reputational loss can occur when any of the C, I or A properties are breached. The aggregation effect, by association or volume of data, can also impact upon the Confidentiality property.

For the NHS, the core principles are impacted, and the effect aggregated, when any data breach relates to patient medical data.

4.2 Supporting Policies

The Data Security & Protection Policy is developed as a pinnacle document which has further policies, standards and guides which enforce and support the policy.

The supporting policies are grouped into 3 areas: Technical Security, Operational Security and Security Management and are shown in the diagram overleaf. The Data Security & Protection Policy is closely aligned to the NHS Information Governance Strategy and relies upon, and supports, the Practice’s Physical and Personnel Security policies.

Technical Security

The technical security policies detail and explain how information security is to be implemented. These policies cover the security methodologies and approaches for elements such as: Encryption Policy, cloud security policy, back-up policy.

Operational Security

The operational security policies detail how the security requirements are to be achieved.

These policies explain how security practices are to be achieved for matters such as: acceptable use policy, mobile & remote working, business continuity policy and use of social media.

Security Management

The security management practices detail how the security requirements are to be managed and checked. These policies describe how information security is to be managed and assured for processes such as: Data breach and incident reporting policy.

See Appendix One for a framework of policies.

4.3 Compliance Requirements

Legislation relevant to this policy:
The Practice will comply with all relevant legislation; this includes but is not limited to:

  • The Data Protection Act 2018
  • The General Data Protection Regulation
  • The NHS Confidentiality Code of Practice 2003
  • Common Law Duty of Confidentiality
  • Freedom of Information Act 2000
  • Health & Social Care Act 2016
  • Computer Misuse Act 1990

 

Our Chaperone Policy

If you need a Chaperone for an intimate examination you can bring a family member or friend, or we will organise one for you so long as we know that is your need. Otherwise we can always put off your examination until a chaperone is available.

Our full chaperone policy is available from our reception.

Practice Complaints Procedure

Introduction

We operate a Practice Complaints Procedure as part of the NHS system for dealing with complaints.

Our Complaints System meets national criteria.

How to Complain

We hope that most problems can be sorted out easily and quickly, often at the time they arise and with the person concerned.

If your problem cannot be sorted out in this way and you wish to make a complaint, we would like you to let us know as soon as possible (ideally, within a matter of days or at most a few weeks) because this will enable us to establish what happened more easily.

Generally, it is not possible to investigate a complaint unless it is made within 6 months of the incident that caused the problem; or within 6 months of discovering that you have a problem, providing this is within 12 months of the incident.

To make a complaint please complete a Patient Complaint Form (available from reception).

Complaints should be addressed to our Complaints Officer who is our Practice Manager.

Alternatively, you may ask for an appointment with our Manager in order to discuss your concerns. The complaints procedure will be explained to you and your concerns will be dealt with promptly.

It will be a great help if you are as specific as possible about your complaint.

What we will do

Under normal circumstances, we shall acknowledge your complaint within two working days and aim to have looked into your complaint within ten working days of the date when you raised it with us.

We shall then be in a position to offer you an explanation, or a meeting with the people involved.

When we look into your complaint we shall aim to:

  • Find out what happened and what went wrong.
  • Make it possible for you to discuss the problem with those concerned, if you would like to do this.
  • Make sure you receive an apology, where it is appropriate.
  • Identify what we can do to make sure the problem doesn’t happen again.

Complaining on Behalf of Someone Else

Please note that we keep strictly to the rules of medical confidentiality. If you are complaining on behalf of someone else, we have to know that you have their permission to do so.

The person on behalf of whom the complaint is being made will need to sign the declaration at the bottom of our complaint form.

Complaining to the NHS

We hope that, if you have a problem, you will use our Practice Complaints Procedure.

We believe this will give us the best chance of putting right whatever has gone wrong and an opportunity to improve our Practice.

But this does not affect your right to approach the NHS Merseyside Area Team, if you feel you cannot raise your complaint with us or you are dissatisfied with the result of our investigation.

You should contact the PCT complaints manager by writing to:

Patient Relations Manager – Knowsley Primary Care Trust
Nutgrove Villa,
Westmorland Road,
Huyton,
Liverpool,
Merseyside,
L36 6GA

Our Standards

Your Commitment To Us

Appointment Cancellation
If you know you cannot make an appointment please tell us as soon as you can.

We can re-arrange your appointment if you wish and fit someone else in on your cancellation.

Evening, Night and Weekend Visits
Please confine out of hours calls to requests for visits for urgent medical conditions only.

The doctor you are calling will have worked that day and will have to work the following day.

Changes of Name, Address and Telephone Number
If you change your circumstances please tell us so that we can update our records.

This makes it easy for us to contact you should the need arise.

Telephoning the Surgery
For routine telephone calls to the surgery please ring after 11am as the lines are usually very busy up till then.

Comments and Suggestions
Please let us know about the service you receive. It will help us to improve our service to you and to others.

If you have any comments, suggestions or complaints please contact our Practice Manager or one of the doctors.

Our Commitment To You

You will be treated with courtesy by all members of staff.

You will receive care from the most appropriate and suitably qualified member of staff.

Access to your medical records will be limited to the staff providing care for you.

A non-urgent appointment will be available to you within three working days under normal circumstances.

If you require an urgent appointment you will be seen on the same day.

If all appointments have already been taken arrangements will be made to fit you in to the surgery that is running or, if there is no surgery running, the next surgery (in these circumstances some waiting may be unavoidable).

You may request an appointment with the doctor of your choice. This will be arranged for you as soon as possible depending on the availability of the doctor concerned.

Our aim is to see you on time. You will be informed of the reason for any substantial delay affecting your own appointment time.

Except in exceptional circumstances all daytime home visits will be undertaken by the doctors of this practice.

Repeat prescriptions, once authorised by one of the doctors, may be requested online, in person or by post (enclosing an SAE if you wish). Prescriptions will be ready for collection (or posted out) 48 hours later.

Suggestions, comments and complaints will be dealt with promptly and confidentially.

Named GP

You may already be aware that all GP practices are required to provide all registered patients with a named GP who will have overall responsibility for the care and support that our surgery provides to you.

Having a named GP does not prevent you from seeing any other GP at this practice.

Zero Tolerance

The practice has a zero tolerance policy regarding violent and abusive behaviour towards staff or fellow professionals.

Patients exhibiting unacceptable behaviour will be removed from the practice patient list with immediate effect.

GP Earnings

All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.

The average pay for GPs working in The Health Centre Surgery in the 2021/22 financial year was £78,016 before tax and National Insurance. This was for four part-time GPs.

How We Use Your Data

This leaflet briefly explains why the doctor’s surgery collects information about you, and how that information may be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

Records may be held in electronic or manual (written down) format, and may include the following information:

• Details about you, such as address and next of kin
• Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations, such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you and know you well.

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes – the surgery will always endeavour to gain your consent before releasing the information.

Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager to discuss how the disclosure of your personal information can be limited.

How do we maintain the confidentiality of your records?

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

• NHS Trusts
• Specialist Trusts
• Independent Contractors such as dentists, opticians, pharmacists
• Private Sector Providers
• Voluntary Sector Providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• Local Authorities
• Education Services
• Fire and Rescue Services
• Police
• Other ‘data processors’

Access to your Information

You have a right under the Data Protection Act 1998 to access/view what information the surgery holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If you would like to make a ‘subject access request’, please contact the Practice Manager in writing.

If you would like further information about how we use your information, or if you do not want us to use your information in this way, please contact the Practice Manager.