Privacy Notice updated February 2024

How we use your information

Introduction

This privacy notice explains in detail why Wellfield Health Centre use your personal data which we, the Data Controller, collects and processes about you.  A Data Controller determines how the data will be processed and used with the GP practice and with others who we share this data with.  We are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the data protection

principles under the General Data Protection Regulation (GDPR) and Data Protection Act 2018.  This notice also explains how we handle that data and keep it safe.

Caldicott Guardian

The GP Practice has a Caldicott Guardian. A Caldicott Guardian is a senior person within a health or social care organisation, preferably a health professional, who makes sure that the personal information about those who use its services is used legally, ethically and appropriately, and that confidentiality is maintained.  The Caldicott Guardian for the GP practice is:

Dr Matthew Pickford

Gmicb-hmr.wellfieldhc@nhs.net

01706 397 600

Data Protection Officer (DPO)

Under GDPR all public bodies must nominate a Data Protection Officer.  The DPO is responsible for advising on compliance, training and awareness and is the main point of contact with the Information Commissioner’s Office (ICO).  The DPO for the practice is:

Mr Paul Fox

Locality Information Governance Manager (Heywood, Middleton and Rochdale)

gmicb-hmr.dpo@nhs.net

We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the Law. 

Details we collect about you

Whenever you attend the surgery or use another health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

NHS Health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. The data the surgery holds will be relevant, adequate and limited to what is required for the surgery to fulfil its duty.

Records which Wellfield Health Centre may hold about you may include the following information:- 

• Details about you, such as your address, next of kin, date of birth, legal representative, emergency contact details
• Any contact the surgery has had with you, such as appointments, clinic visits,emergency appointments, etc.
• Notes and reports about your health
• Details about your treatment and care including medication
• Results of investigations such as laboratory tests, x-rays, etc
• Relevant information from other health professionals, relatives or those who care for you

 In addition to providing direct care we also use your data to:

• Confirm your identity to provide these services and those of your family / carers
• Understand your needs to provide the services that you request
• Obtain your opinion on our services (with consent)
• Prevent and detect fraud and corruption in the use of public funds
• Make sure we meet our statutory obligations, including those related to diversity and equalities
• Adhere to a legal requirement that will allow us to use or provide information (e.g. a formal Court Order or legislation)

Definition of Data Types

We use the following types of information / data:

Personal Data
This contains details that identify individuals even from one data item or a combination of data items. The following are demographic data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth.

Special categories of data (previously known as sensitive data)
This is personal data consisting of information as to: race, ethnic origin, political opinions, health, religious beliefs, trade union membership, sexual life and previous criminal convictions. Under UK GDPR, this now includes biometric data and genetic data.

Personal Confidential Data (PCD)
This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.

Pseudonymised Data or Coded Data
Individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity. When data has been pseudonymised it still retains a level of detail in the replaced data by use of a key / code or pseudonym that should allow tracking back of the data to its original state.

Anonymised Data
This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.

Aggregated Data
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.

How long do we keep your personal data?

Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was collected.  We comply with the Records Management NHS Code of Practice which states that we keep records for 10 years after date of death.  Following this time, the records are securely destroyed if stored on paper or archived.

Destruction will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:

• to ensure that information held in manual form is destroyed using a cross cut shredder or contracted to a reputable confidential waste company that complies with European Standard EN15713 and obtain certificates of destruction.
• to ensure that electronic storage media used to hold or process information are destroyed or overwritten to national standards.

Our data processing activities

The law on data protection under the GDPR sets out a number of different reasons for which personal data can be processed for.  The law states that we have to inform you what the legal basis is for processing personal data and also if we process special category of data such as health data what the condition is for processing.  The types of processing we carry out in the GP practice and the legal bases and conditions we use to do this are outlined below:

Provision of Direct Care and administrative purposes within the GP practice

Type of Data	Personal Data – demographics Special category of data – Health data
Source of Data	Patient and other health and care providers
Legal basis for processing personal data  and Condition for processing special category of data	Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems
Common Law Duty of Confidentiality basis	Implied Consent

Direct care means a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. This is carried out by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship with. In addition, this also covers administrative purposes which are in the patient’s reasonable expectations.

To explain this, a patient has a legitimate relationship with a GP in order for them to be treated and the GP practice staff process the data in order to keep up to date records and to send referral letters etc. 

Other local administrative purposes include waiting list management, performance against national targets, activity monitoring, local clinical audit and production of datasets to submit for national collections.

This processing covers the majority of our tasks to deliver health and care services to you.  When we use the above legal basis and condition to process your data for direct care, consent under GDPR is not needed.  However, we must still satisfy the common law duty of confidentiality and we rely on implied consent. For example, where a patient agrees to a referral from one healthcare professional to another and where the patient agrees this implies their consent.

To deliver direct care we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

 Accelerated Patient Access to Records

The NHS wants to give people better ways to see their personal health information online. We know that people want to be able to access their health records. It can help you see test results faster. It also lets you read and review notes from your appointments in your own time.

We are now letting you see all the information within your health record automatically. If you are over 16 and have an online account, such as through the NHS App, NHS website, or another online primary care service, you will now be able to see all future notes and health records from your GP.

This means that you will be able to see notes from your appointments, as well as test results and any letters that are saved on your records. This only applies to records from your GP from 01/11/2022.

Your GP may talk to you to discuss test results before you are able to see some of your information on the app. Your doctor GP may also talk to you before your full records access is given to make sure that having access is of benefit to you. There might be some sensitive information on your record, so you should talk to your doctor if you have any concerns.

These changes only apply to people with online accounts. If you do not want an online account, you can still access your health records by requesting this information by contacting reception. The changes also only apply to personal information about you. If you are a carer and would like to see information about someone you care for, speak to reception staff.

The NHS App, website and other online services are all very secure, so no one is able to access your information except you. You’ll need to make sure you protect your login details. Don’t share your password with anyone as they will then have access to your personal information.

If you do not want to see your health record, or if you would like more information about these changes, please speak to your GP or reception staff

Medicines Management and Optimisation

Type of Data	Personal Data – demographics Special category of data – Health data
Source of Data	GP Practice
Legal Basis and Condition for processing special category of data under GDPR	Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority Article 9 (2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems
Confidentiality basis	Implied Consent

Heywood, Middleton and Rochdale ICB pharmacists and pharmacy technicians work with GP practices to provide advice on medicines and prescribing queries, process repeat prescription requests and review prescribing of medicines to ensure that it is safe and cost-effective. This may require the use of identifiable information.

In cases where identifiable data is required, this is done with practice agreement and in the case of repeat prescription processing with patient consent. No data is removed from the practice’s clinical system and no changes are made to patient's records without permission from the GP. Patient records are viewed in the GP practice.

Identifiable data is also used by our pharmacists in order to review and authorise (if appropriate) requests for high cost drugs which are not routinely funded. In cases where identifiable data is used, this is done with the consent of the patients.

Greater Manchester Care Record (GMCR)/Share For You

Type of Data	Personal Data – demographics Special category of data – Health data
Source of Data	Patient and other health and care providers
Legal basis for processing personal data  and Condition for processing special category of data	Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems
Common Law Duty of Confidentiality basis	Implied Consent

Sharing your patient information is critical in supporting your care and treatment, especially in situations such as the COVID-19 pandemic.

The GM Care Record allows workers in health or social care easy access to patient information that is critical to support decision-making about patient care and treatment.

It shares important information about your health and care including:

• Any current health or care issues
• Your medications
• Allergies you may have
• Results of any recent tests that you may have had
• Details on any plans created for your care or treatment
• Information on any social care or carer support you may receive

The GMCR pulls patient information from several areas of health and care including: 

• primary care e.g. GP practices
• community services
• mental health services
• social care
• secondary care e.g. hospitals
• specialist services e.g. NWAS

It means that patients won’t have to keep repeating their medical history to each professional in different organisations, care plans will be followed consistently, and clinicians will be better equipped to identify patterns and plan care more effectively to meet the patients’ needs.

The amount of data that the GMCR holds is increasing all the time. Data is constantly being added, so that a combined record can be developed for all our citizens to help better decision making and more informed care and treatment.

In response to the pandemic, the GMCR also includes information about when a patient has been diagnosed with COVID-19 and whether they are self-isolating at home or have been hospitalised. This ensures continuity of care across different care settings and alternatives such as digital support can be put in place.

You can opt out at any time if you prefer that we don’t share your care record to other health and social care services.

The project has been overseen by Health Innovation Manchester and the GM Health and Social Care Partnership, working on behalf of GM’s devolved health and care partners. For further information on the GMCR, please refer to the main GM Care Record privacy notice that can be found by clicking onto the link below
htthttps://gmwearebettertogether.com/your-privacy/p://www.HMRshareforyou.nhs.uk/

Summary Care Record

Type of Data	Personal Data – demographics Special category of data – Health data
Source of Data	Patient and other health and care providers
Legal basis for processing personal data  and Condition for processing special category of data	Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems
Common Law Duty of Confidentiality basis	Implied Consent

The Summary Care Record (SCR) is an electronic record which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had.

Storing information in one place (The SCR) makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed, or if you attend the 7 Day Access Clinic.  This information could make a difference to how a doctor decides to care for you, for example which medicines they choose to prescribe for you.

Only healthcare staff involved in your care can see your Summary Care Record.  It is not compulsory to have a summary care record. If you choose to opt out of the scheme please contact the GP Practice.

Purposes other than direct individual care and treatment

This is information which is used for non-healthcare purposes. Generally this could be for research purposes, audits, service management, safeguarding, commissioning, complaints and patient and public involvement.

When your personal information is used for secondary use this should, where appropriate, be limited and de-identified so that you cannot be identified and the  process is confidential.

Safeguarding

Type of Data	Personal Data – demographics Special category of data – Health data
Source of Data	Patient and other health and care providers
Legal Basis and Condition for processing special category of data under GDPR	Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority Article 9 (2)(b) - Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of …social protection law
Common Law Duty of Confidentiality basis	Overriding Public Interest / children and adult safeguarding legislation

Information is provided to care providers to ensure that adult and children's safeguarding matters are managed appropriately. Access to personal data and health information will be shared in some limited circumstances where it's legally required for the safety of the individuals concerned. For the purposes of safeguarding children and vulnerable adults, personal and healthcare data is disclosed under the provisions of the Children Acts 1989 and 2006 and Care Act 2014.

Risk Stratification

Type of Data	Personal Data – demographics Special category of data – Health data
Source of Data	GP Practice and other care providers
Legal Basis and Condition for processing special category of data under GDPR	Article 6 (1)(c) - Processing is necessary for compliance with a legal obligation Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems Section 251 NHS Act 2006

Risk stratification entails applying computer based algorithms, or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care.  A GP / health professional reviews this information before a decision is made.

The use of personal and health data for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (known as Section 251 approval). This approval allows your GP or staff within your GP Practice who are responsible for providing your care, to see information that identifies you, but CCG staff will only be able to see information in a format that does not reveal your identity.

 NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.

 Knowledge of the risk profile of our population helps to commission appropriate preventative services and to promote quality improvement.

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.

If you do not wish information about you to be included in our risk stratification programme, please contact the GP Practice. We can add a code to your records that will stop your information from being used for this purpose. Please see the section below regarding objections for using data for secondary uses.

 National Clinical Audits

Type of Data	Personal Data – demographics Special category of data – Health data Pseudonymised Anonymised
Source of Data	GP Practice and other care providers
Legal Basis and Condition for processing special category of data under GDPR	Article 6 (1)(c) - Processing is necessary for compliance with a legal obligation Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems Section 251 NHS Act 2006, NHS Constitution (Health and Social Care Act 2012)

The GP practice contributes to national clinical audits (for example the National Diabetes Audit) and will send the data which are required by NHS Digital when the law allows. This may include demographic data such as data of birth and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.

Clinical Research

Type of Data	Personal Data – demographics Special category of data – health data
Source of Data	GP Practice
Legal Basis and Condition for processing special category of data under GDPR	Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority Article 9 (2)(j) - Processing is necessary for…scientific or historical research purposes… Common law duty of confidentiality – explicit consent or if there is a legal statute for this which you will be informed of

All NHS organisations (including Health & Social Care in Northern Ireland) are expected to participate and support health and care research. The Health Research Authority make sure they protect your privacy and comply with the law when they are involved in research.  Health and care research may be exploring prevention, diagnosis or treatment of disease, which includes health and social factors in any disease area. Research may be sponsored by companies developing new medicines or medical devices, NHS organisations, universities or medical research charities. The research sponsor decides what information will be collected for the study and how it will be used.

 Health and care research should serve the public interest, which means that research sponsors have to demonstrate that their research serves the interests of society as a whole. They do this by following the UK Policy Framework for Health and Social Care Research. They also have to have a legal basis for any use of personally-identifiable information.

How patient information may be used for research

When you agree to take part in a research study, the sponsor will collect the minimum personally-identifiable information needed for the purposes of the research project. Information about you will be used in the ways needed to conduct and analyse the research study. NHS organisations may keep a copy of the information collected about you. Depending on the needs of the study, the information that is passed to the research sponsor may include personal data that could identify you. You can find out more about the use of patient information for the study you are taking part in from the research team or the study sponsor. You can find out who the study sponsor is from the information you were given when you agreed to take part in the study.

For some research studies, you may be asked to provide information about your health to the research team, for example in a questionnaire. Sometimes information about you will be collected for research at the same time as for your clinical care, for example when a blood test is taken. In other cases, information may be copied from your health records. Information from your health records may be linked to information from other places such as central NHS records, or information about you collected by other organisations. You will be told about this when you agree to take part in the study.

Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research, unless under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applies.

 Your choices about health and care research

If you are asked about taking part in research, usually someone in the care team looking after you will contact you. People in your care team may look at your health records to check whether you are suitable to take part in a research study, before asking you whether you are interested or sending you a letter on behalf of the researcher.

It’s important for you to be aware that if you are taking part in research, or information about you is used for research, your rights to access, change or move information about you are limited. This is because researchers need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from a study, the sponsor will keep the information about you that it has already obtained. They may also keep information from research indefinitely.

If you would like to find out more about why and how patient data is used in research, please visit the Understanding Patient Data website.

https://understandingpatientdata.org.uk/what-you-need-know

 To find out more about GDPR and using personal data for research, please visit the Health Research Authority website on the link below:

 https://www.hra.nhs.uk/hra-guidance-general-data-protection-regulation/

 Current Research Projects

The practice supports medical research by sending some of the information from patient records to the Clinical Practice Research Datalink (CPRD). CPRD is a Government organisation that provides anonymised patient data for research to improve patient and public health. You cannot be identified from the information sent to CPRD. If you do not want anonymised information from your record used in research you can opt out by informing the GP Practice.

Complaints

Type of Data	Personal Data – demographics Special category of data – health data
Source of Data	Data Subject, Primary Care, Secondary Care and Community Care
Legal Basis and Condition for processing special category of data under GDPR	Article 6 (1)(a) – Explicit Consent Article 9 (2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems Common law duty of confidentiality – explicit consent

 If you contact the GP Practice or NHS England about a complaint, we require your explicit consent to process this complaint for you.  You will be informed of how and with whom your data will be shared by us, including if you have or you are a representative you wish the GP practice to deal with on your behalf.

 Purposes requiring consent

There are also other areas of processing undertaken where consent is required from you. Under GDPR, consent must be freely given, specific, you must be informed and a record must be made that you have given your consent, to confirm you have understood. 

Patient and Public Involvement

Type of Data	Personal Data – demographics
Source of Data	GP Practice
Legal Basis and Condition for processing special category of data under GDPR	Article 6 (1)(a) – Explicit Consent Article 9 (2)(a) – Explicit Consent

 If you have asked us to keep you regularly informed and up to date about the work of the GP Practice or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

We obtain your consent for this purpose. Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.

How we protect your personal data

 We will use the information we collect in a manner that conforms to the General Data Protection Regulations (GDPR) and Data Protection Act 2018.   The information you provide will be subject to rigorous measures and procedures to make sure it can’t be seen, accessed or disclosed to any inappropriate persons.   We have an Information Governance Framework that explains the approach within the GP practice, our commitments and responsibilities to your privacy and cover a range of information and technology security areas. 

Access to your personal confidential data is password protected on secure systems and securely locked in filing cabinet when on paper.

Our IT Services provider, Greater Manchester Shared Service, regularly monitor our system for potential vulnerabilities and attacks and look to always ensure security is strengthened.

All our staff have received up to date data security and protection training.  They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so. We have incident reporting and management processes in place for reporting any data breaches or incidents.  We learn from such events to help prevent further issues and inform patients of breaches when required.

With whom do we share your data?

As stated above, where your data is being processed for direct care this will be shared with other care providers who are providing direct care to you such as:

• NHS Trusts / Foundation Trusts
• GPs
• Out of Hours Provider (BARDOC)
• NHS Commissioning Support Units
• GP Federation (Rochdale Health Alliance)
• Primary Care Network (Canalside PCN)
• Independent Contractors such as dentists, opticians, pharmacists
• Private Sector Providers
• Voluntary Sector Providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• Health and Social Care Information Centre (HSCIC)
• Local Authorities
• Education Services
• Fire and Rescue Services
• Police & Judicial Services
• Voluntary Sector Providers
• National Diabetes Audit
• Other ‘data processors’

We work with third parties and suppliers (data processors) to be able for us to provide a service to you.  These include:

• EMIS and Docman to provide our electronic clinical system
• NHS Greater Manchester Shared service – to provide our IT services
• Risk Stratification QRisk software provided by EMIS
• SMS Text Services provided by MJOG and PATCHS
• Nova Healthcare Solutions for Document Management
• Shred-It for the on-site destruction of confidential paper documents

There may be occasions whereby these organisations have potential access to your personal data, for example, if they are fixing an IT fault on the system.  To protect your data, we have contracts and / or Information Sharing Agreements in place stipulating the data protection compliance they must have and re-enforce their responsibilities as a data processor to ensure you data is securely protected at all times.

We will not disclose your information to any 3^rd party without your consent unless:

• there are exceptional circumstances (life or death situations)
• where the law requires information to be passed on as stated above
• required for fraud management – we may share information about fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
• It is required to be disclosed to the police or other enforcement, regulatory or government body for prevention and / or detection of crime

 Where is your data processed?

Your data is processed within the GP surgery and by other third parties as stated above who are UK based.  Your personal data is not sent outside of the UK for processing.

Where information sharing is required with a country outside of the EU you will be informed of this and we will have a relevant Information Sharing Agreement in place. We will not disclose any health information without an appropriate lawful principle, unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out a statutory functions i.e. reporting to external bodies to meet legal obligations

 What are your rights over your personal data?

You have the following rights over your data we hold:

Subject Access Rights – you can request access to and or copies of personal data we hold about you, free of charge (subject to exemptions) and provided to you within one calendar month. We request that you provide us with adequate information in writing to process your request such as full name, address, date of birth, NHS number and details of your request and documents to verify your identity so we can process the request efficiently.  On processing a request, there may be occasions when information may be withheld if your GP believes that releasing the information to you could cause serious harm to your physical or mental health. Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.

To request a copy or request access to information we hold about you and / or to request information to be corrected if it is inaccurate, please contact The Practice Manager:

Wellfield Health Centre, 116 Oldham Road, Rochdale, OL11 1AD.
Email: gmicb-hmr.wellfieldhc@nhs.net

 Right to rectification - The correction of personal data when incorrect, out of date or incomplete which must be acted upon within one calendar month of receipt of such request.  Please ensure the GP practice has the correct contact details for you. 

Right to withdraw consent - If we have your explicit consent for any processing we do, you have the right to withdraw that consent at any time

Right to Erasure (‘be forgotten’)
If we obtain consent for any processing we do, you have the right to have that data deleted / erased.  Please note this does not apply to health records.

Right to Data Portability
If we obtain consent for any processing we do, you have the right to have data provided to you in a commonly used and machine readable format such as excel spreadsheet, csv file.

Right to object to processing – you have the right to object to processing however please note if we can demonstrate compelling legitimate grounds which outweighs the interest of you then processing can continue.  If we didn’t process any information about you and your health care if would be very difficult for us to care and treat you.

When Wellfield Health Centre is about to participate in any new data-sharing or scheme that requires the processing of patient data we will make patients aware by displaying prominent notices in the surgery and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.

Right to restriction of processing
This right enables individuals to suspend the processing of personal information, for example, if you want to establish its accuracy or the reason for processing it.

Objections to processing your confidential information for research and planning and “Your Data Matters”

You have a choice about whether your confidential patient information can be used for NHS research and planning purposes. If you are happy with your information to be used in this way you do not need to do anything.

In England you can register your choice to opt out of sharing your information for NHS research and planning via the “Your Data Matters” webpage on the link below:

 https://www.nhs.uk/your-nhs-data-matters/

If you do choose to opt out you can still agree to take part in any research study you want to, without affecting your ability to opt out of other research.

If you do choose to opt out your confidential information will still be used to support your individual care and will not prevent anonymised data from being used for purposes beyond individual care where it is anonymised in line with the Information Commissioner’s code of anonymisation.

You can also change your choice about opting out at any time.

 Please note that data being used for research and planning (and other purposes beyond individual care) does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Complaints / Contacting the Regulator

If you feel that your data has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, please contact our Data Protection Officer / Practice Manager at the following contact details:

Email us at: gmicb-hmr.wellfieldhc@nhs.net

Or write to us at: Wellfield Health Centre, 116 Oldham Road, Rochdale OL11 1AD

If you are not happy with our responses and wish to take your complaint to an independent body, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by calling 0303 123 1133
Or go online to www.ico.org.uk/concerns

Further Information / Contact Us

We hope that the Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.  Should you have any questions / or would like further information, please visit the websites below and / or contact either our Caldicott Guardian / Data Protection Officer / Practice Manager at the following contact details:

Email us at: gmicb-hmr.wellfieldhc@nhs.net

Or write to us at: Wellfield Health Centre, 116 Oldham Road, Rochdale OL11 1AD

Links

If you would like to find out more information on the wider health and care system approach to using personal information or other useful information, please click and / or search for the following on the internet:

• Information Commissioners Office
• Information Governance Alliance
• NHS Digital National Data Opt Out Programme
• NHS Constitution
•  NHS Care Record Guarantee
• NHS Digital Guide to Confidentiality in Health and Social Care
• Health Research Authority
• Health Research Authority Confidentiality Advisory Group (CAG)
• Access to patient records through the NHS App