At Alliance Teaching Practices we have a legal duty to explain how we use any personal information we collect about you at the organisation. This is in both electronic and paper format.
Why do we have to provide this privacy notice?
We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer.
Please read the following information carefully to understand how we process your personal data.
For the purpose of the Data Protection Laws, the Data Controller is Coventry and Rugby GP Alliance, whose address is Unit 1, The Boiler House, Electric Wharf, Sandy Lane, Coventry, CV1 4JU
When we refer to ‘we’, ‘us’ and ‘our’, we mean Coventry and Rugby GP Alliance
We are registered with the Information Commissioner’s Office and our registration number is ZA129377.
The main things the law says we must tell you about what we do with your personal data are:
- We must let you know why we collect personal and healthcare information about you
- We must let you know how we use any personal and/or healthcare information we hold about you
- We need to inform you in respect of what we do with it
- We need to tell you about who we share it with or pass it on to and why
- We need to let you know how long we can keep it for
The General Data Protection Regulation (GDPR) became law on 24 May 2016. This was a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25 May 2018, repealing the Data Protection Act (1998). Following Brexit, the GDPR became incorporated into the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2 titled The UK GDPR.
For the purpose of applicable data protection legislation (including but not limited to the Data Protection Act 2018 (DPA2018) and Part 2 the UK GDPR).
Use of your personal information
We will use your information so that we can check and review the quality of care we provide. This helps us improve our services to you.
- We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital or your GP will send details about your prescription to your chosen pharmacy
- Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information see NHS England Summary Care Record
You have the right to object to information being shared for your own care. Please speak to us if you wish to object. You also have the right to have any mistakes or errors corrected.
Your records may exist in several formats including electronic, paper or a mixture of both, and we deploy many working organisational approaches to ensure that such information is maintained within a confidential and secure environment. The records which we could hold about you may include the following information:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender
- Contact Data includes email, postal address and phone numbers
- Confidential Patient Information – this term describes information or data relating to their health and other matters disclosed to another (e.g., patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. Including both information ‘given in confidence’ and ‘that which is owed a duty of confidence’
- Special Categories of Personal Data (non-health) includes information about disability, race or ethnicity, religious or philosophical beliefs, sexual orientation or information about political opinions
Registering for NHS care
- All patients who receive NHS care are registered on a national database (NHS Spine). The Spine is held and maintained by NHS England, a national organisation which has legal responsibilities to collect NHS data
- More information can be found at NHS England – Spine
Identifying patients who might be at risk of certain diseases
- Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible
- This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this organisation
Safeguarding
- Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare, and we do not need your consent or agreement to do this
- We have local policies with more information and are available on request
Artificial intelligence (AI)
- Prior to using AI, a full data protection impact assessment has been compiled, and any AI use will comply with the strict UK data protection laws that also includes UK GDPR
- Clinicians may use AI software during consultations to support both the compiling and documenting of a patients clinical record. There are two main types of personal data that will be processed during a consultation, including the patient’s name, contact details, medical history, diagnosis, treatment information, and any other information shared during consultations. There may also be an audio recording of the clinician, although this is to detail their professional identifiers, such as name and title. Should you not wish the clinician to use any AI during your consultation, please make them aware of this
Medical research
- This organisation shares information from medical records to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best. We will also use your medical records to carry out research within the organisation
- The use of information from GP medical records is very useful in developing new treatments and medicines; medical researchers use information from these records to help to answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive
- You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to us if you wish to object
Checking the quality of care – clinical audits
- This organisation contributes to clinical audits so that healthcare can be checked and reviewed. Information from medical records can help doctors and other healthcare workers to measure and check the quality of care that is provided to you
- The results of the checks or audits can show where organisations are doing well and where they need to improve. These results are also used to recommend improvements to patient care
- Data is sometimes sent to NHS England, a national body with legal responsibilities to collect data
- The data will include information about you, such as your NHS Number and date of birth, and information about your health which is recorded in coded form – for example the code for diabetes or high blood pressure
- We will only share your information for national clinical audits or checking purposes when the law allows
We are required by law to provide you with the following information about how we handle your information:
| Data Controller | |
| Data Protection Officer | DPO@agem |
| Purpose of the processing | To give direct health or social care to individual patients. An example is, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care. To check and review the quality of care. (This is called audit and clinical governance). Medical research and to check the quality of care which is given to patients (this is called national clinical audit). |
| Lawful basis for processing | These purposes are supported under the following sections of the GDPR: Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…” The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits): Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. For medical research: there are two possible Article 9 conditions Article 9(2)(a) – ‘the data subject has given explicit consent…’ or Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’. Healthcare staff will also respect and comply with their obligations under the common law duty of confidence. |
| Recipient or categories of recipients of the processed data | The data will be shared with: healthcare professionals and staff in this surgery;local hospitals;out of hours services; diagnostic and treatment centres; or other organisations involved in the provision of direct care to individual patients. |
| Rights to object and the national data opt-out | You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive – please speak to the practice. You are not able to object to your name, address and other demographic information being sent to NHS England. This is necessary if you wish to be registered to receive NHS care. You are not able to object when information is legitimately shared for safeguarding reasons. In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. The National Data Opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. The National Data Opt-out only applies to any disclosure of data for purposes beyond direct care, so having National Data Opt-out will not prevent your GP patient record being shared via GP Connect Please contact the practice if you wish to opt-out. Further information is available from NHS England. |
| Right to access and correct | You have a right under the Data Protection Act 2018, to request access to view or to obtain a copy of what information the organisation holds about you and to have it modified should it be inaccurate. The process to access your records is known as a Subject Assess Request (SAR) and the way it works is outlined below: – Your SARs request must be made in writing. The latest regulations state that there is no charge to have a printed copy of your information provided. The request will be reviewed and if possible, completed within one month (subject to our possible requests for further clarification for you) You will need to provide adequate proof of your identity before we will release the requested details (e.g., full name, address, date of birth, NHS number and details of your request), you must also provide two forms of identification. We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view. |
| Retention period | Records will be kept in line with the law and national guidance. Information on how long records are kept can be found in the Records Management Code of Practice. |
| Right to complain | In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the Practice Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Further details, visit https://ico.org.uk/for-the-public/ and select “Make a complaint” or telephone: 0303 123 1113. |
| Data we get from other organisations | We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service. |
| Cookies & Privacy | When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally. These pieces of information are used to improve services for you through, for example: Enabling a service to recognise your device so you don’t have to give the same information several times during one task, Recognising that you may already have given a username and password, so you don’t need to do it for every web page requested, Measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast. You can manage these small files yourself within your browser settings. Our Use of Cookies There are two types of cookie you may encounter when using websites: First party cookies: these are the website’s own cookies, controlled by the website owner and used to provide information about usage of the site and possibly help the website’s functionality. https://www.coventryrugbygpalliance.nhs.uk/ does not use these cookies. Third party cookies: these are cookies found in other companies’ internet tools which we are using to enhance our site, for example Facebook or X have their own cookies, which are controlled by them. We use a number of suppliers who may also set cookies on their websites on its behalf. https://www.coventryrugbygpalliance.nhs.uk/ does not control the dissemination of these cookies. You should check the third-party websites for more information about these. Provider: Google Analytics Name: _utma _utmb _utmc _utmz Purpose: These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. |
Maintaining the confidentiality of your records
We will take all possible care to protect your privacy and will only use information collected with the law including:
- Data Protection Act 2018 including General Data Protection Regulation (GDPR)
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012 (if appropriate)
- Codes of Confidentiality, Information Security and Records Management
Our staff are all trained and briefed in data protection principles and understand they have a legal obligation to keep information about you confidential. They also understand that information about you will only be shared with other parties if there is an agreed need to do so or a legal reason. We will only share your data without your permission if there are very exceptional circumstances (i.e., life or death situations, urgent Safeguarding incident where consent cannot be gained), where the law requires information to be passed on and / or in accordance with the Caldicott Principle 7 e.g., to share or not to share. This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott Principles. Whilst the Caldicott Principles were originally developed for NHS purposes, we have adopted the underlying principles in order to align with best practice.
All personal information that we manage is stored within the UK within a secure environment and we always use suitably protected methods and systems to transfer your personal information.
Legal basis for processing
Our legal basis for processing your data relies on certain conditions set out GDPR Articles 6 and 9 as part of the UK GDPR and the UK Data Protection Act. 2018. e.g:
- UK GDPR Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
and - UK GDPR Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; (of Article 9)
Partner Organisations
It may be possible that we will share your information with other organisations, if this is required, we will apply very strong controls. The current organisations who we share data with includes: –
- NHS Trusts
- Local University
- Clinical Commissioning Group
- General Practices
It is noted that the above list is not exhaustive, and we may contract with other external organisations to undertake processing of your personal information. These 3rd party organisations will abide with our stringent contractual conditions regarding the protection of personal data.
In some cases, you will be requested to provide positive consent if we intend to share your personal details with other organisations.
Access to personal information and your rights
You have a right under the Data Protection Act 2018, to request access to view or to obtain a copy of what information the organisation holds about you and to have it modified should it be inaccurate. The process to access your records is known as a Subject Assess Request (SAR) and the way it works is outlined below:
- Your SARs request must be made in writing to the organisation’s IG Lead at the address shown above
- The latest regulations state that there is no charge to have a printed copy of your information provided
- The request will be reviewed and if possible, completed within one month (subject to our possible requests for further clarification for you)
- You will need to provide adequate proof of your identity before we will release the requested details (e.g., full name, address, date of birth, NHS number and details of your request), you must also provide two forms of identification
In addition to the right of access, under the Data Protection Act 2018, you will also have the following rights:
- Erasure, which is the right to request that your personal data is removed from our systems be they paper or electronic – please note that under certain circumstances we are legal obliged to maintain a copy of your data for contractual and or statutory reasons
- Restriction of processing, this is the right for you to request that we only process certain parts of your data
- Objection – you have the right to object to the way that we are processing your data
- Data portability – this concerns the right to request that we provide a copy of your data in an easily transportable format
- Automatic processing – you have the right to object to the way we automatically process data – in the case of our organisation we do not, at present, carry out automatic processing of your data
- If you have provided us with your consent to process your data for the purpose of providing our services, you have the right to withdraw this at any time. In order to do this should contact us by emailing or writing to the organisation
Retention of your data
Your data will be retained for no longer than is absolutely necessary.
Withdrawal of consent
If you have provided us with consent to process your data for the purpose of providing our services, you have the right to request to withdraw this at any time. In order to do this should contact us in writing.
Cookies and privacy
When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.
These pieces of information are used to improve services for you through, for example:
- Enabling a service to recognise your device so you don’t have to give the same information several times during one task
- Recognising that you may already have given a username and password, so you don’t need to do it for every web page requested
- Measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast
You can manage these small files yourself within your browser settings.
Our use of cookies
There are two types of cookie you may encounter when using websites:
First party cookies: these are the website’s own cookies, controlled by the website owner and used to provide information about usage of the site and possibly help the website’s functionality. www.coventryrugbygpalliance.nhs.uk does not use these cookies.
Third party cookies: these are cookies found in other companies’ internet tools which we are using to enhance our site, for example Facebook or Twitter have their own cookies, which are controlled by them.
Third party cookies
We use a number of suppliers who may also set cookies on their websites on its behalf. www.coventryrugbygpalliance.nhs.uk does not control the dissemination of these cookies. You should check the third-party websites for more information about these.
The cookies we use include:
| Provider | Name | Purpose | More info |
| Google Analytics | _utma _utmb _utmc _utmz | These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. |
Our Data Protection Officer is Judith Jordan. You can contact her at agem.dpo@nhs.net or via our postal address:
Coventry and Rugby GP Alliance
Unit 1, The Boiler House
Electric Wharf
Sandy Lane
Coventry
CV1 4JU
Please mark the envelope ‘Data Protection Officer’.
You also have the right to raise a concern with the Information Commissioner’s Office at any time, whose address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Phone
0303 123 1113