Practice Policies & Patient Information
Complaints
Your Views Matter
Fir Park Medical Centre is always looking for ways to improve the services it offers to patients. To do this effectively, the practice needs to know what you think about the services you receive. Tell us what we do best, where we don’t meet your expectations plus any ideas and suggestions you may have. Only by listening to you can the practice continue to build and improve upon the service it offers.
Compliments
We want to hear from you if you are particularly pleased with the service you have received from an individual or team within the Surgery and wish to pass on your thanks or praise.
If you can tell us what we do well, we can give others a better service too. We will ensure that compliments reach the individuals concerned. If it is appropriate, we will also share your comments with other colleagues.
Friends & Family Test
This is your opportunity to give us feedback. Please complete one of the forms available at reception, on our website, or by text message.
Comments
We also want to hear from you with any comments you have about any of our services or suggestions for ways we can improve. When you make a comment it will be sent to the Practice Manager for action or learning.
Complaints
We always try to give a good service but sometimes things go wrong. You can help us make changes by telling us about what is wrong and how you would like us to put it right.
You may want to complain about:
- A service
- Any action, attitude or behaviour of a member of staff which has affected you or someone close to you
Please get in touch with the Practice Manager if you need help or support in using our procedure, or if you need the information in another format.
How to complain
You should discuss any comments or concerns with the person providing the service, for example a Nurse or a Doctor, or ask to speak to the Practice Manager. If you are unhappy with the outcome, or if you would prefer to speak to somebody separate from the surgery, you could consider contacting the Patient Advice and Liaison Service (PALS). Contact details are included below.
PALS aims to:
- Help sort out problems informally and quickly on your behalf
- Provide advice or refer patients, families and carers to other agencies where appropriate
- Advise on the formal complaints procedure if necessary
- Feed back to the Halton Clinical Commissioning Group (CCG) on common themes and concerns and help bring about improvements and change
Ideally, formal complaints about the surgery should be made directly to the surgery, in writing or by telephone. You can, however, choose to complain to the Halton Clinical Commissioning Group (CCG) if you do not wish to deal with the surgery directly. Contact details are included below.
Complaining on Behalf of Someone Else
We keep to the strict rules of medical and personal confidentiality. If you wish to make a complaint and are not the patient involved, we will require the written consent of the patient to confirm that they are unhappy with their treatment and that we can deal with someone else about it.
Please ask at reception for the Complaints Form which contains a suitable authority for the patient to sign to enable the complaint to proceed.
Where the patient is incapable of providing consent due to illness or accident it may still be possible to deal with the complaint. Please provide the precise details of the circumstances which prevent this in your covering letter.
Please note that we are unable to discuss any issue relating to someone else without their express permission, which must be in writing, unless the circumstances above apply.
We may still need to correspond directly with the patient, or may be able to deal directly with the third party; this depends on the wording of the authority provided.
What happens when you make a complaint?
When the practice looks into your complaint it aims to:
- Acknowledge your complaint within 3-5 working days.
- Ascertain the full circumstances of the complaint.
- Respond as soon as possible.
- Make arrangements for you to discuss the problem with those concerned, if you would like this.
- Make sure you receive an apology, where this is appropriate.
- Identify what the practice can do to make sure the problem does not happen again.
- Send a final letter setting out the result of any practice investigations.
What if I am not happy with the response?
All complaint responses will include instructions on how to raise any queries about the response.
The practice welcomes feedback and will undertake follow up investigations if you are unhappy with our original investigation or response.
Complainants will be contacted to agree how they would like their remaining issues to be taken forward. A meeting will be offered, or a further complaint investigation, as appropriate.
All complainants are also provided with information about the Parliamentary and Health Service Ombudsman (PHSO) with their response.
If you remain unsatisfied after the practice has exhausted all attempts at resolution, you may wish to contact the PHSO. The Ombudsman is completely independent of both the NHS and the Government, and can investigate complaints about NHS services and about how the complaints procedure is working.
The Ombudsman does not have to investigate every complaint put to them and they will not usually take on a case which has not first been through the NHS complaints procedure.
Data Protection
Our Privacy Notice
Fir Park Medical Centre is committed to protecting your personal information and being transparent about what we do with it. We are committed to using your personal information in accordance with all applicable laws concerning the protection of personal information, and not to do anything with your information you wouldn’t reasonably expect. We have a legal duty to explain how we use any personal information we collect about you as a registered patient at the practice.
Data Security
Our Data Protection & Security Policy describes our approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of Fir Park Medical Centre information. It is the overarching policy for information security and supported by specific technical security, operational security and security management policies. It supports the 7 Caldicott principles and 10 data security standards.
Subject Access Requests
Data protection legislation allows you to find out what information is held about you. This is known as “right of subject access”, and applies to your health and social care records.
If you want to see a copy of your health records you should contact a member of staff or complete a Subject Access Request Form. In order to process any requests we will need to confirm your identity.
Data Protection Impact Assessment (DPIA)
The General Data Protection Regulation (GDPR) introduced a new obligation, and Fir Park Medical Centre is expected to carry out a Data Protection Impact Assessment (DPIA) before implementing new changes or processing that are likely to result in a high risk to individuals’ interests. Any completed DPIAs will be listed below.
The National Data Opt-Out – March 2020
The national data opt-out was introduced on 25 May 2018, enabling patients to opt out of the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
We are no longer able to record your preference at the practice. Patients can view or change their national data opt-out choice at any time by using the online service at NHS: Your Data Matters or by calling 0300 303 5678.
Data Security & Protection Policy
Policy Overview
The purpose of the Data Security & Protection Policy is to support the 7 Caldicott Principles, the 10 Data Security Standards, the General Data Protection Regulation (2016), the Data Protection Act (2018), the common law duty of confidentiality and all other relevant legislation. Data protection is a fundamental right and the Practice will embrace the principles of data protection by design and default. The Practice is committed to adhering to the 10 National Data Guardian (NDG) Data Security Standards in order to ensure the protection and security of all data which the Practice processes. This policy was developed in conjunction with the guidance outlined in NHS Digital’s Information Security Policy, the Data Protection Act 2018 and advice from the Information Commissioner’s Office following the General Data Protection Regulation (GDPR), which came into force on 25th May 2018.
Aims
This policy outlines the approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of Fir Park Medical Centre information. It is the overarching policy for information security and supported by specific technical security, operational security and security management policies. It supports the 7 Caldicott principles and 10 data security standards. This policy covers:
- Information Security principles
- Governance – outlining the roles and responsibilities
- Supporting specific information security policies – Technical Security, Operational Security and Security Management.
- Compliance Requirements.
Scope
This policy applies to all those working within the Practice, in whatever capacity. A failure to follow the requirements of the policy may result in investigation and management action being taken, in line with the Practice’s disciplinary policy and procedure.
Both the Clinical & Operational Leads for Information Governance will ensure all staff are aware of the Data Security & Protection Policy at the earliest possible opportunity.
Roles and Responsibilities
Practice Staff
Information security and the appropriate protection of information assets is the responsibility of all users, and individuals are expected at all times to act in a professional and responsible manner whilst conducting business. All staff are responsible for information security and remain accountable for their actions in relation to NHS and other UK Government information and information systems. It is mandatory that staff ensure they understand their role and responsibilities, and that failure to comply with this policy may result in disciplinary action. This will be reinforced by yearly mandatory training.
Clinical Lead for Information Governance
The Clinical Lead for Information Governance is the practice’s registered Caldicott Guardian and is responsible for:
- Ensuring implementation of the Caldicott Principles and Data Security Standards with respect to Patient Confidential Data.
- Ensuring that the Practice processes satisfy the highest practical standards for handling patient information and provide advice and support to Practice staff as required.
- Ensuring that patient identifiable information is shared appropriately and in a secure manner. The Caldicott Guardian will liaise where there are reported incidents of person identifiable data loss or identified threats and vulnerabilities in Practice information systems to mitigate the risk.
In addition, they are responsible for information risk within the Practice and advise the Partners on the effectiveness of information risk management within the Practice. Operational responsibility for information security is delegated to the Operational Lead for Information Governance. All information security risks shall be managed in accordance with the Practice’s Risk Management Policy. The Clinical Lead for Information Governance (IG) for Fir Park Medical Centre is Dr Brindle.
Operational Lead for Information Governance
The Operational Lead for Information Governance is responsible for the day to day operational effectiveness of the Data Security and Protection Policy and its associated IG policies and processes. They must ensure that their staff are aware and adhere to the policy requirements. The Operational Lead for IG is responsible for:
- Understanding what information is held.
- Knowing what is added and what is removed.
- Understanding how information is moved.
- Knowing who has access and why.
Additional responsibilities include:
- Acting as Information Asset Owner (IAO) i.e. responsible for Information Assets within the practice.
- Awareness of information security risks, threats and possible vulnerabilities within the practice and complying with relevant policies and procedures to monitor and manage such risks.
- Provide a central point of contact for information security.
- Ensure the operational effectiveness of security controls and processes.
- Monitor and co-ordinate the operation of the Information Security Management System.
- Monitor potential and actual security breaches with appropriate expert security resource (provided by HIS Team).
- Supporting personal accountability of users within the practice for Information Security
- Ensuring that all staff under their management have access to the information required to perform their job function within the boundaries of this policy and associated policies and procedures.
The Operational Lead for Information Governance (IG) for Fir Park Medical Centre is Anita Corrigan.
Data Protection Officer (DPO)
The Data Protection Officer is responsible for ensuring the Practice remains compliant at all times with Data Protection, Privacy & Electronic Communications Regulations, Freedom of Information Act and the Environmental Information Regulations. The Data Protection Officer shall:
- Lead on the provision of expert advice to the Practice on all matters concerning the Data Protection Act, compliance, best practice and setting and maintaining standards.
- Inform and advise the organisation and its employees of their data protection obligations under the GDPR.
- Monitor the organisation’s compliance with the GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits.
- Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and outcomes.
- Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting.
The DPO will be independent and an expert in data protection. The DPO will be the Practice’s point of contact with the Information Commissioner’s Office.
The Data Protection Officer (DPO) for Fir Park Medical Centre is the Information Governance Team:
Camilla Bhondoo
Mid-Mersey Digital Alliance
Alexandra Business Park
Court Building
Prescot Road
St Helens
WA10 3TP
Email: IG@midmerseyda.nhs.uk
Policy
The Data Protection & Security Policy outlines the approach, methodology and responsibilities for preserving the confidentiality, integrity and availability of the Practice’s information. It is the overarching policy for information security and is supported by specific technical security, operational security and security management policies. It supports the 7 Caldicott principles and 10 data security standards. This policy covers:
- Information Security Principles.
- Governance – outlining the roles and responsibilities. (see section 3)
- Supporting specific information security policies – Technical Security, Operational Security and Security Management.
- Compliance Requirements.
Information Security Principles
The core information security principles are to protect the following information/data asset properties:
- Confidentiality (C) – protect information/data from breaches, unauthorised disclosure, loss or unauthorised viewing.
- Integrity (I) – retain the integrity of the information/data by protecting it from unauthorised or accidental modification or deletion.
- Availability (A) – maintain the availability of the information/data by protecting it from disruption and denial of service attacks.
In addition to the core principles of C, I and A, information security also relates to the protection of reputation; reputational loss can occur when any of the C, I or A properties are breached. The aggregation effect, by association or volume of data, can also impact upon the Confidentiality property.
For the NHS, the core principles are impacted, and the effect aggregated, when any data breach relates to patient medical data.
Supporting Policies
The Data Security & Protection Policy is developed as the top-level document, with further policies, standards and guides which enforce and support it. The supporting policies are grouped into 3 areas: Technical Security, Operational Security and Security Management, and are shown in the diagram overleaf. The Data Security & Protection Policy is closely aligned to the NHS Information Governance Strategy and relies upon, and supports, the Practice’s Physical and Personnel Security policies.
Technical Security
The technical security policies detail and explain how information security is to be implemented. These policies cover the security methodologies and approaches for elements such as: Encryption Policy, Cloud Security Policy, Back-up Policy.
Operational Security
The operational security policies detail how the security requirements are to be achieved. These policies explain how security practices are to be achieved for matters such as: Acceptable Use Policy, Mobile & Remote Working, Business Continuity Policy and Use of Social Media.
Security Management
The security management policies detail how the security requirements are to be managed and checked. These policies describe how information security is to be managed and assured for processes such as: Data Breach and Incident Reporting Policy.
Framework of IG Policies
Fir Park Medical Centre maintains the following key policies to support effective Information Governance.
Policy Owner – Mid Mersey Digital Alliance
- Network Security Policy
- Mobile Devices Policy
- Patch Test Policy
Policy Owner – Fir Park Medical Centre
- Code of Confidentiality & Data Protection Policy
- Information Governance Policy
- Remote Working Policy
- Third Party Confidentiality Policy
- Mobile Devices Policy
- Business Continuity Plan
- E-mail, Internet and Telecommunications Safety and Acceptable Use Policy
- Safe Haven Policy for the Secure Transfer of Personal Confidential Data Policy
- Information Security Incident Reporting Policy
- Information Security Policy
- Smartcard Policy
- Data Security & Protection Policy
- Data Breach Policy including Incident Reporting Procedure
- Patient Privacy Notice
- Privacy Notice Children
- Privacy Notice Information Leaflet for Children
- Staff Privacy Notice
- Clinical Lead for Information Governance Responsibilities
- Operational Lead for Information Governance Responsibilities
- Data Protection Impact Assessment
- Freedom of Information Act Policy
- Records Management Policy
- Data Quality Policy
- Subject Access Request Policy
- CHAIN SMS Protocol
Policy Owner – NHS Digital
- How We Use and Protect Your Personal Information – Patient Information Leaflet
Data Security Audit Procedures
Confidentiality audits will focus on controls within electronic records management systems and paper record systems; the purpose being to discover whether confidentiality has been breached, or put at risk, through deliberate misuse of systems or as a result of insufficient controls. Audits of security and access arrangements are to be conducted on a six-monthly basis.
Audits will be carried out as required by some or all of the following methods: unannounced spot checks of random work areas, and discussion with individual staff members. These audits will be instigated by the Operational Lead for Information Governance.
Training and Awareness
All new staff are required to complete the Introduction to Information Governance training module via the online IG Training Tool when they first join the organisation, unless they have completed appropriate IG training within the last year and can evidence this. In addition, new staff are provided with an Information Governance User Handbook and sign a declaration confirming its receipt.
The Practice also requires all existing staff to complete online IG training annually; if they have previously completed the ‘Introduction to Information Governance’ module they must complete the Refresher Module thereafter. This includes completion of an IG Training Record to confirm they have received appropriate training and to address any outstanding training needs.
Ad hoc training may be completed where an incident investigation requires this.
Review
This policy and its associated strategy and procedures will be reviewed on an annual basis, or earlier if appropriate, to take into account any changes to legislation and/or national guidance that may occur. Policies are communicated to all staff via Intradoc and are available to all staff.
Compliance Requirements
Legislation relevant to this policy; The Practice will comply with all relevant legislation; this includes but is not limited to:
- The Data Protection Act 2018
- The General Data Protection Regulation
- The NHS Confidentiality Code of Practice 2003
- Common Law Duty of Confidentiality
- Freedom of Information Act 2000
- Health & Social Care Act 2016
- Computer Misuse Act 1990
References
NHS Digital (2017) Information Security Policy UK
GDPR
The surgery has started work in order to comply with the General Data Protection Regulation, which came into effect on 25th May 2018. We will be reviewing how GDPR affects the way the surgery processes your personal data, including confidential health records. There is currently no deadline for GP practices to be fully compliant, but there is an expectation that surgeries will be actively working towards full compliance from 25th May 2018.
To ensure all patients at the surgery are made aware of their rights under the new legislation, and so that the surgery meets its responsibilities under the GDPR, we will be adding information to this page as it becomes available to us and when centrally-approved by NHS England.
Various actions will occur over the coming months as part of the surgery working toward full GDPR compliance and we will let you know via posters/leaflets in the surgery, through our waiting room screens and on this website.
We text those patients who have agreed to receiving appointment reminders, and other healthcare-related messages such as the Friends and Family Test feedback, on their mobile phones.
If you no longer want to receive any text reminders, you have the right to opt out. Please note that by opting out, it means you will not receive any texts from the practice, but you can opt in again at any time. Please let the practice know if you wish to opt out.
Net GP Earnings
All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.
The average pay for GPs working in Fir Park Medical Centre in the last financial year was £100,569 before tax and National Insurance. This is for 3 full time GPs, 4 part time GPs and 1 locum GP who have worked in the practice for more than six months.
NHS England require that the net earnings of doctors engaged in the practice is publicised, and the required disclosure is shown below. However it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used to form any judgement about GP earnings, nor to make any comparison with any other practice.
Privacy Notice
This privacy notice explains in detail why we, the GP practice (Data Controller), collect and process personal data about you. A Data Controller determines how the data will be processed and used and who it will be shared with. We are legally responsible for ensuring that all personal data we hold and use is handled in a way that meets the data protection principles under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This notice also explains how we handle that data and keep it safe.
Caldicott Guardian
The GP Practice has a Caldicott Guardian. A Caldicott Guardian is a senior person within a health or social care organisation, preferably a health professional, who makes sure that the personal information about those who use its services is used legally, ethically and appropriately, and that confidentiality is maintained.
The Caldicott Guardian for the GP practice is: Dr M. J. Brindle – Clinical Information Governance Lead/Caldicott Guardian
- Email: Miles.brindle@haltongp.nhs.uk
Data Protection Officer (DPO)
Under the UK GDPR all public bodies must nominate a Data Protection Officer. The DPO is responsible for advising on compliance, training and awareness and is the main point of contact with the Information Commissioner’s Office (ICO).
The DPO for the practice is: Camilla Bhondoo
- The Information Governance Team, St Helens & Knowsley Teaching Hospital Trust Health Informatics Services, Alexandra Business Park, Prescot Road, St Helens, Merseyside WA10 3TP
- Contact Number: 0151 676 5698
- Email: IG@midmerseyda.nhs.uk
We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the law. When such changes occur, we will revise the last updated date as documented in the version status.
- Reviewed: January 2022
- Review Date: January 2023
- Version: 2.0
What we do
We are here to provide care and treatment to you as our patients. In order to do this, the GP practice keeps personal demographic data about you such as your name, address, date of birth, telephone numbers, email address, NHS Number etc and your health and care information. Information is needed so we can provide you with the best possible health and care.
We also use your data to:
- Confirm your identity to provide these services and those of your family / carers
- Understand your needs to provide the services that you request
- Obtain your opinion on our services (with consent)
- Prevent and detect fraud and corruption in the use of public funds
- Make sure we meet our statutory obligations, including those related to diversity and equalities
- Adhere to a legal requirement that will allow us to use or provide information (e.g. a formal Court Order or legislation, investigations)
Definition of Data Type
We use the following types of information / data
Personal Data
This contains details that identify an individual, either from one data item or from a combination of data items. Demographic items considered identifiable include name, address, NHS Number, full postcode and date of birth. Under UK GDPR, this now also includes location data and online identifiers.
Special categories of data (previously known as sensitive data)
This is personal data consisting of information as to: race, ethnic origin, political opinions, health, religious beliefs, trade union membership, sexual life and previous criminal convictions. Under UK GDPR, this now includes biometric data and genetic data.
Personal Confidential Data (PCD)
This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
Pseudonymised Data or Coded Data
Individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity. When data has been pseudonymised it still retains a level of detail in the replaced data by use of a key / code or pseudonym that should allow tracking back of the data to its original state.
Anonymised Data
This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.
Aggregated Data
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
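The three definitions above (pseudonymised, anonymised and aggregated data) describe techniques without naming an implementation. The following Python is an added example, not code from Fir Park Medical Centre or its data processors, showing one way each term plays out in practice: a keyed pseudonym that can be tracked back only through a separately held key map, anonymisation by removing the identifier and generalising postcode and age, and aggregation with small-number suppression. The records, NHS numbers, key and suppression threshold are all constructed for the example.

```python
# Added example (not the practice's own code): one way to realise the
# pseudonymised, anonymised and aggregated data types defined above.
# The records, NHS numbers, key and suppression threshold are constructed.
import hmac
import hashlib
from collections import Counter

# Constructed sample records; the NHS numbers are fictional placeholders.
RECORDS = [
    {"nhs_number": "9990000001", "postcode": "WA8 7ZZ", "age": 67, "condition": "diabetes"},
    {"nhs_number": "9990000002", "postcode": "WA8 7ZY", "age": 71, "condition": "diabetes"},
    {"nhs_number": "9990000003", "postcode": "WA7 1AB", "age": 34, "condition": "asthma"},
    {"nhs_number": "9990000004", "postcode": "WA8 9QQ", "age": 58, "condition": "diabetes"},
    {"nhs_number": "9990000005", "postcode": "WA7 2CD", "age": 45, "condition": "asthma"},
    {"nhs_number": "9990000006", "postcode": "WA8 6EF", "age": 29, "condition": "copd"},
]


def pseudonym(nhs_number: str, key: bytes) -> str:
    """Coded reference for one identifier: HMAC-SHA256 under a secret key,
    truncated to 16 hex characters. The same number under the same key
    always yields the same code, so records about one person can still be
    linked; without the key the code can be neither reversed nor recomputed.
    An unkeyed hash would not do here: the 10-digit NHS number space is
    small enough to enumerate and match against the codes."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier with its code. Returns the coded dataset
    and the key map (code -> NHS number) that allows the data to be tracked
    back to its original state; the map is held apart from the dataset."""
    coded, key_map = [], {}
    for r in records:
        code = pseudonym(r["nhs_number"], key)
        key_map[code] = r["nhs_number"]
        coded.append({"pseudonym": code,
                      **{k: v for k, v in r.items() if k != "nhs_number"}})
    return coded, key_map


def reidentify(code, key_map):
    """Track a coded record back to the patient; only possible with the map."""
    return key_map.get(code)


def anonymise(records):
    """Drop the identifier with no key map, and generalise the quasi-identifiers
    that could single someone out when linked with other available data:
    full postcode to its outward code, exact age to a ten-year band.
    Removing the NHS number alone would leave the data pseudonymous at best."""
    out = []
    for r in records:
        lo = (r["age"] // 10) * 10
        out.append({"postcode_district": r["postcode"].split()[0],
                    "age_band": f"{lo}-{lo + 9}",
                    "condition": r["condition"]})
    return out


def aggregate(records, field, min_count=3):
    """Statistics over the whole set: counts per value of `field`. Groups
    smaller than min_count are suppressed (reported as None) so a small
    group cannot be matched to a known person. The threshold of 3 is an
    assumption for this example, not a figure from the practice."""
    counts = Counter(r[field] for r in records)
    return {k: (v if v >= min_count else None) for k, v in sorted(counts.items())}


if __name__ == "__main__":
    key = b"example-only-key-held-separately"
    coded, key_map = pseudonymise(RECORDS, key)
    print(coded[0])                                    # pseudonym, postcode, age, condition
    print(reidentify(coded[0]["pseudonym"], key_map))  # 9990000001 (only with the key map)
    print(anonymise(RECORDS)[0])                       # WA8, 60-69, diabetes
    print(aggregate(RECORDS, "condition"))             # asthma and copd suppressed
```

The point of the split between `pseudonymise` and `anonymise` is the one the definitions make: the coded dataset is still personal data as long as someone holds the key map, whereas the anonymised output discards the link entirely and coarsens the fields that could otherwise be matched to a person through other available data.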
Our data processing activities
The law on data protection under the UK GDPR sets out a number of different reasons for which personal data can be processed. The law states that we have to inform you of the legal basis for processing personal data and, if we process special category data such as health data, the condition for processing. The types of processing we carry out in the GP practice and the legal bases and conditions we use to do this are outlined below:
Provision of Direct Care and administrative purposes within the GP practice
Type of Data:
Source of Data: Patient and other health and care providers
Legal basis for processing personal data and condition for processing special category of data:
Common Law Duty of Confidentiality basis: Implied Consent
Direct care means a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. This is carried out by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship with. In addition, this also covers administrative purposes which are in the patient’s reasonable expectations.
To explain this, a patient has a legitimate relationship with a GP in order to be treated, and the GP practice staff process the data in order to keep up-to-date records and to send referral letters etc. Other local administrative purposes include waiting list management, performance against national targets, activity monitoring, local clinical audit and production of datasets to submit for national collections. This processing covers the majority of our tasks to deliver health and care services to you. When we use the above legal basis and condition to process your data for direct care, consent under UK GDPR is not needed. However, we must still satisfy the common law duty of confidentiality, and for this we rely on implied consent: for example, where a patient agrees to a referral from one healthcare professional to another, that agreement implies their consent to the information being shared.
Purposes other than direct care (secondary use)
This is information which is used for purposes other than your direct care. Generally this could be for research, audits, service management, safeguarding, commissioning, complaints and patient and public involvement. When your personal information is used for secondary purposes it should, where appropriate, be limited and de-identified so that confidentiality is maintained.
Safeguarding
Type of Data:
Source of Data: Patient and other health and care providers
Legal Basis and Condition for processing special category of data under UK GDPR:
Common Law Duty of Confidentiality basis: Overriding Public Interest / children and adult safeguarding legislation
Information is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Personal data and health information will be shared in some limited circumstances where it is legally required for the safety of the individuals concerned. For the purposes of safeguarding children and vulnerable adults, personal and healthcare data is disclosed under the provisions of the Children Acts 1989 and 2004 and the Care Act 2014.
Risk Stratification
Type of Data:
Source of Data: GP Practice and other care providers
Legal Basis and Condition for processing special category of data under UK GDPR:
Risk stratification entails applying computer-based algorithms, or calculations, to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition. Identifying those patients individually from the whole patient population by hand would be a lengthy and time-consuming process that would be less likely to identify individuals quickly and would delay improvements to their care. A GP / health professional reviews this information before a decision is made.
The use of personal and health data for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (known as Section 251 approval). This approval allows your GP or staff within your GP Practice who are responsible for providing your care, to see information that identifies you, but CCG staff will only be able to see information in a format that does not reveal your identity.
NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.
Knowledge of the risk profile of our population helps to commission appropriate preventative services and to promote quality improvement.
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.
Our data processor for Risk Stratification purposes is the Midlands & Lancashire Commissioning Support Unit Business Intelligence Team.
If you do not wish information about you to be included in our risk stratification programme, please contact the GP Practice. We can add a code to your records that will stop your information from being used for this purpose. Please see the section below regarding objections for using data for secondary uses.
National Clinical Audits
Type of Data |
Source of Data | GP Practice and other care providers
Legal Basis and Condition for processing special category of data under UK GDPR |
The GP practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data such as date of birth and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.
Research
Type of Data |
Source of Data | GP Practice
Legal Basis and Condition for processing special category of data under UK GDPR |
All NHS organisations (including Health & Social Care in Northern Ireland) are expected to participate and support health and care research. The Health Research Authority and government departments in Northern Ireland, Scotland and Wales set standards for NHS organisations to make sure they protect your privacy and comply with the law when they are involved in research. Our research ethics committees review research studies to make sure that the research uses of data about you are in the public interest, and meet ethical standards.
Health and care research may be exploring prevention, diagnosis or treatment of disease, which includes health and social factors in any disease area. Research may be sponsored by companies developing new medicines or medical devices, NHS organisations, universities or medical research charities. The research sponsor decides what information will be collected for the study and how it will be used.
Health and care research should serve the public interest, which means that research sponsors have to demonstrate that their research serves the interests of society as a whole. They do this by following the UK Policy Framework for Health and Social Care Research. They also have to have a legal basis for any use of personally-identifiable information.
How patient information may be used for research
When you agree to take part in a research study, the sponsor will collect the minimum personally-identifiable information needed for the purposes of the research project. Information about you will be used in the ways needed to conduct and analyse the research study. NHS organisations may keep a copy of the information collected about you. Depending on the needs of the study, the information that is passed to the research sponsor may include personal data that could identify you. You can find out more about the use of patient information for the study you are taking part in from the research team or the study sponsor. You can find out who the study sponsor is from the information you were given when you agreed to take part in the study.
For some research studies, you may be asked to provide information about your health to the research team, for example in a questionnaire. Sometimes information about you will be collected for research at the same time as for your clinical care, for example when a blood test is taken. In other cases, information may be copied from your health records. Information from your health records may be linked to information from other places such as central NHS records, or information about you collected by other organisations. You will be told about this when you agree to take part in the study.
Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research, unless there is support under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’), applied for via the Confidentiality Advisory Group in England and Wales or similar arrangements elsewhere in the UK.
Your choices about health and care research
If you are asked about taking part in research, usually someone in the care team looking after you will contact you. People in your care team may look at your health records to check whether you are suitable to take part in a research study, before asking you whether you are interested or sending you a letter on behalf of the researcher.
In some hospitals and GP practices, you may have the opportunity to sign up to a register to hear about suitable research studies that you could take part in. If you agree to this, then research nurses, researchers or administrative staff authorised by the organisation may look at your health records to see if you are suitable for any research studies.
It’s important for you to be aware that if you are taking part in research, or information about you is used for research, your rights to access, change or move information about you are limited. This is because researchers need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from a study, the sponsor will keep the information about you that it has already obtained. They may also keep information from research indefinitely.
If you would like to find out more about why and how patient data is used in research, please visit the Understanding Patient Data website.
In England you can register your choice to opt out via the “Your Data Matters” webpage.
If you do choose to opt out you can still agree to take part in any research study you want to, without affecting your ability to opt out of other research. You can also change your choice about opting out at any time.
To find out more about UK GDPR and using personal data for research, please visit the Health Research Authority website.
Complaints
Type of Data |
Source of Data | Data Subject, Primary Care, Secondary Care and Community Care
Legal Basis and Condition for processing special category of data under UK GDPR |
If you contact the GP Practice about a complaint, we require your explicit consent to process this complaint for you. You will be informed of how and with whom your data will be shared by us, including where you have a representative, or are acting as a representative, whom you wish the GP practice to deal with on your behalf.
Purposes requiring consent
There are also other areas of processing undertaken where consent is required from you. Under UK GDPR, consent must be freely given, specific and informed, and a record must be made that you have given your consent, confirming that you have understood.
Patient and Public Involvement
Type of Data | Personal Data – demographics
Source of Data | GP Practice
Legal Basis and Condition for processing special category of data under UK GDPR |
If you have asked us to keep you regularly informed and up to date about the work of the GP Practice or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us. We obtain your consent for this purpose. Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.
Using anonymous or coded information
This type of data may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance where the law allows this. Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.
National Data Opt-out (opting out of NHS Digital sharing your data)
This applies to identifiable patient data about your health (personal identifiable data in the diagram below), which is called confidential patient information. If you don’t want your confidential patient information to be shared by NHS Digital for purposes except your own care – either GP data, or other data we hold, such as hospital data – you can register a National Data Opt-out.
If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.
From 1 October 2021, the National Data Opt-out will also apply to any confidential patient information shared by your GP practice with other organisations for purposes except your individual care. It won’t apply to this data being shared by GP practices with NHS Digital, as it is a legal requirement for GP practices to share this data with NHS Digital and the National Data Opt-out does not apply where there is a legal requirement to share data.
You can find out more about and register a National Data Opt-out or change your choice on the NHS website or by calling 0300 3035678.
Whenever you use a health or care service, such as attending the practice, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
FIND OUT MORE OR REGISTER YOUR OPT OUT CHOICE
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used:
- Health and Care Research
- How and why patient information is used, the safeguards and how decisions are made
Opting out of NHS Digital collecting your data (Type 1 Opt-out)
If you do not want your identifiable patient data (personally identifiable data in the diagram above) to be shared outside of your GP practice for purposes except for your own care, you can register an opt-out with your GP practice. This is known as a Type 1 Opt-out.
Type 1 Opt-outs were introduced in 2013 for data sharing from GP practices, but may be discontinued in the future as a new opt-out has since been introduced to cover the broader health and care system, called the National Data Opt-out. If this happens people who have registered a Type 1 Opt-out will be informed. More about National Data Opt-outs is in the section Who we share patient data with.
NHS Digital will not collect any patient data for patients who have already registered a Type 1 Opt-out in line with current policy. If this changes patients who have registered a Type 1 Opt-out will be informed.
If you do not want your patient data shared with NHS Digital, you can register a Type 1 Opt-out with your GP practice. You can register a Type 1 Opt-out at any time. You can also change your mind at any time and withdraw a Type 1 Opt-out.
A start date for the Data sharing with NHS Digital will be announced.
If you wish to register a Type 1 Opt-out with your GP practice before data sharing starts with NHS Digital, this should be done by completing our secure online form as soon as possible to allow time for processing it. If you have previously registered a Type 1 Opt-out and you would like to withdraw this, you can also use the form to do this. You can also call 0300 3035678 for a form to be sent out to you.
If you register a Type 1 Opt-out after your patient data has already been shared with NHS Digital, no more of your data will be shared with NHS Digital. NHS Digital will however still hold the patient data which was shared with it before you registered the Type 1 Opt-out.
If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out. There is more about National Data Opt-outs and when they apply in the National Data Opt-out section below.
National Data Opt-out (opting out of NHS Digital sharing your data)
This applies to identifiable patient data about your health, which is called confidential patient information. If you don’t want your confidential patient information to be shared by NHS Digital for purposes except your own care – either GP data, or other data we hold, such as hospital data – you can register a National Data Opt-out.
If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.
From 31st March 2022, the National Data Opt-out will also apply to any confidential patient information shared by your GP practice with other organisations for purposes except your individual care. It won’t apply to this data being shared by GP practices with NHS Digital, as it is a legal requirement for GP practices to share this data with NHS Digital and the National Data Opt-out does not apply where there is a legal requirement to share data.
You can find out more about and register a National Data Opt-out or change your choice on the NHS website or by calling 0300 3035678.
How we protect your personal data
We will use the information in a manner that conforms to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The information you provide will be subject to rigorous measures and procedures to make sure it can’t be seen, accessed or disclosed to any inappropriate persons. We have an Information Governance Framework that explains the approach within the GP practice and our commitments and responsibilities to your privacy, and covers a range of information and technology security areas. Access to your personal confidential data is password protected on secure systems, and paper records are securely locked in a filing cabinet.
Our IT services provider, Mid Mersey Digital Alliance, regularly monitors our systems for potential vulnerabilities and attacks and works to ensure security is continually strengthened.
All our staff have received up-to-date data security and protection training. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so. We have incident reporting and management processes in place for reporting any data breaches or incidents. We learn from such events to help prevent further issues, and inform patients of breaches when required.
How long do we keep your personal data?
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was collected. For a GP practice, we comply with the Records Management NHS Code of Practice 2021 which states that we keep records for 10 years after date of death. Following this time, the records are securely destroyed if stored on paper, deleted on the electronic health record system or archived for research purposes where this applies.
Destruction
This will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:
- to ensure that information held in manual form is destroyed using a cross-cut shredder, or is contracted to a reputable confidential waste company, Shred-It, that complies with European Standard EN15713, and to obtain certificates of destruction
- to ensure that electronic storage media used to hold or process information are destroyed or overwritten to national standards
Who do we share your data with?
As stated above, where your data is being processed for direct care this will be shared with other care providers who are providing direct care to you such as:
- NHS Trusts / Foundation Trusts
- GPs
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Social Care Services
- Out of hours providers
- Walk in centres
- Clinics
We work with third parties and suppliers (data processors) to enable us to provide a service to you. These include:
- EMIS & Docman – to provide our electronic clinical systems
- Mid Mersey Digital Alliance – to provide our IT services
- INR Star – to monitor and treat our patients on anti-coagulants
- Outcomes4Health – to record Covid vaccination administration
- Accubx – to schedule and book Covid vaccinations
- Accurx – single text messaging service linked to EMIS
- Mjog – bulk text messaging service
- St Helens and Knowsley NHS Trust – to archive records
- Midlands & Lancashire Commissioning Support Unit Business Intelligence Team – for Risk Stratification purposes
- Shred-It – for record destruction
There may be occasions where these organisations have potential access to your personal data, for example, if they are fixing an IT fault on the system. To protect your data, we have contracts and / or Information Sharing Agreements in place stipulating the data protection compliance they must have, which reinforce their responsibilities as a data processor to ensure your data is securely protected at all times.
We will not disclose your information to any 3rd party without your consent unless:
- there are exceptional circumstances (life or death situations)
- where the law requires information to be passed on as stated above
- required for fraud management – we may share information about fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
- it is required to be disclosed to the police or other enforcement, regulatory or government body for the prevention and / or detection of crime
Where is your data processed?
Your data is processed within the GP surgery and by the other third parties stated above, who are UK based. Your personal data is not sent outside of the UK for processing. Where information sharing is required with a country outside of the EU you will be informed of this and we will have a relevant Information Sharing Agreement in place. We will not disclose any health information without an appropriate lawful principle, unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out statutory functions, e.g. reporting to external bodies to meet legal obligations.
What are your rights over your personal data?
You have the following rights over your data we hold:
Subject Access Rights
You can request access to and/or copies of personal data we hold about you, free of charge (subject to exemptions), which will be provided to you within 1 calendar month. We request that you provide us with adequate information in writing to process your request, such as full name, address, date of birth, NHS number and details of your request, together with documents to verify your identity, so we can process the request efficiently. On processing a request, there may be occasions when information may be withheld if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health. Information may also be withheld if another person (i.e. a third party) is identified in the record and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.
Submit a Subject Access Request
Right to rectification
The correction of personal data when incorrect, out of date or incomplete which must be acted upon within 1 calendar month of receipt of such request. Please ensure the GP practice has the correct contact details for you.
Request information to be corrected if it is inaccurate
Right to withdraw consent
Where your explicit consent is required for any processing we do, you have the right to withdraw that consent at any time.
Right to Erasure (‘be forgotten’)
This is not applicable to health records but is normally relied upon where consent is obtained for any processing. You have the right to have that data deleted / erased.
Right to Data Portability
If we obtain consent for any processing we do, you have the right to have the data provided to you in a commonly used and machine-readable format, such as an Excel spreadsheet or a CSV file.
Right to object to processing
You have the right to object to processing; however, please note that if we can demonstrate compelling legitimate grounds which outweigh your interests, then processing can continue. If we did not process any information about you and your health care, it would be very difficult for us to care for and treat you.
Right to restriction of processing
This right enables individuals to suspend the processing of personal information, for example, if you want to establish its accuracy or the reason for processing it.
Objections to processing for secondary purposes (other than direct care)
The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. The possible consequences (i.e. lack of joined up care, delay in treatment if information has to be sourced from elsewhere, medication complications which all lead to the possibility of difficulties in providing the best level of care and treatment) will be fully explained to you to allow you to make an informed decision.
If you wish to opt out of your data being processed and / or shared onwards with other organisations for purposes not related to your direct care, please contact the surgery by using our secure online form.
Complaints / Contacting the Regulator
If you feel that your data has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, please contact our Data Protection Officer / Practice Manager at the following contact details:
- Secure Online Form
- Fir Park Medical Centre, Lanark Gardens, Upton Rocks, Widnes, Cheshire, WA8 9DT
If you are not happy with our responses and wish to take your complaint to an independent body, you have the right to lodge a complaint with the Information Commissioner’s Office.
Safeguarding
What is safeguarding?
Safeguarding simply means keeping people safe from harm. It is about protecting children and adults from abuse or neglect. There are many different types of abuse.
Types of abuse that children can suffer include:
- physical abuse
- sexual abuse
- neglect
- emotional abuse
- domestic abuse
- bullying and cyberbullying
- child sexual exploitation
- child trafficking
- criminal exploitation and gangs
- female genital mutilation
- grooming
For more information on these types of abuse and how you can spot them, visit:
Types of abuse that adults can suffer include:
- physical abuse
- sexual abuse
- domestic abuse
- psychological or emotional abuse
- financial or material abuse
- modern slavery
- discriminatory abuse
- organisational or institutional abuse
- neglect
- self-neglect
For more information on these types of abuse, you can visit:
Who is responsible for safeguarding?
Safeguarding is everyone’s responsibility. Here at Fir Park Medical Centre, all staff members play a role in safeguarding. Safeguarding is not just something we choose to do, it is also something we are required by law to do.
At Fir Park Medical Centre, the Safeguarding Lead is Dr T Wellens and the Deputy Safeguarding Lead is Dr M Sendegeya.
How does Fir Park Medical Centre safeguard children and adults who are, or who might be, experiencing abuse or neglect?
Keeping children and adults safe from abuse and neglect cannot be done by one person or one agency. At the heart of any safeguarding process is the child or adult who may be suffering abuse. We work in partnership with our patients who are, or who are at risk of, experiencing abuse as well as their families and advocates as appropriate.
We work closely with our health colleagues such as health visitors, the school nursing team, midwives, paediatricians, mental health teams and other hospital colleagues. We also work with our partner agencies locally such as child and adult social care, education and the police to ensure any child or adult suffering abuse can be supported and protected and any concerns about abuse can be properly investigated.
To find out more about how agencies work together in Cheshire to keep children and adults safe visit:
Safeguarding Training
All staff at Fir Park Medical Centre have the appropriate levels of safeguarding training for their job role. Safeguarding training standards are set nationally for all healthcare professionals and we follow this national guidance. Safeguarding training is essential to ensure all staff are able to spot signs of abuse or neglect and take action. We work hard to make safeguarding a key priority for our practice and our patients.
What will happen if a GP or any member of staff at the practice is worried that a child or adult is being abused or neglected?
All staff in the practice have a duty and responsibility to speak up and say something if they are worried a child or adult might be being abused or neglected. If any staff member has concerns they will discuss this with the practice Safeguarding Lead or with one of the other GPs who will decide what needs to happen next.
If a doctor is concerned that a child or young person is at risk of abuse or neglect, they must take steps to make sure the child or young person is protected. It can be very upsetting and stressful for families when this happens and parents often have questions about what their doctor may or may not do.
The General Medical Council helps answer those questions
If a doctor is concerned that an adult is at risk of abuse or neglect, they will
- Ask the person if they require any immediate support to keep themselves safe
- Explain how safeguarding works
- Ask the person what they would like to happen
- Support the person in a way to give them choice and control to improve their quality of life, wellbeing, and safety.
To do this the doctor will:
- Listen to the person
- Understand their views and wishes
- Take them seriously
- Treat them with respect
- Support them to feel as safe as they want
- Support them to make their own decisions
- Keep them informed and involved
- Tell the person what will happen next.
Capacity
When making decisions about what action is necessary to safeguard an adult, healthcare professionals have to consider whether the person has capacity to understand their situation and make decisions about what should happen to them.
What is capacity?
- Capacity means the ability to use and understand information to make a decision, and communicate any decision made.
- A person lacks capacity if their mind is impaired or disturbed in some way, which means they’re unable to make a decision at that time.
All professionals have to follow The Mental Capacity Act which empowers and protects people who are not able to make their own decisions. This covers decisions about property and financial affairs, health, welfare and where they live.
Information Sharing
Sharing information with other relevant professionals is an important part of safeguarding. Sadly, reviews of cases where a child or adult has been killed or seriously harmed due to abuse or neglect have often found that professionals had not shared the right information with the right person at the right time to keep the child or adult safe.
All staff at the practice must comply with the law and national guidance when making decisions about information sharing. The General Medical Council (GMC) provide guidance for doctors making decisions about information sharing. The practice also follows the Caldicott Principles:
- Justify the purpose(s) for using confidential information
- Don’t use personal confidential data unless it is absolutely necessary
- Use the minimum necessary personal confidential data
- Access to personal confidential data should be on a strict need-to-know basis
- Everyone with access to personal confidential data should be aware of their responsibilities
- Comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality
As a general rule we will ask for the permission of the person (or the relevant parent/guardian, advocate or Power of Attorney) before sharing information for safeguarding purposes.
However, there are circumstances where we will need to share information even without the person’s permission (consent). Examples of these circumstances include:
- Other people are, or may be, at risk, including children
- Sharing the information could prevent a serious crime
- A serious crime has been committed
- Someone in a position of trust is implicated in causing abuse/neglect
- The risk of serious harm or death is very high in a domestic abuse situation
- A court order has requested the information
Again as a general rule, we will inform the person that we will need to share information about them in order to keep them or others safe from serious harm, as long as this does not increase risk of harm to the person or others.
Where can you get help if you are worried you or someone else is suffering abuse or neglect?
Remember:
- Abuse is always wrong
- No one should have to live with abuse
- By reporting abuse you can help bring it to an end
Worried about a child?
Where there are significant immediate concerns about the safety of a child, you should contact the police on 999.
If you are worried about any child and think they may be a victim of neglect or abuse, you can make a referral to:
- Children’s Social Care Contact Centre – Tel: 0151 907 8305 (Office Hours 9 am – 5 pm Mon – Thurs, 9 am – 4.30 pm Fri)
- Children’s Social Care Out of Hours – 0345 050 0148
- iCART (Integrated Contact and Referral Team) Referral Form
- NSPCC – Helpline: 0808 800 5000, email them or submit an online form via the NSPCC Website
Worried about an adult?
If you or the person you are concerned about is in danger and immediate action is required, you should ring the emergency services on 999.
If you or the person you are concerned about is not in immediate danger, you should ring:
- Adults Social Care – Tel: 0151 907 8306
- Adults Social Care Out of Hours – Tel: 0345 050 0148
You can also speak in confidence to any member of staff.
Teaching and Training
Medical Students
We are a teaching practice and students sometimes sit in with the doctors and nurses. If you prefer not to have a student sitting in, please let the doctor or receptionist know.
General Practitioner Registrars
GP Registrars are often attached to the practice and are fully qualified doctors gaining experience in general practice.
Videoing Consultations
As part of ongoing training, some doctors may on occasion video their consultations. Consent is always obtained from patients before their appointment is videoed. You of course have the opportunity to decline.
Zero Tolerance
The NHS operates a zero tolerance policy with regard to violence and abuse, and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons.
The staff understand that ill patients do not always act in a reasonable manner and will take this into consideration when trying to deal with a misunderstanding or complaint. However, violence in any context, including actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety, can lead to removal from the list; the fact of the removal and the circumstances leading to it will be recorded in the patient’s medical records.
In order to maintain good relations with its patients, the practice would like to ask all its patients to read and take note of the types of behaviour that would be found unacceptable:
- Using bad language or swearing at practice staff
- Any physical violence towards any member of the Primary Health Care Team or other patients, such as pushing or shoving
- Verbal abuse towards the staff in any form including verbally insulting the staff
- Racial abuse and sexual harassment will not be tolerated within this practice
- Persistent or unrealistic demands that cause stress to staff will not be accepted. Requests will be met wherever possible and explanations given when they cannot
- Causing damage/stealing from the Practice’s premises, staff or patients
- Obtaining drugs and/or medical services fraudulently
We ask you to treat your GPs and their staff courteously at all times.
Removal from the practice list
A good patient-doctor relationship, based on mutual respect and trust, is the cornerstone of good patient care. The removal of patients from our list is an exceptional and rare event and is a last resort in an impaired patient-practice relationship. When trust has broken down, it is in the patient’s best interest, just as much as that of the practice, that they should find a new practice. An exception to this is immediate removal on the grounds of violence, e.g. when the police are involved.