Privacy Notice

 

Your Data, Privacy & the Law

How We Use Your Medical Records

  • This practice handles medical records according to the laws on data protection and confidentiality
  • We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need-to-know basis and event by event.
  • Some of your data is automatically copied to the Shared Care Summary Record
  • We share some of your data with local out of hours / urgent or emergency care services
  • Data about you is used to manage national screening campaigns such as Flu, Cervical cytology and Diabetes prevention
  • Data about you, usually de-identified, is used to manage the NHS and make payments
  • We share information when the law requires us to do so, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people
  • Your data is used to check the quality of care provided by the NHS
  • We may also share medical records for medical research

See information on choosing if data from your health records is shared for research and planning

Detailed Privacy Notices

Care Quality Commission

The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.

More detail on how they ensure compliance with data protection law (including GDPR) and their privacy statement is available on the CQC website.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. To provide specific reporting functions on identified quality standards.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.

6) Rights to object

You have the right to object to some or all of the information being shared with NHS Digital. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

CFH Docmail

CFH Docmail Ltd is acting as a data processor. We provide them with names & addresses and a template letter (e.g. an invitation for flu vaccination), and CFH Docmail perform a mail merge and post the letter to those patients. The least amount of sensitive data is provided to CFH Docmail.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable Frome Medical Practice to send out letters to patients regarding their medical care. This is for direct care purposes.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

CFH Docmail Ltd acting as data processor.

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

CFH Docmail delete all personal/sensitive data provided to them under the agreement within 30 days.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Direct Care Emergencies

There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire and rescue service, so that you can receive the best treatment.

The law acknowledges this and provides supporting legal justifications.

Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future. These are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the first paragraph.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(d) "processing is necessary to protect the vital interests of the data subject or of another natural person"

and:

Article 9(2)(c) "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent"

Or alternatively:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres. This includes the Air Ambulance, South West Ambulance Service, Somerset Fire & Rescue Service, Somerset Police, Out of Hours Service (Devon Doctors), Accident & Emergency and Minor Injuries Units.

6) Rights to object

You have the right to object to some or all of the information being shared with the recipients. If you wish to do so please contact the practice.

You also have the right to have an "Advance Directive" placed in your records and brought to the attention of relevant healthcare workers or staff.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Direct Care

What data do we collect and receive about you?

Records are stored electronically and on paper and include personal details about you such as your address, carers, legal representatives, emergency contact details, as well as:

  • Any appointments, visits, emergency appointments
  • Notes and reports about your health
  • Details about your diagnosis, treatment and care
  • Details about any medication you are taking
  • Results of investigations such as laboratory tests, x-rays
  • Relevant information from health and care professionals, relatives or carers

We also receive information from other organisations that are caring for you that we hold in your record. This will include letters and test results.

All patients who receive NHS care are registered on a national database when they register for that care. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries. On average an NHS GP has between 1,500 and 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands-on personal care for each and every one of those patients in those circumstances. For this reason GPs share your care with others, mainly within the surgery but occasionally with outside organisations.

If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.

People who have access to your information will only normally have access to that which they need to fulfil their roles.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.

We may offer you a consultation via telephone or video conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would be with any other consultation, and any risks will be explained to you before the consultation begins.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Direct Care is care delivered to the individual alone, most of which is provided in the practice. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Health and care professionals and support staff in this practice and at hospitals, diagnostic and treatment centres who contribute to your personal care. This includes NHS 111, District Nurses, Health Visitors, Dieticians, Midwives, Paramedics, Pharmacies, Somerset ICB, Diabetic Retinopathy Screening Service, DESMOND, Home Oxygen service, Integrated care team, Somerset Integrated Digital Electronic Record (SIDeR), Your Health & Wellbeing Mendip, Open Exeter, Somerset Digital Diabetes Prevention Buddi & Oviva, Health Connections Mendip, NHS Trusts, Frome Community Hospital, Royal United Hospital, Shepton Mallet Treatment Centre, Circle Bath, Bath Clinic, Royal National Hospital for Rheumatic Diseases, EMIS Health, CQRS, Somerset County Council, AccuRx, CFH Docmail, Child Health Information Services (CHIS), Social Services, Citizens Advice Bureau, Apollo Medical (Eclipse), Formstack, Treeview Designs, University of Bath, Dorothy House Hospice, My MHealth, BOC Healthcare, Interface Clinical Services, Pinnacle, NHS South Central & West CSU, Klinik Healthcare UK, Surgery Connect, Engage Health, Belmont Villa Care Home, Catherine House Care Home, Critchill Court Residential Home, Frome Nursing Home, Gracewell of Frome, Greenhill Grange Residential Home, Rowden House Care Home, Healthy.Io, Thrive Tribe, Momenta, Cinapsis, Medical Examiners Office and Amazon Web Services and other third sector organisations supporting your direct care.

6) Rights to object

You have the right to object to some or all of the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection; that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Disclosures to the Police

The police may request information in relation to ongoing enquiries. All requests are reviewed and only appropriate information will be shared under legislation.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

As with any disclosures to the police, there must be:

  • A legal duty to disclose, or
  • A sufficiently important reason to disclose AND a legal basis for doing so.

This includes:

  • The Prevention of Terrorism Act (1989) and Terrorism Act (2000)
  • The Road Traffic Act (1988)
  • The Female Genital Mutilation Act (2003)

4) Lawful basis for processing

To enable the police to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject"

and:

Article 9(2)(g) "Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards"

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Police (or other judicial authorities)

6) Rights to object

Not applicable

7) Right to access and correct

Not applicable

8) Retention period

Data retained in line with Police policies.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Driver & Vehicle Licensing Agency (DVLA)

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Applicants & licence holders have a legal duty to notify the DVLA of any injury or illness that would have a likely impact on driving ability.

GPs are obliged to notify the DVLA when fitness to drive requires notification but an individual cannot or will not notify the DVLA themselves, and if there is concern for road safety, which would be for both the individual and the wider public.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(d) "processing is necessary to protect the vital interests of the data subject or of another natural person"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Driver & Vehicle Licensing Agency (DVLA).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with DVLA policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Email Messages

Patients are free to provide Frome Medical Practice with their email address.

At any time you can ask us to remove your email address from your GP record. We will honour any such objection.

All email messages are for direct medical care purposes only, which may include repeat prescription requests, sending appointment reminders or cancellations or to send information about our services.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable staff at Frome Medical Practice to communicate with patients via email. This is for direct care purposes.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data subject (you).

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Not applicable.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Employees

As employers we need to keep certain information so that we can remain your employer and manage payments. This is a combination of personal and financial information. We are required by law to hold certain types of data on those we employ under the Health and Social Care Act and this data is examined during CQC inspection visits. For more information about the CQC see: http://www.cqc.org.uk/

The type of information we keep incorporates, but is not limited to:

  • Personal details, including Name, address, contact details
  • Recruitment and employment checks
  • Financial (bank and salary)
  • Trade union membership
  • Personal Demographics
  • Relevant medical information
  • Professional registration
  • Employee relations (disciplinary, grievances, complaints, etc)
  • Criminal Record Checks (dependent on employee position)

We are also required by HMRC and various taxation laws, such as "The Income Tax (Pay As You Earn) Regulations 2003" to keep financial records. Employee health data may also be shared with Occupational Health.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To comply with the Health and Social Care Act and taxation law.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "…necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 6(1)(b) "necessary for a contract with the individual, or because they have asked to take specific steps before entering into a contract."

and;

Article 9(2)(b) "...processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;"

and;

Article 9(2)(h) "…necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time. Financial data will also be shared with HMRC and Fairway Training, for payroll purposes. Employee health data will be shared with Occupational Health, when required.

6) Rights to object

You have the right to object to some or all of the information being shared with CQC. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of law. There is no right to have UK taxation related data deleted except after certain statutory periods.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies, taxation and employment law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Friends and Family Test

The Friends and Family Test helps us to understand what you think of our services by asking you to answer some questions about how likely you would be to recommend our service to your friends and family. Providing feedback is completely voluntary and will not affect the level of care we provide to you. The information we collect from you is used and shared in a way which does not tell us who you are. In addition to the questions you will be asked as part of the Friends and Family Test, you will also be able to provide us with additional comments in free text fields.

Collecting this feedback gives us the opportunity to see what our patients are saying about our services and helps us to understand what we are doing well and where we need to improve our services.

You can give us feedback by using one of our Friends and Family feedback forms or via our website.

We will not be able to tell who you are from the feedback you give to us, unless you want us to contact you to discuss it, in which case you would need to provide us with your name and contact details.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Collecting this feedback gives us the opportunity to see what our patients are saying about our services and helps us to understand what we are doing well and where we need to improve our services.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital via the Calculating Quality Reporting Service (CQRS)

6) Rights to object

You have the right to object to some or all of the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection; that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

You have the right to complain to the Information Commissioner's Office

General Medical Council (GMC)

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Under the Medical Act 1983, the GMC has the power to request access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practise.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The General Medical Council (GMC).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with GMC policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Health Service Ombudsman (HSO)

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The HSO has the power to request access to a patient’s medical records for the purposes of an investigation based on the Health Service Commissioners Act 1993, s12

4) Lawful basis for processing

To enable the HSO to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Health Service Ombudsman (HSO).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with HSO policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Job Applicants

As part of any recruitment process, the organisation collects and processes personal data relating to job applicants. The practice is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

The practice collects a range of information about you. This includes:

your name, address and contact details, including email address and telephone number;

details of your qualifications, skills, experience and employment history;

information about your current level of remuneration, including benefit entitlements;

whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;

information about your entitlement to work in the UK; and

equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.

The practice collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment. The practice will also collect personal data about you from third parties, such as references supplied by former employers and where applicable information from criminal records checks. The organisation will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems

The practice takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, the organisation may not be able to process your application properly or at all. You are also under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Some of the organisation's recruitment processes are based solely on automated decision-making, for example whether or not you are eligible to work in the UK.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The practice needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

In some cases, the practice needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

The practice has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the practice to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The practice may also need to process data from job applicants to respond to and defend against legal claims.

The organisation processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

The organisation will not use your data for any purpose other than the recruitment exercise for which you have applied.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

Article 6(b) Contract

and…

Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

5) Recipient or categories of recipients of the processed data

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, the Digital, Data and Technology team if access to the data is necessary for the performance of their roles, and interviewers involved in the recruitment process.

The practice will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The organisation will then share your data with former employers to obtain references for you, and where applicable the Disclosure and Barring Service to obtain necessary criminal records checks.

The organisation will not transfer your data outside the European Economic Area.

6) Rights to object

You have the right to delete or stop processing your data. If you wish to do so please contact the practice. 

7) Right to access and correct

You have the right to access a copy of your data and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of law. There is no right to have UK taxation related data deleted except after certain statutory periods.

8) Retention period

If your application for employment is unsuccessful, the organisation will hold your data on file for 6 months after the end of the relevant recruitment process. At the end of that period or once you withdraw your consent, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

National Data Opt Out

How the NHS and care services use your information

Frome Medical Practice is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit Your NHS Data Matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in this way with your specific agreement.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) "…necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "…necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital according to directions

6) Rights to object

You have the right to object to some or all of the information being shared with NHS Digital. If you wish to opt out please visit Your NHS Data Matters

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at Population screening programmes

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The NHS provides several national health screening programmes to detect diseases or conditions earlier, such as cervical and breast cancer, aortic aneurysm and diabetes. More information can be found at Population screening programmes. The information is shared so as to ensure only those who should be called for screening are called and/or those at highest risk are prioritised.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(e) "necessary… in the exercise of official authority vested in the controller"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Avon and Somerset Breast Screening, Somerset Diabetic Eye Screening, Somerset Bowel Cancer Screening, Somerset and North Devon Abdominal Aortic Aneurysm (AAA) Screening, Public Health Services (England).

6) Rights to object

You have the right to object to this processing of your data and to some or all of the information being shared with the recipients. For national screening programmes: you can opt to no longer receive an invitation to a screening programme.

Visit Opting out of the NHS population screening programmes

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

GP medical records will be kept in line with the law and national guidance.

Information on how long records can be kept can be found at: Records management code of practice

9) Right to complain

You have the right to complain to the Information Commissioner's Office

NHS Counter Fraud

The use of data by the Cabinet Office for data matching is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information see Code of Data Matching Practice for the National Fraud Initiative

NFI activities vary each year, so data would only be disclosed if required by the focus of their activities

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Under the NHS Act 2006, investigations into fraud in the NHS may require access to confidential patient information.

4) Lawful basis for processing

To enable the Cabinet Office and NHS Counter Fraud Authority to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

NHS Counter Fraud Authorities, Cabinet Office.

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with NHS Counter Fraud policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

NHS Digital

NHS Digital is the secure haven for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes. Examples include: A/E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc. and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data, CVD PREVENT audit and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called "Directions". More information on the directions placed on GPs can be found at NHS Digital - NHS England Directions and NHS Data Sharing. See the NHS Digital transparency notice.

This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy notice link

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. To provide specific reporting functions on identified quality standards.

4) Lawful basis for processing

To enable the HCO to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital according to directions

6) Rights to object

You have the right to object to some or all of the information being shared with NHS Digital. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Other Third Parties

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

This covers information provided to third party organisations such as solicitors (e.g. personal injury claims), insurance companies (e.g. life assurance), employers etc.

The explicit consent of patients must be obtained and demonstrable before the release of any such information.

4) Lawful basis for processing

To enable the Frome Medical Practice employees to provide information to other third parties, the following Article 6 and 9 conditions apply:

6(1)(a) – Consent of the data subject

and;

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The requesting third party organisation.

6) Rights to object

You do not have to consent to your data being shared with a third party. If you have consented to your data being shared with a third party you can change your mind and withdraw your consent at any time. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Data is retained in line with the third party organisation’s policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Pandemics

The health and social care system will take action to manage and mitigate the spread and impact of any pandemic outbreak. Action to be taken will require the processing and sharing of confidential patient information amongst health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the pandemic outbreak and incidents of exposure.

Any notices of pandemic will be posted on the GOV.UK website  

Supplementary privacy notices may be issued on our website for specific pandemics as they occur.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The purpose of this Notice is to require organisations to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to the pandemic. "Processing" for these purposes is defined in Regulation 3(2) and includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of COPI.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and;

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.

“Common Law Duty of Confidentiality”: common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) requires organisations to process confidential patient information in the manner set out in Regulation 3(1) of COPI.

5) Recipient or categories of recipients of the processed data

Health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the pandemic outbreak and incidents of exposure.

The data subject (you)

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected.

8) Retention period

This will be in line with the guidance from the GOV.UK website

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Supplementary Privacy Notice - Covid-19

Your data during the COVID-19 outbreak

This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our Privacy Notice for Pandemics.

Why your information can help us manage COVID-19

The health and social care system is facing significant pressures due to COVID-19. Health and care information is essential to deliver care to individuals, to support health and social care services and protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. Existing law that allows patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS England and other organisations, such as the UK Health Security Agency (UKHSA), local authorities, health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during COVID-19 will be limited to the period of the outbreak unless there is another legal basis to use the data.

Opt outs

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111.  We may also use the details we have to send public health messages to you, either by phone, text or email. 

Telephone and video consultations

During this period we may offer you a consultation via telephone or video conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/ confidential patient information will be safeguarded in the same way it would with any other consultation and any risks explained to you before the consultation begins.

Sharing your information

We will also be required to share certain personal/ confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. 

NHS England have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England and the UKHSA. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Patient Online Access

Activation of patient online access for any given patient is only performed with the consent of the patient (or their parent/guardian or representative).

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable patients to securely access their GP record online via the NHS App, and to access health care features such as booking appointments, requesting repeat medication and viewing their medical information.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(a) – Consent of the data subject

and;

Article 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data subject (you);

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Not applicable.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Payments

Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. The amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive income relating to a variety of non-patient related elements such as premises. Finally, there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.

In order to make patient-based payments, basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws:

NHS England’s powers to commission health services under the Health and Care Act 2022 or to delegate such powers to ICBs

For more information about payments please see GP Payments and NHS Payments to GP Practice.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable the practice to receive payments.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

5) Recipient or categories of recipients of the processed data

The data will be shared with health and care professionals and support staff in this practice, NHS England, Somerset ICB (Integrated Care Board), UK Health Security Agency (formerly Public Health England), and at hospitals, diagnostic and treatment centres, who contribute to your personal care.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Research

This practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process and will be in line with the principles of Article 89(1) of General Data Protection Regulation (GDPR)

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement. If section 251 is appropriate the National Data Opt Out applies. Please see our Privacy Notice for National Data Opt Out. We may also use your medical records to carry out research within the practice.

Under Section 251 we share information with the following medical research organisations and you can opt out of this via the National Data Opt Out:

  • Clinical Practice Research Datalink (CPRD)
  • University of Bath

We also share information with the following medical research organisations:

  • QResearch

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.

For QResearch, patients who do not wish their data to be included in the upload are able to opt out by informing the practice, who will add SNOMED CT code (1898191000006104) to their record, which will cancel any future data collection.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Medical research.

4) Lawful basis for processing

Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are:

Article 6(1)(e) may apply "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

and in addition there are three possible Article 9 justifications:

Article 9(2)(a) – "the data subject has given explicit consent…"

or;

Article 9(2)(j) – "processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject".

or;

Article 9(2)(h) – "processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services..."

Under Section 251 please see the lawful basis for processing or sharing on the Privacy Notice for the National Data Opt Out.

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Clinical Practice Research Datalink (CPRD), University of Bath and QResearch.

6) Rights to object

You do not have to consent to your data being used for research. If you have consented to your data being used in research you can change your mind and withdraw your consent at any time. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

The data will be retained for the period as specified in the specific research protocol(s).

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Risk Stratification

The records we keep enable us to plan for your care

‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

Information about you is collected from a number of sources including NHS Trusts and your GP Practice. A risk score is then arrived at to help us identify and offer you additional services to improve your health.

In addition data with your identity removed is used to inform the development and delivery of services across the local area.

Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013), and this approval has been extended to the end of September 2022 (see NHS England Risk Stratification). This gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes, which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease.

You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as "health analytics".

Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The practice performs searches of some or all patient records to identify individuals who may be at increased risk of certain conditions or diagnoses, for example, diabetes, heart disease, risk of falling. Your records may be amongst those searched. This is often called "risk stratification" or "case finding". These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialists, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(e); "necessary… in the exercise of official authority vested in the controller"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality": common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared for processing and for subsequent healthcare with Somerset ICB, NHS Foundation Trusts, NHS England, Interface Clinical Services, NHS South Central & West CSU.

6) Rights to object

You have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances. If you wish to object please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Safeguarding

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.

There are three laws that allow us to do this without relying on the agreement of the individual or their representative (unconsented processing). These are:

and;

In addition, there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being section 17 of the Children Act 1989.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The purpose of the processing is to protect the child or vulnerable adult.

4) Lawful basis for processing

The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:

For consented processing;

6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

For unconsented processing;

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject

and;

9(2)(b) "...is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of ...social protection law in so far as it is authorised by Union or Member State law.."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Somerset Social Services, Get Set, Somerset NHS Foundation Trust – Mental Health, School Nurses, Health Visitors

6) Rights to object

This sharing is a legal and professional requirement and therefore there is no right to object.

There is also GMC guidance

7) Right to access and correct

You, or your legal representative, have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

SMS Text Messages

Patients are free to provide Frome Medical Practice with their mobile telephone number and consent will be recorded to allow our staff to use SMS if needed, or if preferred by the patient.

SMS messages are automatically generated to remind patients of forthcoming appointments that they have booked.

All SMS text messages are for direct medical care purposes only.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

SMS messages are automatically generated to remind patients of forthcoming practice appointments that they have booked and for direct medical care purposes.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data subject (you).

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Not applicable.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Summary Care Record

The Summary Care Record is an NHS England initiative. It consists of a basic medical record held on a central government database on every patient registered with a GP Practice in England.

The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload. The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, and the name, address, date of birth and NHS number of the patient.

As well as this basic record additional information can be added, and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent.

Summary Care Records can only be viewed within the NHS on NHS smartcard controlled screens or by organisations, such as pharmacies, contracted to the NHS.

You can find out more about the SCR here

You have the right to object to our sharing your data in these circumstances and you can ask your GP to block uploads.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

During a pandemic information about vaccines may be available for clinicians to see in a clinical setting if necessary. This information is available through an NHS system called the Summary Care Record application (SCRa).

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Upload of basic and detailed additional SCR data.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) "necessary for the performance of a task carried out in the public interest or in the exercise of official authority."

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

and;

Article 9(2)(b) "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject."

and;

Article 9(2)(i) "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital and health and social care organisations who contribute to your personal care.

6) Rights to object

You have the right to object to some or all of the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Surveys

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

This covers information provided to Frome Medical Practice via surveys created by Frome Medical Practice. This includes online and paper based surveys for patients and/or staff members.

By completing the survey the person is giving consent to process their information.

4) Lawful basis for processing

To enable the Frome Medical Practice to process survey information the following Article 6 and 9 conditions apply:

6(1)(a) – Consent of the data subject

and:

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

Frome Medical Practice will be the sole processor of person identifiable information. The findings of the survey may be shared with other third parties but all shared data will be anonymised.

6) Rights to object

By completing the survey you are giving consent to process and share your anonymised data. If you have consented to your personal data being processed you can change your mind and withdraw your consent at any time. 

7) Right to access and correct

You have the right to access any of your identifiable data that is being processed and have any inaccuracies corrected.

8) Retention period

Some data may be added to the patient medical record and this will be retained in line with the law and national guidance.

All other electronic survey or form data is retained for a period of up to 7 years after which the data will be securely destroyed. Any paper records are destroyed as soon as they have been recorded electronically. 

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Telephony

This privacy notice explains our telephony system. When calls come into the practice there will be a message to explain that all telephone calls are recorded for training and monitoring purposes.

Calls going out of the practice will also be recorded for the same reason, and this information can be found in this privacy notice, displayed on our website and in the practice. We are not legally required to obtain your consent; however, you do have the right to end the call if you do not wish for the call to be recorded.

All calls will be stored securely on the telephony system.

When a call is recorded we collect:

  • a digital recording of the telephone conversation
  • the telephone number of both parties
  • personal data revealed during a telephone call, for example name and contact details, which will be digitally recorded to deliver appropriate services
  • occasionally, 'special category' personal information, which may be recorded where a customer requests advice and/or services.
  • telephone call recording will be turned off when a customer's credit or debit card details are given, in line with the Payment Card Industry Data Security Standard (PCI DSS) and data protection legislation, including the General Data Protection Regulations ('GDPR').

People will only have access to data necessary to fulfil their roles.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable a safe two-way communication between patients, or other individuals or services, and the practice.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in the practice and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and;

Article 6(1)(b) ‘…necessary for a contract with the individual, or because they have asked to take specific steps before entering into a contract.’

and;

Article 9(2)(h) ‘…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

and;

Article 9(2)(b) ‘…carrying out of obligations under employment, social security or social protection law, or a collective agreement’

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

Data is accessible by the Practice as the Data Controller for this information. Information may be accessed remotely by the supplier for support purposes. Recordings are available for the Practice. Patients, individuals, and services may request access to their recordings.

6) Rights to object

You have the right to object to some or all of the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The recording data will be retained for 36 months on the telephony system before deletion.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The Courts

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable healthcare professionals working at Frome Medical Practice to provide all necessary information about individuals to the courts when instructed (Court Order).

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(c) "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent"

Or alternatively:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The courts.

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with judiciary policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

UK Health Security Agency (UKHSA)

UKHSA encompasses everything from national smoking and alcohol policies, the management of pandemics or epidemics such as flu, and the control of large-scale infections such as TB and Hepatitis B, to local outbreaks of food poisoning or Measles. Certain illnesses, for instance Scarlet Fever, are also notifiable; the doctors treating the patient are required by law to inform UKHSA.

This will necessarily mean the subject's personal and health information being shared with UKHSA.

Some of the relevant legislation includes:

  • the Health Protection (Notification) Regulations 2010 (SI 2010/659)
  • the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657)
  • the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658)
  • Public Health (Control of Disease) Act 1984
  • Public Health (Infectious Diseases) Regulations 1988
  • The Health Service (Control of Patient Information) Regulations 2002

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

There are occasions when medical data needs to be shared with UKHSA, or their equivalents in the devolved nations, either under a legal obligation or for reasons of public interest.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(i) "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,.."

5) Recipient or categories of recipients of the processed data

The data will be shared with UK Health Security Agency

6) Right to object

You have the right to object to some or all of the information being shared with the recipients. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained for active use during the period of the public interest and according to legal requirements and UKHSA’s criteria on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Data Privacy Impact Assessments (DPIA)

The core principles of Data Privacy Impact Assessment (DPIA) are applied to any project which involves the use of personal data, or to any other activity which could have an impact on the privacy of individuals.

We will carry out a DPIA where processing is likely to result in high risk to the rights and freedoms of individuals, in particular:

  • Automated processing
  • Large scale processing of special categories data – which includes health and genetic data
  • Systematic monitoring of a public area on a large scale