Privacy Notice

The Care Quality Commission (CQC) is the independent regulator of health and adult social care services in England. It was set up by law to make sure that care is safe, effective, and meets high standards.

CQC checks all GP practices in England. These checks are called inspections. They look at how care is provided and whether it meets national standards. Inspections happen regularly, but not always on a fixed schedule. They may happen more often if there are concerns about safety or quality.

CQC has legal powers to look at personal and medical records when needed to carry out its work. This includes checking how services are run, investigating serious incidents, and making sure care is safe. GP practices must also tell CQC about certain events, such as serious injuries or safeguarding concerns.

CQC follows data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act. It has strict rules to make sure your information is kept safe, secure, and used properly.

You can read more about how CQC uses personal information in its privacy statement - https://www.cqc.org.uk/about-us/our-policies/privacy-statement

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. To provide specific reporting functions on identified quality standards.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.

6) Rights to object

You have the right to object to some or all of the information being shared with NHS Digital. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

CFH Docmail Ltd is acting as a data processor. We provide them with names & addresses and a template letter (e.g. an invitation for flu vaccination), and CFH Docmail perform a mail merge and post the letter to those patients. The least amount of sensitive data is provided to CFH Docmail.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable Frome Medical Practice to send out letters to patients regarding their medical care. This is for direct care purposes.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

CFH Docmail Ltd acting as data processor.

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

CFH Docmail delete all personal/sensitive data provided to them under the agreement within 30 days.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

As part of benefit claim assessments, the Department for Work and Pensions (DWP) may request medical information from your GP practice. This information helps DWP determine eligibility for benefits such as Universal Credit, Personal Independence Payment (PIP), and Employment and Support Allowance (ESA).

1) Data Controller contact details    

Frome Medical Practice, Frome Medical Centre, Enos Way, Frome, Somerset, BA11 2FH

Telephone: 01373 301301

2) Data Protection Officer contact details    

Kevin Caldwell
GP Data Protection Officer
Somerset ICB
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR

Telephone: 01935 384000
Email: somicb.GPDPO@nhs.net

3) Purpose of the processing    

To enable Department of Work & Pensions to process benefit claims.

The information shared may include:

• Diagnoses and clinical history
• Functional difficulties (e.g., mobility, communication)
• Treatment plans and medication
• Ability to travel to assessments
• Any relevant information from your medical records

4) Lawful basis for processing    

The following Article 6 and 9 conditions apply: 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
• Article 9(2)(b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Domestic Law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.”  

Common law duty of confidentiality: Satisfied by DWP’s assurance of your explicit consent

5) Recipient or categories of recipients of the shared data    

Department for Work and Pensions (DWP) acting as data processor

6) Rights to object     

You have the right to object. If you wish to do so, please contact the practice.

7) Right to access and correct  

DWP’s medical reports are exempt from the provisions of the Access to Medical Reports Act 1998 because the reports are not for employment or insurance purposes. This means the person cannot request access to it before it is sent to the DWP.

If a person wishes to see the report, they should request it from DWP through the Subject Access Request process. The practice will not keep a copy of the report that is sent to the DWP.

8) Retention period   

Data retained in line with DWP policies  

9)  Right to Complain

You have the right to complain to the Information Commissioner’s Office, you can use this link or calling their helpline 0303 123 1113 (local rate) or 01625 545 745 (national rate) 

Sharing information in an emergency

Sometimes we need to act quickly to protect someone’s life or prevent serious harm. This might happen if a person collapses, has a diabetic coma, or is badly injured. In these situations, the person may be unconscious or too unwell to speak. When this happens, we have a duty to do everything we can to help. This may include sharing your health information with emergency services like paramedics, hospital staff, the police, or fire and rescue teams. We only share what is needed to make sure you get the right care. The law supports this. It allows us to share information without asking for consent if it is needed to protect someone’s life or prevent serious harm.

Advance decisions (sometimes called living wills) 

You can make decisions in advance about the care you want to receive if you become seriously ill in the future. These are called advance decisions to refuse treatment. If you have made one and it is recorded in your medical notes, we will follow it even in an emergency unless there is a very strong reason not to..

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(d) "processing is necessary to protect the vital interests of the data subject or of another natural person"

and:

Article 9(2)(c) "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent"

Or alternatively:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres. This includes the Dorset and Somerset Air Ambulance, South West Ambulance Service Foundation Trust, Devon and Somerset Fire & Rescue Service, Avon and Somerset Police, Out of Hours Service (Devon Doctors), Accident & Emergency and Urgent Care Centres.

6) Rights to object

You have the right to object to some or all of the information being shared with the recipients. If you wish to do so please contact the practice.

You also have the right to have an "Advance Directive" placed in your records and brought to the attention of relevant healthcare workers or staff.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

How we use your information for your care

We keep records about your health and care to help us provide safe and effective treatment. These records may be stored electronically or on paper and include personal details like your name, address, emergency contacts, carers, and legal representatives. They also include:

• Appointments and visits, including emergencies
• Notes and reports about your health
• Details about your diagnosis, treatment and care
• Medicines you are taking
• Results of tests, such as blood tests or x-rays
• Information from other health and care professionals, relatives or carers

We also receive letters, test results and other updates from organisations involved in your care. These are added to your record so we have a full picture of your health.

Your NHS Record

When you register for NHS care, your details are added to a national database. This is managed by NHS England, which has legal responsibilities to collect and protect NHS data.

Who is involved in your care

Your GP is responsible for your overall care, but they work with a team. It is not possible for one GP to personally deliver care to every patient, so tasks are shared with other trained professionals in the practice and sometimes with trusted organisations outside the practice. If you need care from another NHS service, we will share the information they need to treat you. When you use NHS services outside the practice, they usually send us a summary of your care, which we add to your record. We may also receive reports from non-NHS services, but this is less consistent.

Sharing your information

We share your information with others involved in your care when it is necessary. This is called implied consent, and it is supported by UK law. People who access your information will only see what they need to do their job. You have the right to object to this sharing, but we may still share information if it is in your best interests or required by law.

Remote consultations

We may offer you a consultation by phone or video. By joining the call, you are agreeing to this type of consultation. Your information will be protected in the same way as in a face-to-face appointment, and any risks will be explained to you beforehand.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Direct Care is care delivered to the individual alone, most of which is provided in the practice. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Health and care professionals and support staff in this practice and at hospitals, diagnostic and treatment centres who contribute to your personal care. This includes:

• AccuRx
• Amazon Web Services
• Apollo Medical (Eclipse)
• Bath Clinic
• Bering (Brave AI)
• Belmont Villa Care Home
• BOC Healthcare
• Catherine House Care Home
• CFH Docmail
• Child Health Information Services (CHIS)
• Cinapsis
• Citizens Advice Bureau
• CQRS
• Critchill Court Residential Home
• DESMOND
• Diabetic Retinopathy Screening Service
• Dieticians
• District Nurses
• Dorothy House Hospice
• EMIS Health
• Engage Health
• Formstack
• Frome Community Hospital
• Frome Nursing Home
• Greenhill Grange Residential Home
• Health Connections Mendip
• Health Visitors
• Healthy.Io
• Home Oxygen service
• InHealth
• Integrated care team
• Klinik Healthcare UK
• Medical Examiners Office
• Midwives
• Momenta
• NHS 111
• NHS Foundation Trusts
• NHS South, Central and West Commisioning Support Unit (SCWCSU)
• Open Exeter
• Paramedics
• Pharmacies
• Pinnacle
• Rossetti House
• Rowden House Care Home
• Royal National Hospital for Rheumatic Diseases
• Royal United Hospital, Bath
• Shepton Mallet Treatment Centre
• Social Services
• Somerset County Council
• Somerset ICB
• Somerset Integrated Digital Electronic Record (SIDeR)
• Sulis Hospital Bath
• Surgery Connect (X-on)
• Treeview Designs
• University of Bath
• Your Health and Wellbeing Mendip

and other third sector organisations supporting your direct care.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Sharing information with the police

Sometimes the police ask us for information to help with an investigation. These requests are taken seriously and are always reviewed carefully.

We will only share information if:

• the law says we must, for example after a road traffic accident
• the police give a strong reason, such as preventing or investigating a serious crime
• it is necessary to protect someone from serious harm

We will only share the minimum amount of information needed, and only with authorised officers. We may not always be able to tell you about the request if doing so would put someone at risk.

Each request is looked at on a case-by-case basis. We follow data protection laws and national guidance to make sure your information is handled safely and lawfully.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

As with any disclosures to the police, there must be:

• A legal duty to disclose, or
• A sufficiently important reason to disclose AND a legal basis for doing so.

This includes:

• The Prevention of Terrorism Act (1989) and Terrorism Act (2000)
• The Road Traffic Act (1988)
• The Female Genital Mutilation Act (2003)

4) Lawful basis for processing

To enable the police to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject"

and:

Article 9(2)(g) "Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards"

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Police (or other judicial authorities)

6) Rights to object

Not applicable

7) Right to access and correct

Not applicable

8) Retention period

Data retained in line with Police policies.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Applicants & license holders have a legal duty to notify the DVLA of any injury or illness that would have a likely impact on driving ability.

GPs are obliged to notify the DVLA when fitness to drive requires notification but an individual cannot or will not notify the DVLA themselves, and if there is concern for road safety, which would be for both the individual and the wider public.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(d) "processing is necessary to protect the vital interests of the data subject or of another natural person"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Driver & Vehicle Licensing Agency (DVLA).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with DVLA policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Using your email address

You can choose to give us your email address. This helps us contact you quickly and easily. We may use your email to:

• send appointment reminders or cancellations
• respond to repeat prescription requests
• share information about our services
• support your direct care

We will only use your email for things related to your care.

We do not use it for marketing or share it with others without your permission.

You can ask us to remove your email address from your record at any time. We will respect your choice and stop using it.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable staff at Frome Medical Practice to communicate with patients via email. This is for direct care purposes.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data subject (you).

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Not applicable.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

As employers we need to keep certain information so that we can remain your employer and manage payments. This is a combination of personal and financial information. We are required by law to hold certain types of data on those we employ under the Health and Social Care Act and this data is examined during CQC inspection visits. For more information about the CQC see: http://www.cqc.org.uk/

The type of information we keep incorporates, but is not limited to:

• Personal details, including Name, address, contact details
• Recruitment and employment checks
• Financial (bank and salary)
• Trade union membership
• Personal Demographics
• Relevant medical information
• Professional registration
• Employee relations (disciplinary, grievances, complaints, etc)
• Criminal Record Checks (dependent on employee position)

We are also required by HMRC and various taxation laws, such as "The Income Tax (Pay As You Earn) Regulations 2003" to keep financial records. Employee health data may also be shared with Occupational Health.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To comply with the Health and Social Care Act and taxation law.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) "…necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 6(1)(b) "necessary for a contract with the individual, or because they have asked to take specific steps before entering into a contract."

and;

Article 9(2)(b) "...processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;"

and;

Article 9(2)(h) "…necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time. Financial data will also be shared with HMRC and Fairway Training, for payroll purposes. Employee health data will be shared with Occupational Health, when required.

6) Rights to object

You have the right to object to some or all of the information being shared with CQC. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law. There is no right to have UK taxation related data deleted except after certain statutory periods.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies, taxation and employment law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The Friends and Family Test helps us understand what you think about our services. We ask how likely you are to recommend our care to your friends and family.

Giving feedback is completely voluntary. It will not affect the care you receive.

You can give feedback by:

• filling in a Friends and Family Test form
• using the feedback section on our website

You can also add comments in your own words. This helps us understand what we are doing well and where we can improve.

We do not ask for your name, and we will not be able to tell who you are from your answers unless you choose to give us your contact details. If you do, we may get in touch to talk about your feedback.

Your answers are used in a way that protects your identity. We follow data protection laws to keep your information safe.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Collecting this feedback gives us the opportunity to see what our patients are saying about our services and helps us to understand what we are doing well and where we need to improve our services.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere  is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital via the Calculating Quality Reporting Service (CQRS)

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance 

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Under the Medical Act 1983, the GMC has the power to request access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practice.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The General Medical Council (GMC).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with GMC policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The HSO has the power to request access to a patient’s medical records for the purposes of an investigation based on the Health Service Commissioners Act 1993, s12

4) Lawful basis for processing

To enable the HSO to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Health Service Ombudsman (HSO).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with HSO policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

As part of the compensation process for individuals affected by infected blood, GP practices may be required to share relevant medical information with the Infected Blood Compensation Authority. This is to support claims and ensure accurate assessment of eligibility and compensation.

1) Data Controller contact details    

Frome Medical Practice, Frome Medical Centre, Enos Way, Frome, Somerset, BA11 2FH

Telephone: 01373 301301

2) Data Protection Officer contact details    

Kevin Caldwell

GP Data Protection Officer
Somerset ICB
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000
Email: somicb.GPDPO@nhs.net

3) Purpose of the processing    

This is to support claims and ensure accurate assessment of eligibility and compensation.

The information shared may include:

• Patient identifiers (e.g., name, date of birth, NHS number)
• Relevant medical history and diagnoses
• Treatment records and outcomes
• Supporting documentation from the patient’s medical file

4) Lawful basis for processing    

IBCA has been created through the Victims and Prisoners Act 2024 (VAP), which sets out its duties and obligations.
Section 53 of the VAP provides IBCA with the legal power to require information from NHS organisations when needed to process an infected blood compensation claim.

It also provides NHS providers with a legal power to provide information to IBCA for the purposes of any matter connected with the administration of the compensation scheme, which includes personal data such as medical records or information. The Act imposes a duty upon NHS providers to comply with requests for information from IBCA. Section 53 also allows IBCA to seek a court order in the event a notice to provide is not complied with.

The requirement to send information to IBCA is not therefore a Subject Access request on behalf of the patient but a request for information using the statutory powers of the VAP.
Section 53 of the VAP sets aside the Common Law Duty of Confidentiality and gives the practice the legal power to provide the information to the IBCA upon request. This means patient consent to share information with IBCA is not required.

Under UK GDPR, the following Article 6 and 9 conditions apply: 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
• Article 9(2)(g) ‘processing is necessary for reasons of substantial public interest, on the basis of Domestic Law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.’ 

5) Recipient or categories of recipients of the shared data    

The Infected Blood Compensation Authority (IBCA) acting as data processor

6) Rights to object     

You have the right to object. If you wish to do so, please contact the practice.

7) Right to access and correct    

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period     

Data retained in line with the IBCA policies  

9) Right to complain    

You have the right to complain to the Information Commissioner’s Office, you can use this link or calling their helpline 0303 123 1113 (local rate) or 01625 545 745 (national rate) 

As part of any recruitment process, the organisation collects and processes personal data relating to job applicants. The practice is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

The practice collects a range of information about you. This includes:

your name, address and contact details, including email address and telephone number;

details of your qualifications, skills, experience and employment history;

information about your current level of remuneration, including benefit entitlements;

whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;

information about your entitlement to work in the UK; and

equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.

The practice collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment. The practice will also collect personal data about you from third parties, such as references supplied by former employers and where applicable information from criminal records checks. The organisation will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems

The practice takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, the organisation may not be able to process your application properly or at all. You are also under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Some of the organisation's recruitment processes are based solely on automated decision-making, for example whether or not you are eligible to work in the UK.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The practice needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

In some cases, the practice needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

The practice has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the practice to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The practice may also need to process data from job applicants to respond to and defend against legal claims.

The organisation processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

The organisation will not use your data for any purpose other than the recruitment exercise for which you have applied.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

Article 6(b) Contract

and…

Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

5) Recipient or categories of recipients of the processed data

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, the Digital, Data and Technology team if access to the data is necessary for the performance of their roles, and interviewers involved in the recruitment process.

The practice will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The organisation will then share your data with former employers to obtain references for you, and where applicable the Disclosure and Barring Service to obtain necessary criminal records checks.

The organisation will not transfer your data outside the European Economic Area.

6) Rights to object

You have the right to delete or stop processing your data. If you wish to do so please contact the practice. 

7) Right to access and correct

You have the right to access a copy of your data and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law. There is no right to have UK taxation related data deleted except after certain statutory periods.

8) Retention period

If your application for employment is unsuccessful, the organisation will hold your data on file for 6 months after the end of the relevant recruitment process. At the end of that period or once you withdraw your consent, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

How the NHS and care services use your information

Frome Medical Practice is part of the wider NHS and care system. When you use health or care services, such as visiting A&E or receiving community care, important information about you is collected and added to your health record. This helps make sure you get the best possible care. Sometimes, information from your health record is also used for reasons beyond your individual care. This can include:

• improving the quality of care
• developing new treatments
• preventing illness
• checking safety
• planning NHS services

This kind of use is only allowed when there is a clear legal basis. Most of the time, the data used is anonymised so you cannot be identified.

You can choose whether your confidential patient information is used for purposes beyond your care. If you are happy with this, you do not need to do anything. If you choose to opt out, your information will still be used to support your individual care. You can change your choice at any time.

To find out more or to set your choice, visit: Your NHS Data Matters

On this website, you can:

• learn what confidential patient information means
• see examples of how your data is used
• understand the benefits of sharing data
• find out who uses the data and how it is protected
• set or change your opt-out choice
• find contact details if you prefer to do this by phone
• see when the opt-out does not apply

You can also find more information at:

• Health Research Authority - about health and care research
• Understanding Patient Data - about how and why patient data is used

Your data will never be shared with insurance companies or used for marketing without your specific permission.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) "…necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "…necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital according to directions

6) Rights to object

You have the right to object to some or all of the information being shared with NHS Digital. If you wish to opt out please visit Your NHS Data Matters

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The NHS offers national screening programmes to help find certain health conditions early, when they are easier to treat. These programmes are based on age, sex, and other health factors.

You may be invited for screening for:

• Bowel cancer
• Breast cancer
• Abdominal aortic aneurysm (AAA)
• Diabetic eye disease
• Fetal anomalies during pregnancy
• Sickle cell and thalassaemia
• Newborn hearing
• Newborn blood spot conditions
• Newborn and infant physical checks

To make sure you receive your invitation, we share your contact details with NHS England. This is allowed by law and helps ensure you get the right care at the right time.

Screening and gender identity

Screening invitations are usually based on the gender recorded in your GP record. If you are transgender or non-binary, this may affect which invitations you receive.

For example:

• Trans women registered as female may be invited for breast screening but not AAA screening.
• Trans men registered as male may not be invited for cervical or breast screening, even if they still need it.

If you are not invited for a screening programme you think you should be part of, you can speak to your GP or contact the screening service to request it.

You can find more information about screening for trans and non-binary people here: NHS screening information for transgender people

More details about all NHS screening programmes are available at: NHS screening programmes

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The NHS provides several national health screening programs to detect diseases or conditions earlier such as; cervical and breast cancer, aortic aneurysm and diabetes. More information can be found at Population screening programmes. The information is shared so as to ensure only those who should be called for screening are called and or those at highest risk are prioritised.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(e); "necessary… in the exercise of official authority vested in the controller"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Avon and Somerset Breast Screening, Somerset Diabetic Eye Screening, Somerset Bowel Cancer Screening, Somerset and North Devon Abdominal Aortic Aneurysm (AAA) Screening, Public Health Services (England).

6) Rights to object

You have the right to object to this processing of your data and to some or all of the information being shared with the recipients. For national screening programmes: you can opt to no longer receive an invitation to a screening programme.

Visit Opting out of the NHS population screening programmes

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

GP medical records will be kept in line with the law and national guidance.

Information on how long records can be kept can be found at: Records management code of practice

9) Right to complain

You have the right to complain to the Information Commissioner's Office

National Fraud Initiative (NFI)

We take part in the National Fraud Initiative, a government programme that helps prevent and detect fraud in public services.

The Cabinet Office runs this programme by comparing sets of data from different public bodies. This is called data matching. It helps identify unusual patterns that may suggest fraud, error, or other issues that need to be looked into.

What this means for you

We may share some of your information with the Cabinet Office if it is needed for a data matching exercise. This could include details like your name, address, or NHS number. The exact data shared depends on the focus of each year’s exercise.

This is allowed by law under Part 6 of the Local Audit and Accountability Act 2014. It does not require your consent, and it does not breach confidentiality. However, we still follow data protection laws to keep your information safe.

How your data is protected

The Cabinet Office follows a strict Code of Data Matching Practice to make sure your data is used fairly, securely, and lawfully. You can read the code here:  Code of Data Matching Practice for the National Fraud Initiative

Each year, the types of data used may change depending on the focus of the fraud prevention work. We only share data when it is required.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Under the NHS Act 2006, investigations into fraud in the NHS may require access to confidential patient information.

4) Lawful basis for processing

To enable the cabinet office and NHS counter fraud authority to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

NHS Counter Fraud Authorities, Cabinet Office.

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with NHS Counter Fraud policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

How NHS England uses your information

NHS England is responsible for collecting and analysing patient data from across the NHS. It helps improve care by producing reports, statistics, audits, and research.

Examples include:

• A&E and outpatient waiting times
• NHS staffing numbers
• GP payments and performance
• National audits like the Female Genital Mutilation dataset, General Practice Appointments Data, CVD PREVENT, and the National Diabetes Audit

Why we share data

GP practices are required by law to share certain information with NHS England when instructed. These instructions are called “Directions” and are issued under the Health and Social Care Act 2012. This is a legal duty and does not require patient consent. We support important health and care planning and research by sharing your data with NHS England. This helps improve services for everyone.

Your privacy and rights

NHS England keeps your data safe and follows strict rules under data protection law. Most of the time, data is anonymised so you cannot be identified.

You can find more information here:

• NHS England Privacy Notice
• NHS England – Data and Information
• Directions and Data Provision Notices
• GP Practice Privacy Notice – Planning and Research

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. To provide specific reporting functions on identified quality standards.

4) Lawful basis for processing

To enable the HCO to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS England according to directions

6) Rights to object

You have the right to object to some or all of the information being shared with NHS England. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

This covers information provided to third party organisations such as solicitors (e.g. personal injury claims), insurance companies (e.g. life assurance), employers etc.

The explicit consent of patients must be obtained and demonstrable before the release of any such information.

4) Lawful basis for processing

To enable the Frome Medical Practice employees to provide information to other third parties, the following Article 6 and 9 conditions apply:

6(1) (a)  - Consent of the data subject

and;

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will consider your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality"

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The requesting third party organisation.

6) Rights to object

You do not have to consent to your data being shared with a third party. If you have consented to your data being shared with a third party you can change your mind and withdraw your consent at any time. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Data retained in line with the third party organisation’s policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The health and social care system will take action to manage and mitigate the spread and impact of any pandemic outbreak. Action to be taken will require the processing and sharing of confidential patient information amongst health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the pandemic outbreak and incidents of exposure.

Any notices of pandemic will be posted on the GOV.UK website  

Supplementary privacy notices may be issued on our website for specific pandemics as they occur.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The purpose of this Notice is to require organisations to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to the pandemic. "Processing" for these purposes is defined in Regulation 3(2) and includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of COPI.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and;

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”

“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) requires organisations to process confidential patient information in the manner set out in Regulation 3(1) of COPI.

5) Recipient or categories of recipients of the processed data

Health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the pandemic outbreak and incidents of exposure.

The data subject (you)

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected.

8) Retention period

This will be in line with the guidance from the GOV.UK website

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Your data during the COVID-19 outbreak

This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our Privacy Notice for Pandemics.

Why your information can help us manage COVID-19

The health and social care system is facing significant pressures due to COVID-19. Health and care information is essential to deliver care to individuals, to support health and social care services and protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. Existing law that allows patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS England and other organisations, such as the UK Health Security Agency (UKHSA), local authorities, health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during COVID-19 will be limited to the period of the outbreak unless there is another legal basis to use the data.

Opt outs

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111.  We may also use the details we have to send public health messages to you, either by phone, text or email. 

Telephone and video consultations

During this period we may offer you a consultation via telephone or video conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/ confidential patient information will be safeguarded in the same way it would with any other consultation and any risks explained to you before the consultation begins.

Sharing your information

We will also be required to share certain personal/ confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. 

NHS England have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England and the UKHSA. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Activation of patient online access for any given patient is only performed with the consent of the patient (or their parent/guardian or representative).

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable patients to securely access their GP record online via the NHS App, to access health care features such as, booking appointments, requesting repeat medication and viewing their medical information.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1) (a)  - Consent of the data subject

and;

Article 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data subject (you);

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Not applicable.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. These amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises. Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.

In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws

NHS England’s powers to commission health services under the Health and Care Act 2022 or to delegate such powers to ICBs

For more information about payments please see NHS Payments to GP Practice

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable the practice to receive payments.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

5) Recipient or categories of recipients of the processed data

The data will be shared with Health and care professionals and support staff in this practice, NHS England, Somerset ICB (Integrated Care Board), UK Health Security Agency (formerly Public Health England),  and at hospitals, diagnostic and treatment centres, who contribute to your personal care.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

You have the right to complain to the Information Commissioner's Office

This practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process and will be in line with the principles of Article 89(1) of General Data Protection Regulation (GDPR)

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement. If section 251 is appropriate the National Data Opt Out applies. Please see our Privacy Notice for National Data Opt Out. We may also use your medical records to carry out research within the practice.

Under Section 251 we share information with the following medical research organisations and you can opt out of this via the National Data Opt Out:

• Clinical Practice Research Datalink (CPRD)
• University of Bath

We also share information with the following medical research organisations:

• QResearch

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.

For QResearch; patients who do not wish their data to be included in the upload are able to opt out by informing  the practice who will add SNOMED CT code (1898191000006104) to your record which will cancel any future data collection.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Medical research.

4) Lawful basis for processing

Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are;

Article 6(1)(e) may apply "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

and in addition there are three possible Article 9 justifications:

Article 9(2)(a) – "the data subject has given explicit consent…"

or;

Article 9(2)(j) – "processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject".

or;

Article 9(2)(h) – "processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services..."

Under Section 251 please see the lawful basis for processing or sharing on the Privacy Notice for the National Data Opt Out.

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Clinical Practice Research Datalink (CPRD), University of Bath and QResearch.

6) Rights to object

You do not have to consent to your data being used for research. If you have consented to your data being used in research you can change your mind and withdraw your consent at any time. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

The data will be retained for the period as specified in the specific research protocol(s).

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The records we keep enable us to plan for your care

‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

Information about you is collected from a number of sources including NHS Trusts and your GP Practice. A risk score is then arrived at to help us identify and offer you additional services to improve your health.

In addition data with your identity removed is used to inform the development and delivery of services across the local area.

Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013)) and this approval has been extended to the end of September 2022 NHS England Risk Stratification  which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease

You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as "health analytics".

Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.

‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

Information about you is collected from a number of sources including NHS Trusts and your GP Practice. A risk score is then arrived at to help us identify and offer you additional services to improve your health.

In addition data with your identity removed is used to inform the development and delivery of services across the local area.

Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013)) and this approval has been extended to the end of September 2022 NHS England Risk Stratification  which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease

You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”.

Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The practice performs searches of some or all patient records to identify individuals who may be at increased risk of certain conditions or diagnoses, for example, diabetes, heart disease, risk of falling. Your records may be amongst those searched. This is often called "risk stratification" or "case finding". These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(e); "necessary… in the exercise of official authority vested in the controller"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared for processing and for subsequent healthcare with Somerset ICB, NHS Foundation Trusts, NHS England, NHS South Central & West CSU and Bering Ltd (Brave AI).

6) Rights to object

You have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances. If you wish to object please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.

There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:

• Section 47 of The Children Act 1989
• Schedule 1 paragraph 10 of Data Protection Act 2018 (preventing or detecting unlawful acts)

and;

• Section 45 of the Care Act 2014

In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; - section 17 Childrens Act 1989

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The purpose of the processing is to protect the child or vulnerable adult.

4) Lawful basis for processing

The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:

For consented processing;

6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

For unconsented processing;

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject

and;

9(2)(b) "...is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of ...social protection law in so far as it is authorised by Union or Member State law.."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Somerset Social Services, Get Set, Somerset NHS Foundation Trust – Mental Health, School Nurses, Health Visitors

6) Rights to object

This sharing is a legal and professional requirement and therefore there is no right to object.

There is also GMC guidance

7) Right to access and correct

You, or your legal representative, have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Patients are free to provide Frome Medical Practice with their mobile telephone number and consent will be recorded to allow our staff to use SMS if needed, or if preferred by the patient.

SMS messages are automatically generated to remind patients of forthcoming consultations that they have booked.

All SMS text messages are for direct medical care purposes only.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

SMS messages are automatically generated to remind patients of forthcoming practice consultations that they have booked and for direct medical care purposes.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data subject (you).

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Not applicable.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The Summary Care Record is an NHS England initiative. It consists of a basic medical record held on a central government database on every patient registered with a GP Practice in England.

The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload. The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, the name, address, date of birth and NHS number of the patient

As well as this basic record additional information can be added, and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent.

Summary Care Records can only be viewed within the NHS on NHS smartcard controlled screens or by organisation, such as pharmacies, contracted to the NHS.

You can find out more about the SCR here

You have the right to object to our sharing your data in these circumstances and you can ask your GP to block uploads.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

During a pandemic information about vaccines may be available for clinicians to see in a clinical setting if necessary. This information is available through an NHS system called the Summary Care Record application (SCRa).

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Upload of basic and detailed additional SCR data.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) "necessary for the performance of a task carried out in the public interest or in the exercise of official authority."

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.” 

and;

Article 9(2)(b) "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject."

and;

Article 9(2)(i) "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital and health and social care organisations who contribute to your personal care.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

This covers information provided to Frome Medical Practice via surveys created by Frome Medical Practice. This includes online and paper based surveys for patients and/or staff members.

By completing the survey the person is giving consent to process their information.

4) Lawful basis for processing

To enable the Frome Medical Practice to process survey information the following Article 6 and 9 conditions apply:

6(1) (a)  - Consent of the data subject

and:

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

Frome Medical Practice will be the sole processor of person identifiable information. The findings of the survey may be shared with other third parties but all shared data will be anonymised.

6) Rights to object

By completing the survey you are giving consent to process and share your anonymised data. If you have consented to your personal data being processed you can change your mind and withdraw your consent at any time. 

7) Right to access and correct

You have the right to access any of your identifiable data that is being processed and have any inaccuracies corrected.

8) Retention period

Some data may be added to the patient medical record and this will be retained in line with the law and national guidance.

All other electronic survey or form data is retained for a period of up to 7 years after which the data will be securely destroyed. Any paper records are destroyed as soon as they have been recorded electronically. 

9) Right to complain

You have the right to complain to the Information Commissioner's Office

This privacy notice explains about our telephony system. When calls come into the practice there will be a message to explain that all telephone calls are recorded for training and monitoring purposes.

Calls going out of the practice will also be recorded for the same reason and this information can be found in this privacy notice, displayed on our website and in the practice. We lawfully do not require your consent; however, you do have the right to end the call if you do not wish for the call to be recorded.

All calls will be stored securely on the telephony system.

When a call is recorded we collect:

• a digital recording of the telephone conversation
• the telephone number of both parties personal data revealed during a telephone call will be digitally recorded for example name and contact details to deliver appropriate services
• occasionally 'special category' personal information may be recorded where a customer request for advice and/or services.
• telephone call recording will be turned off, when a customer's credit or debit card details are given, in line with Payment Card Industry Data Security Standards (PCS DSS) and data protection legislation including UK General Data Protection Regulations (UK GDPR).

People will only have access to data necessary to fulfil their roles.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable a safe two-way communication between patients, or other individuals or services, and the practice.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in the practice and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and;

Article 6(1)(b) ‘…necessary for a contract with the individual, or because they have asked to take specific steps before entering into a contract.’

and;

Article 9(2)(h) ‘…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”

and;

Article 9(2)(b) ‘…carrying out of obligations under employment, social security or social protection law, or a collective agreement’

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

Data is accessible by the Practice as the Data Controller for this information. Information may be accessed remotely by the supplier for support purposes. Recordings are available for the Practice. Patients, individuals, and services may request access to their recordings.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The recording data will be retained for 36 months on the telephony system before deletion.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable healthcare professionals working at Frome Medical Practice to provide all necessary information about individuals to the courts when instructed (Court Order).

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(c) "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent"

Or alternatively:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The courts.

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with judiciary policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

UKHSA encompasses everything from national smoking and alcohol policies, the management of pandemics or epidemics such as flu, the control of large-scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform UKHSA, for instance Scarlet Fever.

This will necessarily mean the subjects personal and health information being shared with UKHSA.

Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659), the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657), the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658), Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

There are occasions when medical data needs to be shared with UKHSA either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(i) "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,.."

5) Recipient or categories of recipients of the processed data

The data will be shared with UK Health Security Agency

6) Right to object

You have the right to object to some or all of the information being shared with the recipients. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during the period of the public interest and according to legal requirements and UKHSA’s criteria on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office