Privacy Notice: How We Use Your Data

Merton Medical Practice is the data controller for the personal information it processes.

In order to comply with data protection legislation, this notice has been designed to inform you of what you need to know about the personal information we process. This notice explains how we process personal information in accordance with our legal obligations and is a good opportunity for you to understand or exercise your information rights. 

We are legally required to tell you:

  • What personal information we use
  • Why we need your personal information
  • The lawful basis for processing your personal information i.e. legitimate reasons for collecting, keeping, using and sharing it
  • How we use, store, protect and dispose of your personal information
  • How long we keep it for and who we may share it with
  • About your information rights 
  • How to report a complaint or concern

Your Personal Information

When we say personal information, we are referring to any information that can identify a specific person, either on its own or together with other information. The obvious examples are name, address and date of birth; however, this could include other forms of data, such as email address, car registration, biometric or identifying characteristics, NHS number, pictures, images and so forth.

Much of the information we process is ‘special category data’ under UK GDPR because it relates to health, ethnicity, religious beliefs, sexual orientation or other sensitive matters requiring additional protection. Special category data includes the racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, Trade Union membership, physical or mental health or condition, sexual life, and criminal offence data (processed only where lawful and necessary).

Anonymised data is not personal information. This is any information that cannot reasonably identify you, so it cannot be personal, confidential or sensitive. Anonymisation requires the removal of personal information that might identify you.

The personal information we collect may be used for any of the following specific purposes: 

  • Health care for patients – diagnosis, treatment and referral
  • Accounting, financial management and auditing
  • Education and training
  • Consultancy and Advisory services
  • Human resources and staff administration
  • Crime prevention and prosecution 
  • Health administration and services management
  • Business management, service planning and administrative functions
  • Contractual arrangements for data processing by third parties 
  • Occupational Health referrals
  • Research, service evaluation and national surveys
  • Security services e.g. CCTV monitoring, confidentiality audits

Without your personal information, we cannot:

  • Direct, manage and deliver the health care you may require 
  • Ensure we have accurate and up to date information to assess and provide what you require
  • Provide the appropriate level of assistance or adequate guidance
  • Refer you to a specialist or another service
  • Protect the general public or promote public health
  • Manage, develop or improve our services
  • Investigate complaints or proceed with legal actions for claims
  • Employ you to join our workforce
  • Procure products and services
  • Commission and manage healthcare services
  • Comply with a court order
  • Comply with regulatory requirements
  • Meet some of our legal obligations
  • Compile statistics to review our performance
  • Educate and train our workforce
  • Undertake clinical trials and research studies you have consented to
  • Undertake occupational health assessments where lawful and necessary
  • Keep you and other service users safe on our premises

Lawful Basis for Processing your Personal Information
We do not generally rely on consent as our lawful basis for processing personal data for the provision of healthcare. Instead, we rely on UK GDPR Articles 6 and 9, and our statutory duties under health legislation. Consent may still be used where required for specific purposes (for example, certain research activities).

We rely on the following specific provisions under Articles 6 (Lawful Processing) and 9 (Processing of Special Categories of Personal Data) of the UK GDPR and Data Protection Act 2018:

For your personal information

Article 6(1)(b) – ‘processing is necessary for the performance of a contract’

Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation…’

Article 6(1)(e) – ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller’

Article 6(1)(f) – ‘processing is necessary for legitimate interests pursued by the Practice or a third party, except where overridden by the interests or rights of the individual’ (only where applicable)

For your special category information

Article 9(2)(b) – ‘…for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Article 9(2)(h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

Article 9(2)(i) – ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Please note: You cannot opt out of the use of your personal information for direct care, where this is required to provide safe and effective healthcare. You may, however, opt out of certain uses such as planning, research and other secondary purposes via the National Data Opt-Out. Please speak to a member of the Practice or our Data Protection Officer, or visit https://digital.nhs.uk/services/national-data-opt-out

We never use your personal information for advertising, marketing and public relations or insurance purposes without your consent.

Retention and Disposal of Personal Information

Your personal information may be written down (manual), digitised or held on computers (electronic), centrally within or outside of the Practice. These may be paper records, scans, photographs, slides, CCTV images, microform (i.e. fiche/film), audio, video, emails, computerised records on IT systems, or scanned documents etc., which we process securely in accordance with data protection legislation and store in line with the Records Management Code of Practice for Health and Social Care 2021:

https://digital.nhs.uk/data-and-information/information-governance/guidance/records-management-code-of-practice

Records are retained only for as long as necessary and in accordance with NHS retention schedules and legal requirements.

Keeping your Personal Information Safe
We are committed to keeping your information secure and have operational policies, procedures and technical measures in place to protect your information whether it is in a hardcopy, digital or electronic format. 

We are registered with the Information Commissioner’s Office: registration number Z6606591

Mandatory training and regular audits are in place to ensure that only authorised personnel with a legitimate need to access the information in order to carry out their role can use it.

When there are personal data breaches (for example, unauthorised access, inappropriate use, or failure to keep personal information secure or accurate), these are reported and investigated, with appropriate action (disciplinary, legal, lessons learned, re-training etc.) taken.

Sharing Personal Information
We may need to share your personal information with other organisations, e.g. NHS organisations, health and social care organisations, public bodies (Local Authorities, Probation Service, Police, Regulatory Authorities) or third-party providers commissioned to process personal information on our behalf.

This is because we have both a duty of confidentiality and a duty to share information appropriately where it is in the patient’s best interests or required by law. We may also share your personal information for planning services across the NHS. This is vital to delivering better healthcare and improving our services.

NHS England may require GP practices to share pseudonymised data for approved research, planning and public health purposes, including through secure data environments such as OpenSAFELY, in accordance with legal directions and NHS requirements.

Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. Pseudonymised means that identifiers are removed and replaced with a pseudonym.

Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.

Patients may have rights to object to or opt out of certain secondary uses of their information, subject to NHS national policies. Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP.

Here you can find additional information about OpenSAFELY.

Your Information Rights
You have the right to:

  • Be informed about the processing of your personal information by the Practice (done through this notice)
  • Access the information we hold about you (paper, digital or electronic copies)
  • Ask the Practice to correct or complete your personal information
  • Ask the Practice to erase your personal information under certain circumstances, if the Practice does not have a lawful basis to process it
  • Ask the Practice to restrict the processing of your personal information under certain circumstances
  • Ask the Practice to move, copy and transfer the personal information you have provided to the Practice, securely and in a portable, commonly used, machine-readable format, for your own purposes
  • Object to the processing of your personal information, where applicable and subject to legal limitations
  • Object to certain types of processing carried out in the public interest, for direct marketing, research or statistical purposes, subject to legal limitations
  • Receive a response to your access or change request within a calendar month, subject to lawful extensions where permitted.

We do not routinely carry out automated decision-making or profiling. Any decisions about your care are made by appropriately qualified health professionals.

Requests for information
Please complete a Subject Access Request (SAR) form on our website or ask Reception for a paper copy. We will require proof of identity before we can disclose any personal information.

Report Complaints or Concerns
We try to meet the highest standards when processing personal information. You should let us know when we get something wrong.

The Practice benefits from an external IG & Data Protection Officer (DPO). The role of our DPO is to examine our information handling practices and ensure we operate within the law. See https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-officers/

This service is provided by Laura Watson, IG & GP DPO for the ICB Patient Information Team. She can be contacted on swl.gpdpo@swlondon.nhs.uk.

Address: Ms Laura Watson
South West London Integrated Care System
120 The Broadway, Wimbledon, SW19 1RH

If you remain dissatisfied with how your information has been handled, you have the right to complain to the Information Commissioner’s Office (ICO). https://ico.org.uk/make-a-complaint/

Page published: 8 January 2024
Last updated: 11 May 2026