General Data Protection Regulations (GDPR)
The General Data Protection Regulations (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data.
The regulation applies from 25th May 2018, and will apply even after the UK leaves the EU.
What GDPR means for patients:
The GDPR sets out the key principles about processing personal data for patients:
- Data must be processed lawfully, fairly and transparently
- It must be collected for specific, explicit and legitimate purposes
- It must be limited to what is necessary for the purposes for which it is processed
- Information must be accurate and kept up to date
- Data must be stored securely
- It can be retained for as long as is necessary for the reasons it was collected
There are also stronger rights for patients regarding the information that practices hold about them. These include:
- Being informed about how their data is used
- Patients to have access to their own data
- Patients can ask to have incorrect information changed
- Restrict how their data is used
- Move their patient data from one health organisation to another
The right to object to their patient information being processed (in certain circumstances)
For further information relating to how we process patient data, please click on the link below:
“How the NHS and care services use your information”
St Catherine’s Surgery is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the Type 1 Opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data Type 1 Opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is / is not currently’ compliant with the national data Type 1 Opt-out policy.
Privacy Notice 2020
Staff Privacy Notice 2021
St Catherine's Surgery Privacy Leaflet - Adult
St Catherine's Surgery Privacy Leaflet - Young Person
Covid-19 and your information - Updated on 8th April 2020
HIE Data Sharing
click here for more information
Patient Privacy Notice
This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and with whom and for which legal purpose we may share it.
St Catherine’s Surgery also publishes a number of specific notices which are available at the bottom of this page.
To find out more about our Privacy Notice, please select the relevant hyperlink below:
Who we are?
St Catherine’s Surgery employs more than thirty members of staff and operates from St Catherine’s Health Centre in Birkenhead.
Our Practice is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z7345095
For further information please refer to the ‘About US’ page on our website
Why we collect personal information about you?
The staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care. This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.
What is our legal basis for processing personal information about you?
Any personal information we hold about you is processed for the purposes of ‘provision of health or social care or treatment or the management of health of social care systems and services> under chapter 2, section 9 of the Data Protection Act 2018
For further information on this legislation please visit: http://www.legislation.gov.uk/
What personal information do we need to collect about you and how do we obtain it?
Personal information about you is collected in a number of ways. This can be from referral details from our staff, other 3rd parties or hospitals, directly from you or your authorised representative.
We will likely hold the following basic personal information about you: your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts, etc. We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.
In addition to the above, we may hold sensitive personal information about you which could include:
• Notes and reports about your health, treatment and care, including:
- your medical conditions
- results of investigations, such as x-rays and laboratory tests
- future care you may need
- personal information from people who care for and know you, such as relatives and health or social care professionals
- other personal information such as smoking status and any learning disabilities
- Your religion and ethnic origin
- Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status).
It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.
What do we do with your personal information?
What we may do with your personal information.
Your records are used to directly, manage and deliver healthcare to you to ensure that:
- The staff involved in your care have accurate and up to date information to assess and advice on the most appropriate care for you.
- Staff have the information they need to be able to assess and improve the quality and type of care you receive.
- Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.
The personal information we collect about you may also be used to:
- Remind you about your appointments and send you relevant correspondence.
- review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement;
- support the funding of your care, e.g. with commissioning organisations;
- prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies;
- help to train and educate healthcare professionals;
- report and investigate complaints, claims and untoward incidents;
- report events to the appropriate authorities when we are required to do so by law;
- review your suitability for research study or clinical trial
- contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
Where possible, we will always look to anonymise/ pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use/ share the minimum information necessary.
Who do we share your information with and why?
We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, NHS Practice, other general practitioners (GPs), ambulance services, primary care agencies, and other carefully selected third party service providers (i.e. companies that provide IT services and support) etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Further details regarding specific third party processors can be supplies on request.
We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties without your explicit consent unless there are circumstances, such as when the health or safety of others is at risk or where current legislation permits or requires it.
There are occasions where the Practice is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).
For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.
The Practice is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Practice in confidence will only be used for the purposes explained to you and to which you have consented. Unless, there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Practice will always do its best to notify you of this sharing.
How we maintain your records
Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.
We hold and process your information in accordance with the Data Protection Act 2018 as amended by the GDPR 2016, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
- maintain full and accurate records of the care we provide to you;
- keep records about you confidential and secure;
- provide information in a format that is accessible to you.
Use of Email - Some services in the Practice provide the option to communicate with patients via email. Please be aware that the Practice cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.
Further information can be found in our Data Security and Protection policy/Information Governance policy, available at:
How long do we keep your information?
All records held by the Practice will be kept for the duration specified by national guidance from the Department of Health. The Records Management Code of Practice for Health and Social Care 2016.
Records Management Code of Practice for Health and Social Care 2016
We will keep a copy of your information in our Practice for as long as you are registered with our Practice and If you leave the practice we will ensure that a copy of anything we hold is passed on to your new GP. Your record status will be marked as ‘inactive’ in our clinical system but it will not be deleted”.
Confidential information is securely destroyed in accordance with this code of practice.
What are your rights?
If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:
- Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is further explained in our Access to Health Record Policy and Disclosure of Personal Data Procedure
- Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. This is also explained in our “Access to Health Record Policy and Disclosure of Personal Data Procedure”.
- Object to the use of your personal information: In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information. Where the Practice processes personal data about you on the basis of being required to do so for the performance of a task in the public interest/exercise of official authority, you have a right to object to the processing. You must have an objection on grounds relating to your particular situation. If you raise an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims
- Refuse/withdraw consent to the sharing of your health records: Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research). Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.
- Request your personal information to be transferred to other providers on certain occasions.
National Data Type 1 Opt-out Programme
St Catherine’s Surgery is one of many organisation working in the health and care system to improve care for patients and the public. The information collected about you whenever you use a health or care service can be provided to other approved organisations, where there is a legal basis, to help with planning services, improving quality and standards of care provided, monitoring safety, research into developing new treatments and preventing illness.
All these uses help to provide better health care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to Type 1 Opt-out your confidential patient information will still be used to support your individual care.
You can find out more about the wider use of confidential personal information and to register your choice to opt out by visiting https://www.nhs.uk/your-nhs-data-matters/.
If you have registered a National Data Type 1 Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.
If you wish to register a Type 1 Opt-out with your GP practice before data sharing starts with NHS Digital, this should be done by returning this form to your GP practice as soon as possible to allow time for processing it. If you have previously registered a Type 1 Opt-out and you would like to withdraw this, you can also use the form to do this. You can send the form by post or email to your GP practice or call 0300 3035678 for a form to be sent out to you.
Practice Information Governance Lead
Data Protection Officer
Please contact the Practice Information Governance Lead: Paul Warren, Business Manager
Head of Information Governance and Quality Assurance: Malcolm Gandy
Information Governance Team
St Helens & Knowsley Teaching Hospitals NHS Trust
Alexandra Business Park
Or via IG@sthk.nhs.uk
Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is the body that regulates the Practice under Data Protection and Freedom of Information legislation. https://ico.org.uk/. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the. ICO at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510