Privacy Notice

Higham Hill Medical Centre Privacy Notice

What is a Privacy Notice?

This privacy notice, which is a requirement of the General Data Protection Regulation (GDPR), explains how we use any personal information we collect about you when you register with us. This privacy notice is also part of our commitment to ensure that we process your information fairly, transparently and lawfully.

Who are we governed by?

The legislation and guidance we are governed by include, but are not limited to:

· General Data Protection Regulation (GDPR) - this includes the Data Protection Act 2018 within this regulation.

· Caldicott Report 1997

· Access to Health Records Act 1990

· Freedom of Information Act 2000

· Health and Social Care Act 2012, 2015

· Public Records Act 1958

· Computer Misuse Act 1990

· The Common Law Duty of Confidentiality

· The Social Care Record Guarantee for England

· NHS Confidentiality Code of Conduct

· Information Security Management – NHS Code of Practice

· Records Management – Code of Practice for Health and Social Care 2016

· Department of Health

· Information Commissioner's Office

· Care Quality Commission

· NHS England

Our doctors are also regulated and governed by professional bodies, including numerous royal colleges and the London Deanery.

What Information will be collected and how will it be collected?

The information collected about you includes, but is not restricted to: personal details, past and current medical history, results of x-rays and blood tests, and information from people who previously treated and cared for you, such as health professionals and relatives.

Sensitive information (also known as Special Category data) such as race, beliefs, whether you have a disability, health issues, allergies, etc. will also be collected. This gives us a fuller picture, so that the staff directly treating you can deliver appropriate treatment and care plans and care for you effectively.

Information will be collected via registration forms and when your medical records are received from your previous GP. Your telephone calls will also be recorded on our telephone system.

How will we use your information?

We may ask for and hold personal confidential information about you, which would be used for direct patient care as per “Articles 6(1)(e) and 9(2)(h)” of the GDPR; for example, to improve your care, plan new services, develop new treatments and prevent diseases.

We recognise your rights under UK law collectively known as the “Common Law Duty of Confidentiality”. This is law formed from past court cases decided by judges. The law is applied by reference to previous cases, so common law is based on precedent. The overall position is that if information is given in a situation where it is expected that a duty of confidence applies, then that information cannot be disclosed without the information provider’s consent.

In the two circumstances below, where it is not practical to obtain your explicit (written) consent, we inform you through this notice, referred to as a Privacy Notice, under the Data Protection Act.

In order to comply with its legal obligations, this practice contributes to national clinical audits and may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012, as per “Articles 6(1)(c) and 9(2)(h)” of the GDPR.

This practice also contributes to medical research and may send relevant information to medical research databases, such as the Clinical Practice Research Datalink, when the law allows, under GDPR Article 9(2)(j), and when research is carried out in the public interest, under GDPR Article 6(1)(e).

How is confidentiality maintained?

Everyone working under Higham Hill Medical Centre is bound by the Common Law Duty of Confidentiality and by data protection law (the General Data Protection Regulation (GDPR), which includes the Data Protection Act 2018 within this regulation) to make sure information is secure, as per Article 32 of the GDPR. Information that you provide to us will only be used for the purposes to which you consented; we will inform you how it is used and allow you to decide if and how your information can be shared.

Confidentiality is maintained through induction training for new staff and mandatory annual training for all our staff. We never leave confidential information lying around unattended; we always return it to a secure place after use. Your electronic records are kept in a password-protected system. Your records are never taken off the premises. If an access request is made for your records, we will confirm your ID and your consent.

Categories of Recipients of the Processed Data

The practice discloses personal data to the following categories of recipients:

· NHS Trusts/Foundation Trusts

· GPs

· NHS Commissioning Support Units

· Independent contractors, such as pharmacists, opticians

· Private Sector Providers

· Voluntary Sector Providers

· Ambulance Services

· Clinical Commissioning Groups

· Social Care Services

· Education Services

· Fire and Rescue Services

· Police and Judicial Services

· Third party service providers, such as IT system management, information security and payroll providers.

Processors of personal data

In order to deliver the best possible service, the practice contracts Processors to process personal data, including patient data, on our behalf.

When we use a Processor to process personal data we will always have an appropriate legal agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by a Processor include:

· Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services and document management services.

· Delivery services (for example if we were to arrange for delivery of any medicines to you).

· Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

Dealing with requests regarding your confidential Information

From time to time, we may receive requests from non-NHS organisations (including, though not restricted to: social services, the police, solicitors and private sector providers) asking us to share information about you. However, we will not disclose any health information to them without your explicit (written) consent (via a handwritten letter given to the practice or via the non-NHS organisation).

However, there are exceptional circumstances where disclosure of confidential information is lawful (Articles 6(1)(c) and 9(2)(h) of the GDPR), which are:

· Where the disclosure is in the public interest; and

· Where the law requires the disclosure of information, such as a court order.

Risk Stratification

This practice performs computerised searches of all your records to identify patients who may be at an increased risk of certain conditions and diagnoses and who need hospital or other healthcare services, e.g. therapists or specialists. Information is collected from this practice and other NHS and non-NHS organisations to help provide appropriate advice, investigations, treatment, therapies and care.

Invoice Validation

This is an important process because it involves using your NHS Number to check with the CCG, who is responsible for paying for your treatment, and to check whether your care has been funded through specialist commissioning, which NHS England would pay for.

Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes. This process makes sure that the organisations providing your care are paid correctly.

Your rights to withdraw consent for us to share your information

You have the right to refuse/withdraw your consent to sharing information at any time. This right applies unless the staff can demonstrate compelling, legitimate grounds for processing your information.

How the NHS and care services use your information

Whenever you use a health or care service, such as attending a Practice consultation, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

· improving the quality and standards of care provided

· research into the development of new treatments

· preventing illness and diseases

· monitoring safety

· planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, please visit On this web page you will:

· See what is meant by confidential patient information

· Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care

· Find out more about the benefits of sharing data

· Understand more about who uses the data

· Find out how your data is protected

· Be able to access the system to view, set or change your opt-out setting

· Find the contact telephone number if you want to know any more or to set/change your opt-out by phone

· See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time by using the following website:


Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in this way with your specific agreement.

Our organisation is currently compliant with the national data opt-out policy.

Your right to access your medical record

You have the right to view your medical record free of charge. You also have the right to have inaccurate information corrected, in which case a note would be written or typed in the record to explain what needs to be corrected. Please enquire at reception for more information.

How long information is retained

Your records will be retained in line with the Record Management NHS Code of Practice for Health and Social Care. For more information, please use the link:

Other Privacy Notices

Privacy notices are also made available in our pamphlet and on our websites: NHS Choices and

If you have a question, and your right to make a complaint

We encourage people to bring their concerns and/or questions to our attention, and we take them seriously. You can submit your complaint on our website or write to the address shown above. We try our best to meet high standards in collecting and using personal information, so as to give you the best direct patient care.

If you still remain dissatisfied with the practice’s decision following your complaint, you may wish to escalate to our Data Protection Officer, Ms Radha Muthuswamy,

Higham Hill Medical Centre

260 Higham Hill Road

London, E17 5RQ

You have the right to complain to the Information Commissioner if you are unhappy with the Data Protection Officer’s response.

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow, Cheshire SK9 5AF

Their website is

The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to the practice.

Changes to the Privacy Notice

This Privacy Notice will be reviewed and updated monthly to ensure it is compliant with the GDPR.
