GDPR stands for General Data Protection Regulations and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. This comes into practice on May 25th.
The main changes are:
- Practices must comply with subject access requests.
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous.
- There are new, special protections for patient data.
- Compliance must be actively demonstrated; for example, it will be necessary to keep and maintain up-to-date records of the data flows from the practice and the legal basis for these flows, and to have data protection policies and procedures in place.
- A legal requirement to report certain data breaches.
- Designation of Data Protection Officers.
The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.
At Durnford Medical Centre our preferred way of keeping in touch with all our patients is through a text messaging service called MJOG, which is run through a secure N3 network and used by GP surgeries and hospitals throughout the country. Through MJOG we are able to remind patients of surgery appointments (reducing DNAs), report patients’ satisfaction when visiting the practice and notify patients of any health promotion clinics.
During May, all patients with a mobile number recorded at the practice will receive a text message asking them to press START to continue using this service. As explained, this is very secure and it is Durnford Medical Centre’s preferred method of contacting our patients. You are able to opt out of this at any time if you wish.
GDPR Patient Leaflet
Practice Privacy Notice (PPN)
Under General Data Protection Regulations (GDPR) you have a right to understand what the GP Surgery holds on you and how we will use your personal information. GDPR is new legislation/law that gives you more rights over your personal data and came into force across the UK on 25th May 2018.
Your rights are as follows:
This is your GP surgery that holds your personal data and decides on how to use the data it holds.
GP Surgery Stamp
Durnford Medical Centre
113 Long Street
Legality, Transparency and Fairness
In using your data there may be times when we have to seek your consent to use the data, but on other occasions we may need to use your data to comply with our NHS contract or a legal obligation, to safeguard your vital interest, to carry out tasks of public interest or to comply with our official authority.
You have a right to understand how your data is used by the surgery in a clear and transparent manner and have the right to access your information free of charge as long as it doesn’t become excessive.
You have the right to request correction of any inaccurate information held on you.
Under the Data Protection Act (2018), children from age 13 will have the right to consent to their own services and to how the Surgery engages with them and provides them care (there is no need to engage with a parent or guardian under the DPA (2018), but directly with the child).
Data collected on you will be limited to what is required for the Surgery to comply with its duty to you and the NHS to deliver healthcare.
Your data may be shared with other agencies that work with the GP surgery. These will include the local Out of Hours Service (BARDOC), 7 Day GP Services, Hospitals, Pharmacies, Community Nurses, Ambulance services and others who may need to be involved in your care. The Surgery may need to share your data for the purposes of medical research.
Information shared will be limited to what is required to continue providing ongoing care.
Once in place, Graphnet, a borough-wide IT system that allows safe sharing of information across the health and social care services, will ensure safe sharing of your data to enhance the care you receive.
In certain circumstances you will have the right to object to your data being shared.
The data the surgery holds will be relevant, adequate and limited to what is required for the Surgery to fulfil its duty.
Data held will be up to date. Any inaccurate information should be brought to the attention of the Surgery to ensure the inaccuracies are rectified.
Your data will be kept in line with NHS requirements. The Surgery will retain records from birth to death. Following death the NHS may destroy your records after 10 years.
Integrity and Confidentiality
The Surgery complies with NHS rules on keeping your data safe and secure. The surgery IT system that stores your data is EMIS Web and is one of the NHS approved GP computer systems. The surgery also has internal systems in place to ensure that the premises are secure and staff appropriately trained to comply with confidentiality with regard to your data. When sharing your data with other agencies the Surgery complies with NHS rules on safe transfer of information.
The Surgery has taken the appropriate steps to comply with GDPR. The surgery has appointed a Data Protection Officer (DPO) to ensure the surgery complies with the GDPR legislation and you can contact the DPO by email:
There is more information available on GDPR on the surgery website.
Should you have concerns about any aspect of the way in which your data is held or used by the Surgery, you can contact the Practice Manager at the Surgery (address as above). If you are not satisfied you can contact the Information Commissioner’s Office (ICO):
Information Commissioner’s Office (ICO)
Tel: 01625 545700
Covid-19 and your information - Updated on 24th April 2020
Supplementary privacy note on Covid-19 for Service Users
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency, it has become even more important to share health and care information across relevant
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak, unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws, your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111.
We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency, we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require, and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.