GDPR stands for ‘General Data Protection Regulation’ and is a piece of legislation that will supersede the Data Protection Act (1998). It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must comply with subject access requests.
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous.
- There are new, special protections for patient data.
- The Information Commissioner’s Office must be notified within 72 hours of a data breach.
- Higher fines for data breaches – up to 20 million euros.
Subject Access Requests
The General Data Protection Regulations allows you to find out what information is held about you including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing.
You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified.
You should however be aware that some details within your health records may be exempt from disclosure, however this will in the interests of your wellbeing or to protect the identity of a third party.
If you wish to have access to your medical records, please contact the surgery.
If you have reviewed your medical record (you can apply to do this on-line, see the Online Services tab) and wish to object or request a change to the information we hold please download a copy of our 'Patients Right to Object Form' here.
Once completed you need to return the form to the practice in person, bringing a recognised form of photo-ID, such as a passport or driver's license with you, so we can verify your identity.
We define consent as “any freely given specific and informed indication of wishes by which the data subject signifies their agreement to personal data relating to them being processed.”
This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.
Individuals also have the right to withdraw their consent at any time.
The changes in GDPR mean that we must get explicit permission from patients when using their data, which is information that relates to a single person, such as diagnosis, name, age, earlier medical history etc.
One of the considerations patients may make is about how their personal data is used and specifically whether it is shared, with consent, and under strictly controlled circumstances, with professionals outside the practice.
One of the requirements of this legislation is that all organisations that hold personal data, whether that be data concerning patients, customers or employees, must make their policies and processes around personal information available in the form of a Privacy Notice.
You can find our practice privacy notice here.
Your confidentiality is very important to us, all NHS staff are bound by law and a strict code of confidentiality and we have strict controls in place to protect your information. The Surgery’s Caldicott Guardian, Dr Andrew Fellows, is responsible for ensuring patients' confidentiality is respected.
The GDPR also requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
This information is publicly available on the Information Commissioners Office (ICO) website and the practice is registered with them.
Our Data Protection Officer is Caroline Simms.
Our Data Controller, responsible for keeping your information secure and confidential is Dr Andrew Fellows