As data controllers, GPs have fair processing responsibilities under the Data Protection Act and GDPR law 2018. This means ensuring that your personal confidential data is handled in ways that are safe, transparent, and what you would reasonably expect.
We have a duty to:
- Maintain full and accurate records of the care we provide to you
- Keep records about you confidential, secure, and accurate
- Provide information in a format that is accessible to you (for example, in large type if you are partially sighted)
We will not share information that identifies you for any reason, unless:
- You ask us to do so
- We ask, and you give us specific permission
- We must do this by law
- We have special permission for health or research purposes
- We have special permission because the interests of the public are thought to be of greater importance than your confidentiality
If you believe the practice has breached any of your Data Protection Rights, you have the right to complain to the UK Supervisory Authority as below.
Cheshire SK9 5AF
Tel: 01625 545745
The Data Protection Act
The Data Protection Act gives you the right to know what information is stored about you. It puts responsibility on the practice to make sure we handle personal information responsibly and that we protect the privacy of you as an individual. The Act covers personal information that is stored on computer, paper, email, and any other storable media. You can at any time ask us what we use your information for, you can ask for a copy of any information we hold about you, and you can ask us to correct any information which you believe is inaccurate.
If you wish to make a request for a copy of your personal information you must write to [insert name] (Service Delivery Lead). The Practice will need to verify your identity to ensure we are not giving out someone else’s personal information to another person. The Practice is allowed to make a charge for photocopying your medical record. The Practice is obliged to get the information to you within 40 days.
By law we do not have to supply personal information where dealing with the request would involve excessive time and expense, or where information includes sensitive personal information and disclosing this may harm the individual concerned. We do not need to supply personal information where the information is required for crime prevention or taxation purposes or where information includes details about another individual. If at any time another public body made a request to us for information about an individual then we would first check that this body has authority under the Data Protection Act or that you had given your consent to them to ask for this information.
Freedom of Information Act (FOI 2000)
Anyone anywhere in the world can make a request to the practice for information that we hold and have recorded in any form, and the practice is obliged to inform the applicant in writing whether it holds the information. If we do hold the information requested then we must supply this to the applicant within 20 working days. We are not obliged to comply with repeated requests for information. Anyone writing to us for information they think we may hold must describe clearly the information they are requesting. The practice can charge a reasonable fee for photocopying and postage; where we need to charge a fee we will inform the applicant of the costs before providing the information. We do not have to supply the information until the fee has been received.
Exemptions under the FOI 2000
Some types of information are exempt from the requirement of what must be made available. These include personal information which comes under the Data Protection Act 1998 and some information where disclosure would harm the commercial interests of the public body or a third party.
All information concerning patients is confidential, from the most sensitive diagnosis to the fact of having visited the surgery at all or being registered at the practice. A breach of confidentiality constitutes gross misconduct and may result in that member of staff’s dismissal, subject to the provisions of the practice’s disciplinary procedure.
The reason for a strict code of confidentiality in relation to patients is that, in general practice, staff are in possession of, or have access to, personal health information about individuals. This must remain confidential unless the patient provides informed consent for its release. In a limited number of circumstances, the doctor responsible for the patient’s care may decide that particular information should be disclosed without consent.
This would be justified, for example, in cases where disclosure was in the patient’s interest, but it was impossible, or medically undesirable, to seek his or her consent. Another example would be a situation where the doctor decided that he or she had an overriding duty to society to disclose information because a serious crime had been, or was very likely to be, committed. However, such rare decisions are the doctor’s and under no circumstances must staff make a decision to disclose patient information.
The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person. All doctors have a strict code of confidentiality and any breach of it by their staff could lead to disciplinary action being taken against the doctor by the General Medical Council. All patients can expect that their personal information will not be disclosed without their permission (except in the most exceptional circumstances, where disclosure is required because somebody is at grave risk of serious harm).