GDPR Privacy Notice for Patients

How Edinburgh GP uses your information to provide you with healthcare

This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations.

This privacy notice applies to personal information processed by or on behalf of the practice.

Edinburgh GP Ltd, the data controller (Ref number: ZB545933), is required to have a legal basis when using personal information and will be responsible for, and able to demonstrate, compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and with the General Medical Council's professional standards, which protect your privacy and ensure that your personal information is processed fairly and lawfully.

About the personal information Edinburgh GP uses

Any information Edinburgh GP collects will be for specific, explicit and legitimate purposes and will be adequate, relevant and limited to what is necessary to ensure you receive the correct healthcare services. Furthermore, information will be accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

This information is collected from:

  • you as the patient, when booking an appointment or enquiring by telephone, email, website or in person, or after you complete a ‘Patient Medical History Registration Form’
  • health insurers by phone or email, if they are booking an appointment on your behalf
  • your employer, by email if they are booking an appointment on your behalf, or if there is a contractual agreement for a service(s) we provide to your company
  • by the doctor at your consultation appointment
  • a family member by phone, email or through the website if they are booking an appointment on your behalf

Your information will be stored indefinitely. As detailed on https://ico.org.uk/for-organisations/advice-for-small-organisations/frequently-asked-questions/data-storage-sharing-and-security/ under ‘What data protection responsibilities do I still have, even if my business is closing down?’, the British Medical Association requires GPs to retain patient records for set periods of time. In accordance with the British Medical Association, the minimum retention period for GP records in Scotland is “For the patient’s lifetime and 3 years after the patient’s death”.

Information will be processed in a manner that ensures appropriate security of the records, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Edinburgh GP has a legal duty to keep personal health information secure and confidential. All information is recorded electronically and only accessible to qualified individuals.

What personal information is collected

Personal information includes facts (e.g. treatment and tests you have had) and opinions (e.g. any concerns you or the doctor might have about your medical health). To provide the best possible care for you, accurate and comprehensive personal information is required.

The following records are kept and updated regularly:

  • personal information and contact details, including your name, date of birth, address, email address, NHS GP and next of kin
  • medical history (e.g. past and/or current medical conditions and medications), family history and lifestyle
  • information about appointments
  • treatments and their costs
  • any proposed care, including advice we give to you and referrals you might need
  • details of any consents required
  • correspondence with any third-party providers that relates to your care, such as other healthcare providers, laboratory results and your employer (where applicable)

UKGDPR singles out some types of personal data as likely to be more sensitive and gives them extra protection which is referred to as ‘special category data’:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • data concerning health
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation

Some of the protected characteristics outlined in the Equality Act are also classified as special category data such as:

  • disability
  • pregnancy
  • gender reassignment

We seek explicit consent from you to hold special category data.

Our purpose for using personal information

We use personal information to enable us to provide appropriate healthcare services for patients, for administration purposes such as reminding you of appointments, and maintaining our accounts and records.

We have a legal obligation to hold and record accurate personal health and data records for each of our patients. This is in accordance with Article 6 paragraph 1(c) of the UK GDPR: “processing is necessary for compliance with a legal obligation to which the controller is subject”.

The relevant basis in UK law is set out in the Data Protection Act 2018, in schedule 1 condition 2. This condition covers the following purposes:

  • preventive or occupational medicine
  • the assessment of an employee’s working capacity
  • medical diagnosis
  • the provision of health care or treatment
  • the provision of social care (this is likely to include social work, personal care and social support services)
  • the management of health care systems or services, or social care systems or services

The above is in accordance with Article 9 paragraph 2(h).

Sharing personal information with others

Depending on the situation, and with your consent, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law. This could include sharing with:

  • your own NHS GP
  • another medical provider, such as a Specialist
  • a laboratory
  • a health insurer
  • your employer

Your rights

  • You have the right to access your own personal information
  • You have the right to obtain information held
  • You have the right to rectification of information
  • You have the right to object to the processing of information

How to contact Edinburgh GP’s Data Controller

Name: Dr David Richardson
Address: 2 Randolph Place, Edinburgh, EH3 7TQ
Phone Number: 0131 202 5454
E-mail: [email protected]
Website: www.edinburghgp.co.uk

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel.: 0303 123 1113
Email: [email protected]
Website: www.ico.gov.uk