The Data Protection Act 1998 (DPA) and the General Data Protection Regulation 2018 (GDPR) require a clear direction on policy for the security of information within the Practice.
The following is a Statement of Policy which will apply:
- The Practice will maintain its registration as a Data Controller with the Information Commissioner’s Office (ICO) http://www.ico.gov.uk/ which is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The Practice is committed to the security of patient and staff records.
- All data breaches will be reported to the statutory authorities within laid down time frames.
- The Practice will display a poster in the waiting room which explains to patients the Practice policy.
- The Practice will make available, for the information of patients, a leaflet on Access to Medical Records and Data Protection, “Your information: What you need to know”.
- The Practice will take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant. This will include training on confidentiality issues, data protection legislation principles, procedures for working securely, and the application of best practice in the workplace.
- The Practice will respect and act on requests by patients within statutory timelines to correct misleading or incorrect data held within records.
- The Practice will exercise prudence in the use and testing of arrangements for the backup and recovery of data in the event of an adverse event.
- The Practice will maintain a system of “Significant Event Reporting” through a no blame culture to capture and address incidents which threaten compliance with data protection.
- Data protection issues will form part of the Practice general procedures for the management and review of risk.
- Specific confidentiality and security instructions will be documented and promoted to all staff.
My Care Record
We need to hold personal information about you on our computer system and in paper records to help us look after your health needs; your doctor is responsible for their accuracy and safe-keeping. Please help us keep your records up to date by informing us of any changes to your circumstances.
Doctors and staff in the Practice have access to your medical records to enable them to do their jobs. From time to time information may be shared with others involved in your care if it is necessary. Anyone with access to your record is properly trained in confidentiality issues and is governed by both a legal and contractual duty to keep your details private. We may also share your information with our “Partner Organisations”. For more information please ask at reception for the “How we use your health records” leaflet.
My Care Record allows health and care professionals directly involved in your care access to information about you.
All information about you is held securely and appropriate safeguards are in place to prevent accidental loss.
In some circumstances we may be required by law to release your details to statutory or other official bodies, for example if a court order is presented, or in the case of public health issues.
In other circumstances you may be required to give written consent before information is released – such as for medical reports for insurance, solicitors etc.
To ensure privacy, we will not disclose information over the telephone or fax unless we are sure that we are talking to you. Information will not be disclosed to family, friends or spouses unless we have prior written consent, and we do not leave messages with others.
You have a right to see your records if you wish. Please ask at reception if you would like further details and our patient information leaflet. You will need to complete a Subject Access Request form. Your normal/registered GP will be asked to authorise this request. In some circumstances a fee may be payable, if the request is deemed excessive or repetitive.