Data Protection, Confidentiality & Privacy
This privacy notice explains why Amersham Vale Training Practice collects information about you, how we keep it safe and confidential, and how that information may be used.
Updated: 23/09/2020 Next review date: 23/09/2022
How we Use your Health Information
The practice complies with data protection and access to medical records legislation. Your record is used to provide your doctor, nurse or other healthcare professional with accurate information to assess your health and to decide, together with you, on appropriate care. It will be used:
- To ensure your care is safe and effective.
- To provide further medical treatment for you e.g. from district nurses and hospital services.
- To help you get other services e.g. from the social work department. This requires your consent.
- When we have a duty to others e.g. in child protection cases.
Anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.
Where required, your explicit consent will be sought before any such sharing of your confidential or sensitive information takes place. You have the right to withhold consent to share your information, but be aware that this may adversely affect the care you receive. Always consult your GP or relevant health professional before deciding to withhold consent to sharing your information, as they will be able to advise you on the possible outcomes of this decision.
If you do not wish anonymous information about you to be used in such a way, please let us know.
Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.
Everyone working for or on behalf of the NHS has a legal duty to protect your confidential information in accordance with the NHS Constitution, Code of Practices, the Data Protection Law and the Common Law duty of Confidentiality.
Much of the information held about you may be confidential, such as records kept by health professionals you are seeing, services you use or treatment you receive.
You have a right to privacy and confidentiality, and it is important that these rights are respected.
You have a right to object to your information being shared.
If you do not wish your health information shared you have two options:
Type 1 Opt-out: medical records held at your GP practice
You can tell your GP practice if you do not want your confidential patient information held in your GP medical record to be used for purposes other than your individual care. This is commonly called a type 1 opt-out. This opt-out request can only be recorded by your GP.
If you choose a Type 1 opt-out, please inform us in writing.
Type 2 Opt-out: information held by NHS Digital
A Type 2 opt-out is an objection that prevents an individual's personal confidential information, which is used for research and planning, from being shared outside of NHS Digital.
Previously you could tell your GP surgery if you did not want NHS Digital to share confidential patient information that is collected from across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.
From 25 May 2018 the type 2 opt-out has been replaced by the national data opt-out. Type 2 opt-outs that have been recorded previously have been automatically converted to national data opt-outs.
Compliance with the law
However, ultimately it is your choice as to whether you wish to use our website.
Sending Photos/Images to your GP
With the increased use of online and remote consultations, there may be some occasions where we ask you to send us an image of your area of concern. To protect both our patients and our team, we adhere to strict guidelines about the request, receipt, storage and deletion of any images we ask you to send us.
By law, we cannot receive any images of sensitive areas of any patients under the age of 18. For patients over the age of 18, the law is different and images can be sent but only with the full consent of the patient. However, we would usually agree a different method of consultation if this was your area of concern.
You are not permitted to send any images to us without the express request of the clinician and this request will be documented in the medical record, including the type and location of the authorised image. Any images sent without express permission or that exceed the permission given will be deleted and may be subject to further action.
By sending photos to us you are consenting to them being stored as part of your secure electronic record using the EMIS Web clinical system, which is used by GP Practices all over the UK to securely store patients' medical records.
To minimise risk to the patient we advise that images be sent via AccuRx text messaging technology or via eConsult in preference to being emailed to the practice. Where images are emailed to us, we transfer them to the patient's secure EMIS Web record and delete them from our practice email account.
Where and how are photos stored?
Where images are emailed to us, we transfer them to the patient's secure EMIS Web record and delete them from our practice email account.
AccuRx data (including photos) is hosted on Microsoft Azure servers in their London Data Centre. All data sent is encrypted when in transit (when it is sent) and at rest (when it is stored). AccuRx follows the Microsoft Azure NHS Blueprint for Platform-as-a-Service web applications, specifically designed for NHS services. Patient images – along with other patient data – are kept in line with the Records Management Code of Practice for Health and Social Care 2016. This requires AccuRx to hold records on behalf of GP practices until 10 years after a patient has died. However, we would delete the data earlier than suggested by this code if we are informed that the condition of Article 9(3) GDPR and s. 11(1) Data Protection Act 2018 no longer applies: “that the circumstances in which the processing of personal data is carried out… by or under the responsibility of a health professional or a social work professional”.
Can AccuRx access patient photos?
This is not routinely possible. However, as with other record systems, AccuRx are required to be able to access patient data in exceptional circumstances to fulfil our legal obligations as a data processor, such as assisting the data controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR. If such access is required, only designated AccuRx staff can access the data we store on the London Microsoft Azure Data Centre servers. Extensive controls are in place, a full audit trail is kept, and no staff member would view any photos as part of this process.
Is AccuRx NHS approved?
AccuRx are an NHS Digital approved supplier.
What security credentials does AccuRx have?
AccuRx has successfully completed NHS Data Security and Protection Toolkit assurance (under NHS ODS code 8JT17), and both the Cyber Essentials and the Cyber Essentials Plus certifications.
AccuRx are fully compliant, which is for manufacturers of health IT software such as accuRx, and we have been assured by NHS Digital against this standard.
Is AccuRx GDPR compliant?
The Amersham Vale Practice Data Protection Impact Assessment of AccuRx for photo use is available on request.
We may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on our website on the day you use our website. We advise you to print a copy for your records.