Welcome. Your GP practice and other organisations involved in your care and treatment collect information about you and share it into the Surrey Care Record. This Privacy Notice is for use by these organisations. It tells you about how that information may be used and how it is kept confidential. It also confirms your rights concerning your health and social care data.
The purpose(s) of the sharing:
The Surrey Care Record is an Electronic Health Record (EHR) linking system that brings together patient/client’s information across health and care systems in a secure manner, giving a real-time summary of your information which is held within a number of local records.
Benefits of such a system are:
- Improved quality of care – information about your care will be instantly available to clinicians for more accurate diagnosis and on-going treatment. Duplication of tests will be avoided.
- Improved patient safety – there will be greater visibility for your health and social providers about your current medications, allergies and adverse reactions.
- Reduced delays in care – test results will be readily available reduces patient waiting time.
The categories of personal information we share:
Personal information (or Personal Data) means any information about individual from which that person can be identified. It does not include information where the identity has been removed (anonymous data). The Personal Data that is shared includes:
- Identifying Data: Forename, Surname, Address, Date of Birth, Gender, Age, Postal Address, Postcode, Telephone Number, NHS Number and Hospital ID
- Special categories of Personal Data: Racial or ethnic origin, Physical/mental health or condition. For example, blood test results, MRI scan results, etc.
However, not every element of your information is part of the joint record. Examples of the sensitive information that will be left out include fertility treatment records, domestic violence and criminal records.
What is the lawful basis for the sharing?
The processing (sharing) of Personal Data for these purposes is permitted under Article 6(1) (e) of the General Data Protection Regulation:
- Public Task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The processing (sharing) of special categories of Personal Data via the SyCR system is permitted under Article 9 (2) (h) of the General Data Protection Regulations:
- Direct Care and Administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”
What we use your Personal Data and special categories of Personal Data (known as or sensitive personal) for:
The Personal Data that we share will be used by the partners to provide you with the best possible direct care delivery.
Organisations we share your personal information with:
Personal Data will only be shared between the health and care organisations which have signed the Surrey Heartlands Information Sharing Agreement and authorised data processors for the SyCR. These currently include:
We soon expect other health and social care organisations to be sharing / accessing data via the SyCR including:
What is the Surrey Care Record (SyCR)?
A record of care is held on each partner’s secure clinical system (local record). Graphnet, a supplier of healthcare systems has designed a secure system. This system integrates data from those multiple electronic health and care systems to provide a real-time and read-only summary of that data to a health or social care professional when required for the purpose of direct care.
How will the information be made available?
The information is accessed in real time and on-demand and presented as a read only view; meaning that the Personal Data from a partner’s local record is not changed. The data remains within each Partner’s database and users are allowed read-view access only. Access to your data depends on the professional having access in their own clinical systems, so professionals can only see information regarding patients that are being referred for treatment or have been treated by them.
How long do we keep your record?
As SyCR is only used to share, rather than store, data contained within a local record, the retention of data is set by individual partners who follow the NHS Records Management Code of Practice for Health and Social Care 2016.
How we keep your personal information safe and secure?
We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential
Our appropriate technical and security measures include:
- complying with Data Protection Legislation;
- encrypting Personal Data transmitted between partners;
- implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
- completion of the Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements;
- use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Authority Personal Data under the Surrey Care Record (SyCR) system are auditable against an individual;
- ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.
The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff with access to Personal Data are trained to ensure information is kept confidential.
What are your rights?
Under the Data Protection Legislation, you have the right to:
- be informed of our uses of your data (the purpose of this document);
- request copies of your personal information and to use these for data portability;
- request rectification of any inaccuracy in your Personal Data or special categories of Personal Data;
- restrict the processing of your personal information where the accuracy of the data is contested or, where the processing/sharing is no longer needed;
- not be subject to automated decision making or profiling. There is no automated decision making or profiling in SyCR; and;
- complain about our handling of your data to our data protection officer or to the regulator.
NHS Surrey Heartlands Clinical Commissioning Group (the CCG) co-ordinate requests relating to the SyCR and you should therefore contact the CCG’s Information Governance Team by email at firstname.lastname@example.org if you wish to exercise your rights.
How can I access the information you keep about me?
To access your Personal Data you should contact the CCG’s Information Governance Team by emailing them at email@example.com
If you believe that the data receive in response to the request contains errors, you should contact the relevant partner’s Data Protection Officer (details of these will be provided to you with our response).
How can I object to my data sharing via SyCR?
You also have the right to object of sharing Personal Confidential Data via SyCR (the right to object to processing). However the NHS strongly recommends the sharing of data and real world experience demonstrates that it leads to higher quality and safer care. An objection to sharing your information will mean that your data will not be shared for any kind of direct care, including extended hours GP access and emergencies. We ask you to think carefully before making this decision as sharing your health and social care information will make it easier for services to provide the best treatment and care for you.
If you chose to object, we may still need to share data for your care, but it will be using less immediate methods such as email. For example, with SyCR, your GP can refer you to a hospital consultant who can then see all the data they may need, but if you are objecting they can only see what the GP put on the email.
If you do wish to object, you should therefore contact your GP practice or the other organisations involved in your care and understand what it means for you. If you choose to object:
- You may have to answer questions repeatedly because your full history may not be available to the care professional assessing you.
- Decisions about your care may take longer, even in emergency situations, as history needs to be confirmed.
- Some medical tests may get repeated unnecessarily e.g. if you had a blood test with your hospital consultant, your GP may not be able to see this.
Right to complain:
You can get further advice or report a concern directly to:
In the first instance – the CCG’s Data Protection Officer (via email at firstname.lastname@example.org).
You also have the right to contact the UK’s supervisory authority (Information Commissioner’s Office) by:
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
- Email: https://ico.org.uk/concerns/handling/
Further information about the way in which the NHS uses personal information and your rights is published by NHS Digital:
The NHS Care Record Guarantee
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data and how data is protected under Data Protection Legislation.
The NHS Constitution
The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.
NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.
Reviews of and Changes to this Privacy Notice
We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your data.
This version was last updated by the CCG’s DPO on the 07/09/2020