Privacy Policy
This document provides information relating to how GP ADHD handles your personal information. The information that we hold is confidential and often sensitive in nature. Any personal information we hold about you is stored and processed under our data protection policy, in line with The Data Protection Act 1998 (in force on the date this statement became operational) and the General Data Protection Regulation (Regulation (EU) 2016/679) adopted on 27th April 2016 and enforceable from 25th May 2018.
Information is retained in line with Department of Health recommendations. Information on a child will be kept until their 25th birthday or 26th if the young person was 17 at the conclusion of treatment, or 8 years after death. Medical records of adult patients are retained for a period of seven years.
This document also provides extra details to accompany specific statements about privacy that you may see when you use our website (such as cookies).
- Contact details of the practice for the data controller:
Dr Chris Schramm, c/- Fulbourn Health Centre, Haggis Gap, Fulbourn, Cambridge CB21 5HD
- Contact details for the data protection officer:
Dr Chris Schramm, c/- Fulbourn Health Centre, Haggis Gap, Fulbourn, Cambridge CB21 5HD
- The purposes for processing the data and the legal basis for processing the data
Processing is for direct patient care in accordance with the Health and Social Care Act 2012 Articles 6(1)(e) and 9(2)(h) – other legal bases when processing for reasons other than direct care include a direction under the Health and Social Care Act 2012 – where disclosures are a legal requirement the lawful basis and special category condition for such processing are: ‘...for compliance with a legal obligation...’ (Article 6(1)(c)) and Article 9(2)(h) ’...management of health or social care systems...’; In the face of an objection from a patient, in many cases we would be likely to be able to demonstrate ‘compelling legitimate grounds’ for continued processing for the safe provision of direct care and processing which is necessary for compliance with a legal obligation.
We rely on legitimate interests as the lawful basis for processing patient data.
GP ADHD has applied the three-part test to demonstrate that we have fully considered and protected individual’s rights and interests.
The three-part test as applied to GP ADHD
Purpose – the provision of medical care
Necessity – without processing data we cannot provide safe medical services to the patient
Balance – We respect the interests & fundamental rights and freedoms of our patients which require the protection of personal data
- Information about with whom data is shared
We hold demographics about our patients (name, date of birth, email, telephone number, postal address, school details and GP details).
We keep clinical records of consultations with patients, which can include sensitive information such as current difficulties, concerns and risks.
We attach copies of letter from consultants, psychometric testing and blood results in the medical records.
This information is kept solely for the provision of medical care for our patients.
Information is strictly personal between ourselves and the patients. Any communication with outside agencies will usually be to secondary care medical services as an integral part of medical care provision to the patient.
- Where we keep the information
GP ADHD is designed to be as paperlight as possible.
We prefer that all documents are sent electronically.
Patient information is stored in the Electronic Medical Record system called Semble. This is a password protected database requiring two factor access and complies with General Data Protection Regulations.
Access to the data is on a need to know basis.
- Our patients have the right to access their medical record and to have inaccurate data corrected
All of our patients have a right to see full contents of their medical records at no cost.
Request should be made in writing or by email rather than verbal.
We reserve the right to remove any information specifically relating to a third party – for example a separate letter with confidential information about another patient.
In this situation the patient asking for release of all records will be notified of any omissions.
We will reply within one month
We reserve the right to refuse or charge for requests that are manifestly unfounded or excessive.
If we refuse a request, we will give a full explanation
In case of conflict you have the right to complain to the supervisory authority and to a judicial remedy.
You must do this without undue delay and at the latest, within one month.
What happens in the event of a data breach?
To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards. In the unlikely event of a data protection breach the Data Protection lead, Dr Chris Schramm will notify the Information Commissioner’s Office (ICO) so that their procedures can be followed.
Breaches which carry any risk to data subjects must be reported to the ICO within 72 hours, together with a summary of the nature of the breach, the steps taken to reduce the risk to data subjects and measures to prevent the breach from happening again. We will also notify all individuals whose data may have been accessed to alert them to the breach and any potential risks.
- Retention periods
Our medical records are retained until death of the patient or request to delete data by the patient
- Complaints
Our patients are entitled to lodge any complaint with the Information Commissioner’s Office(ICO). If they feel that their rights have been breached.
- Consent
GP ADHD does not ask formal consent from patients for the use of an electronic medical record (this is stated clearly to all patients on booking appointments).
Similarly, we do not formally ask for permission to share clinical information (eg when formally referring or conducting a case discussion with a consultant psychiatrist).
Information is kept solely for the provision of medical care for our patients.
Information is strictly personal between GP ADHD and the patients.
Any communication with outside agencies is will usually be to specialist medical services as an integral part of medical care provision to the patient.
This is in line with the official guidance.
Explicit consent under the GDPR is distinct from implied consent for sharing for direct care purposes under the common law duty of confidentiality.
The GDPR creates a lawful basis for processing special category health data when it is for the provision of direct care that does not require explicit consent.
A common example of when consent can be implied is when a patient agrees to a referral from one healthcare professional to another. In these circumstances, when the patient agrees to the referral this implies their consent for sharing relevant information to support the referral (unless the patient objects).
The only exception to the above would be - Where there is a legal requirement to disclose, for example, a direction under the Health and Social Care Act 2012 or disclosures under public health legislation.