Privacy notice: How we use your information (patients)

Under UK legislation, primarily the UK General Data Protection Regulation (GDPR) and Data Protection Act (2018), gtd healthcare utilises and processes your information on the following bases:

Article 6 (1)

(c) Legal obligation: the processing is necessary to comply with the law, e.g. directions under the Health and Social Care Act 2012 or disclosures under public health legislation.

(e) Public task: the processing is necessary to perform a task in the public interest or for our official functions as a provider of healthcare services.

Some of the information gtd healthcare gathers and retains is considered personal and sensitive, which under GDPR is classed as special category data. In addition to health-related information, this may include information about an individual’s: race, ethnic origin, religion, sexual orientation. This is processed under:

Article 9 (2)

(b): processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

(j): processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes.

Where a request for personal confidential data from an insurance company, solicitor or employer is received, this will be processed under the lawful basis and lawful condition of explicit consent under both Articles 6(1)(a) and Article 9(1)(a) where, the individual has given clear consent for us to process their personal data for a specific purpose.

For further information on the lawful basis on processing, please visit the ICO website.

The team of professionals caring for you will keep records about your treatment, and the care and services provided to you, both on paper and electronically, including the recording of telephone contacts with the service. The amount and variety of information we have about you will be dependent upon which of our services you have used. For example, our GP practices will hold much more of your information than our urgent care services.

Information held may include:

• Personal details such as name, address, date of birth, ethnicity and religion, NHS number, next of kin and contact details (telephone/email)
• Contact we have had with you e.g. GP, hospital admissions, outpatients/clinic appointments and home visits
• Notes and reports by health and social care professionals about your health
• Details and records about your treatment and care
• Results of X-rays, laboratory tests, and any other tests
• Relevant information about people who care for you and know you well
• Basic details about associated people e.g. children, partners, carers and relatives

Information is used for the following purposes:

• To provide you with care/treatment and care plans, both now and in the future, ensuring that appropriate information is available to all those who treat you medically and care for you professionally.
• To ensure your care is safe and effective.
• To support you in managing your own care and work with health and social care professionals to ensure there is no decision made about you without your involvement.
• Where you have consented, to involve your relatives/representatives in your care.
• Where you have consented, to contact you directly.
• To train and educate staff e.g. clinical placements. Identifiable information may be used for this purpose.
• To assess and improve the quality and type of care you receive.
• To support the investigation and management of complaints, incidents or legal claims.

Everyone working within gtd healthcare has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

We will only ever share your information if it is in the best interest for your care. In some cases we work with other organisations to provide onward care for our patients; where appropriate, we may share information with them. In addition, we will also share information with the following specific main partner organisations:

• Local GP practices;
• Hospitals that are involved in your care;
• Ambulance services;
• NHS 111;
• Community healthcare providers, e.g. district nurses, health visitors, etc.

You may receive care from other people as well as the NHS, for example, social care services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

• social care services;
• education services;
• local authorities;
• voluntary and private sector providers working with the NHS.

We will not disclose any information that identifies you to anyone outside of those providing your care without your express permission unless there are exceptional circumstances, such as:

• when there is serious risk of harm to yourself or others;
• the duty to share your information outweighs the obligation of confidentiality;
• the immediate need to protect national security;
• there is a permission granted under div 251 of the NHS Act 2006(1);
• a court issues an order to release your information;
• where there is another statutory or legal basis for disclosure.

In addition, to support our GP practices' administrative processes we utilise the services of external providers who assist with document management (Nova) and the processing of some of the requests for information received (Medi2Data) e.g. data subject access requests and medical reports.

Different sharing agreements may apply in different areas.

Greater Manchester

The Greater Manchester (GM) Care Record

Primary care

Cardiovascular Disease Prevention Audit

To support us in providing you with the best and most appropriate healthcare, we may collect personal data about you from other sources, including:

• your next of kin or other family member;
• other doctors, clinicians and healthcare professionals;
• hospitals, clinics and other healthcare providers;
• your employer when they provide information;
• translators and interpreters;
• any health professional or organisation who provides information for the continuity of your care;
• information from a local authority or the police.

GP Connect

We use a service called GP Connect to support your direct care. GP Connect allows authorised health and social care workers in a variety of care settings to access their patients' GP records.

At gtd healthcare, we may use GP Connect to:

• view your GP care record and associated documents to ensure that we have your up-to-date medical information to provide you with the safest and most appropriate healthcare;
• send documents to other care settings, e.g. to provide a summary of your contact with us to your GP or other healthcare provider involved in your care;
• manage appointments, e.g. book an appointment for you with your GP or emergency department.

Legal basis for sharing this data

For your personal data to be shared or processed, an appropriate legal basis needs to be in place and recorded. The legal bases for direct care via GP Connect are the same as the legal bases for the care you would receive from your own GP or another healthcare provider.

• For processing personal data: Article 6.1 (e) of the UK GDPR: Processing is necessary for performing a task carried out in the public interest or in exercising official authority vested in the controller.
• For the processing of special category data (which includes your medical information): Article 9.2 (h) of the UK GDPR: Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Your rights

The legal bases used for your care with GP Connect is the same as those in other direct care situations, so your legal rights regarding this data under UK GDPR will also be the same. Further information is available here.

Opting-out of GP Connect

If you do not wish your information to be shared using GP Connect, you can opt-out by contacting your GP practice.

Further information about GP Connect is available here.

We need to be able to move electronic information from system to system, extracting data, processing and modifying it for the next system. Occasionally, tests will need to be made on the data, sometimes with our system suppliers, to check that it has been transferred correctly. This will only be done under carefully controlled conditions.

All information that we process on individuals is managed in line with the Records Management Code of Practice for Health and Social Care; GP records are currently retained until the death of the patient. No records that we hold related to individuals are processed outside of the United Kingdom.

Accessing your information

You have the right of access to your own records and you may authorise by consent, a third party to seek access on your behalf, for example a solicitor. A person appointed by a court to manage your affairs may also make an application on your behalf.

Children over 16 and those under 16 who are deemed to have capacity to understand the significance of disclosing their records, may apply. Parents of such children have no automatic entitlement to their children's records.

Patients registered with our GP practices are able to have some limited access to their records via the web as well as being able to make appointments and order repeat prescriptions. Please speak to your gtd practice directly to make the necessary arrangements.

If you require more detailed GP records you should apply directly to the practice, please click here for contact details. For any of our other services, requests should be directed to our head office via gtd.governance@nhs.net. gtd will aim to provide the information to you within one month of your request; where this is not possible, we will provide you with an explanation for any delay, omissions or refusals.

Although it is not necessary, you may find one of the forms below useful for applying for access to your records:

• Adult - GP practice records
• Child - GP practice records
• Adult - out-of-hours / urgent care records
• Child - out-of-hours / urgent care records

Contact details for gtd healthcare's GP practices are available here.

Access may be denied or limited where a healthcare professional deems giving you the information may cause serious harm to you or others, or would disclose details of third parties to which you are not entitled, and they have not consented to the disclosure.

Keeping information up-to-date

gtd healthcare has obligations under GDPR to keep information we have generated about you accurate and up to date. If you consider that any part of the information held in your record is inaccurate, you can apply in writing to have this amended providing evidence as to the correct details. If we agree that the information is incorrect, the alteration will be made. If we are not satisfied that the information is incorrect, a note will be made of the information you consider is inaccurate. You will be given a copy of either the correction or the note.

If we hold information about you that originated from another organisation that you consider to be inaccurate, you should contact that organisation directly. You will be advised of the process to be followed by that organisation.

Right to object

Under GDPR individuals have a general right to object to the processing of their data in certain circumstances. However, where the data processed by gtd is carried our under a lawful basis, this right does not apply. Where data has been processed based upon your consent, this consent can be withdrawn at any time, e.g. sharing of your records with your solicitor to which you had previously provided consent but subsequently withdraw consent.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process to help organisations to identify and minimise the data protection risks. gtd healthcare has DPIAs for any processing that is likely to result in a high risk to the data security and protections rights of individuals.

Aside from describing the nature, scope, context and purposes of the processing, these also detail whether the information being collected:

• Complies with privacy-related legal and regulatory compliance requirements;
• The risks and effects of collecting, maintaining and sharing of personal and sensitive information;
• The security and processes in place for handling information to alleviate any potential privacy risks.

DPIAs are available to members of the public upon request via the contact details below.

If you have any queries or complaints in relation to any of the information provided within this privacy notice, please contact:

• Tel: 0161 337 3465
• Email: gtd.dataprotection@nhs.net

Further information

The Information Commissioner is the regulator for privacy and information rights legislation. For further information, please visit the Information Commissioner's Office (ICO) website.

Contact details

• Tel: 0303 123 1113

If you need help to understand the information in this leaflet, require it in another format (for example Braille), or in another language, please speak to a member of staff who are currently providing your care.

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Cookies are used minimally on this website for site usage analytics. You may delete and block all cookies from this site, but some parts of the site may not work as expected.

In order to help us to improve the content, format and structure of this website we record and analyse how visitors use the website. For this purpose, we use Google Analytics.

"This website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above."

We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will be up front about this and we will make it clear when we collect personal information and will explain what we intend to do with it.

For more information on enabling and disabling cookies please visit About Cookies.

Necessary cookies

The following cookies are necessary to our site functioning.

Necessary accessibility cookies

The following necessary cookies allow the functions within our accessibility toolbar to work optimally.

Additional cookies

The following third-party cookies are used for analytical and media purposes.

If you do not accept use of these additional cookies, some third-party media content - such as YouTube, Vimeo or Google Maps - may not load on this website.

Analytics cookies

In order to help us to improve the content, format and structure of this website we record and analyse how visitors use the using Google Analytics.

You can read Google’s extensive information on data practices in Google Analytics.

You can opt-out of Google Analytics on our website by denying additional cookies or by using the Google Analytics Opt-out Browser Add-on.

Embed cookies

We may use embeds from YouTube, Google Maps or Vimeo on our site to display content. That content uses the following third-party cookies. Where possible, we will use privacy-oriented settings to ensure as few cookies as possible require consent.

These additional cookies that remain, and the content from which they stem, will not display on the site unless you choose to ‘Accept additional cookies’.