Cwm Taf Morgannwg University Health Board
ACCESS STANDARDS 2019
A new set of standards were announced by the minister for Health and Social Services in March 2019 that are aimed to raise and improve the level of service for patients in Wales from their GP practices.
These standards are set out below:
· Patients receive a prompt response to their contact with a GP practice via the telephone
· Practices have the appropriate telephone systems in place to support the needs of people avoiding the need to call back multiple times and will check that they are handling calls in this way
· Patients receive bilingual (Welsh & English) information on local and emergency services when contacting the practice
· Patients can use a range of options to contact their GP practice and to make an appointment
· Patients are able to email a practice to request a non-urgent consultation or a call back
· Patients are able to access information on how to get help and advice
· Patients receive the right care at the right time in a joined up way that is based on their needs
· Practices understand the needs of their patients and use this information to anticipate the demand on its service
PRIVACY STATEMENT, Practice 2
Purpose of providing this privacy information
This privacy notice tells you what to expect when you, and sometimes others, provide your personal information to us. It sets out what information we collect about you and why we collect it, how the information may be used, who it may be shared with and how we will protect it and keep it confidential.
The notice explains what rights you have to control how we use your information, our legal basis for processing it and how you can access it. We also explain who to contact if you have any questions and how to contact them.
Practice 2 is the Data Controller for the personal information we process, unless otherwise stated. There are many ways you can contact the Practice, including by phone, email, and post. Further details can be found on our webpage. Practice 2 Keir Hardie Health Park | Welcome to Practice 2 Online (wales.nhs.uk)
Why do we need information about you?
All Health and Social Care organisations that provide you with care are required by law to maintain records about your health and any treatment or care you have received.
The Practice collects and holds information for the purpose of providing healthcare services to our patients and running our organisation, which includes monitoring the quality of care and planning the care that we provide our patients.
To do this we may collect information about you which helps us:
We may keep your information in written form and/or in digital/electronic form. The records will include basic details about you, such as your name and address. They may also contain sensitive information about your health such as outcomes of assessments. All information about you is treated confidentially and only shared as described in this Privacy Notice.
What information do we collect about you?
We hold different types of information about you which forms part of your medical record and is mainly held to ensure you receive the best possible treatment and care. For example,
Personal information may include:
We may also hold your email address, marital status, occupation, oversees status, place of birth and preferred name or maiden name.
Sensitive personal information also called Special Category data may include:
Where do we collect your information from?
The information we hold about you is collected through a variety of sources, including, but not limited to:
How will we process your information?
To ensure you receive the best possible care, your records are used to facilitate the care you receive. For example, the Practice may need to share your information with other health and care services who will provide you with direct care and treatment, i.e. when referring you to a Consultant in hospital for specialist treatment. g
Information held about you may be used to help protect the health of the public and to help manage the NHS. It may also be used in National Screening Programmes, medical research and clinical audits. For National Data Collection requirements, safeguarding and legal requirements. Where necessary it may be used for the security and safety of our staff and our premises.
In some cases, you can object to your personal information being shared with other healthcare providers but you should be aware that this may, in some instances, affect your care as important information about your health might not be available to healthcare staff in other organisations. If this limits the treatment that you can receive then the Practice staff will explain this to you at the time you object.
We will not share your information with any third parties for the purpose of direct marketing.
What legal basis do we use to process your personal information?
When we process your personal information, we will only do so where there is a legal basis. Much of our processing relates to your direct care and treatment:
Where we have a specific legal obligation that requires the processing of personal data, the legal basis will be:
Where we process special category data, for example data including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR.
Where we are processing special category personal data for purposes related to the commissioning and provision of health services the condition will be:
Where we process your personal data for the purposes of research, the legal basis for doing so will be:
Where we are processing special category personal data for purposes related to research, the legal basis will be:
The Practice may also process personal data for the purpose of, or in connection with, legal proceedings, including prospective legal proceedings, for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights.
Where we process personal data for these purposes, the legal basis for doing so will be:
Where we process special category personal data for these purposes, the legal basis for doing so will be:
On occasions, we may need to share your information with law enforcement agencies or to protect the wellbeing of others. For example, to safeguard children or vulnerable adults.
Where we process personal data for these purposes, the legal basis for doing so will be:
Where we share special category personal data for these purposes of safeguarding, the legal basis for doing so is:
Who are the partner organisations we may share your information with?
In order to deliver the best possible service, the Practice may share your information, where required, with other NHS bodies such as other GP Practices and hospitals. The information that makes up your record is also essential to help these organisations provide you with the best possible care.
All organisations that we work with are subject to strict data sharing and/or processing agreements which set out how data will be used and forms part of their contractual obligations.
The organisations we may share your information with are:
We will never share your information without establishing the legal basis to do so, unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it.
Our guiding principle is that we are holding your records in strictest confidence; we are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued.
Third party processors
The Practice may use carefully selected third party service providers. When we use such a service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep your data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties includes:
Further details regarding specific third-party processors can be supplied on request by the Practice.
What rights do you have when we process your information?
The United Kingdom General Data Protection Regulation (UK GDPR) provides several rights to individuals. The practice must generally respond to requests in relation to you exercising any of these rights within one month, although there are some exceptions to this. The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.
Right to be informed
Your right to be informed is met by the provision of this privacy information, and similar information when we communicate with you directly; at the point of contact.
Right of access
You have the right to obtain a copy of the personal information that we hold about you and other information specified in the UK GDPR, although there are exceptions to what we are obliged to disclose. A situation in which we may not provide all the information your request is where, in the opinion of an appropriate health professional, disclosure would be likely to cause serious harm to you, or somebody else’s physical or mental health. See the ‘How can you access your information?’ section for further details.
Right to rectification
You have the right to ask us to rectify any personal information that we hold about you that you consider is inaccurate.
Right to erasure (‘right to be forgotten’)
You have the right to request that we erase personal information about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the information.
Right to restriction of processing
You have the right to request that we restrict processing of personal information that we hold about you. You can ask us to do this, for example, where you contest the accuracy of the data.
Right to data portability
This right is only available where the legal basis for processing under the UK GDPR is consent, or for the purposes of a contract between you and the Practice. For this to apply the information must be held in electronic form. The right is to be provided with the data in a commonly used electronic format.
Right to object
You have the right to object to the processing of your personal information about you on the grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.
Rights in relation to automated individual decision-making including profiling
You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy information, and ensure that you have an opportunity to request that the decision involves personal consideration.
Right to complain to the Information Commissioner
You have the right to complain to the Information Commissioner if you are not happy with any aspect of the Practice processing your personal information or you believe that we are not meeting our responsibilities as a data controller.
The contact details are:
Address: Information Commissioner’s Office, Wycliffe House Water Lane, Wilmslow SK9 5AF
Phone: 0303 123 1113
Website: Information Commissioner's Office (ICO)
How can you access your information?
If you wish to see or have a copy of the information we hold about you, you can make a Subject Access Request or SAR. These requests can be made in writing, by email or by speaking to us. Alternatively, you can complete the Subject Access Request (SAR) form on our website.
Note: Please be aware when emailing information to the Practice that we cannot guarantee the security of this information whilst in transit, and that by using this facility you are accepting the risk. If you choose to email us, we recommend that you do not include sensitive information with the body of the email.
Your request should specify you are making a request to access your own information, by clearly marking your request ‘subject access request’. Providing us with sufficient information will enable us to locate your required information in a timely manner. Please date your request and provide:
Where necessary, we may require acceptable proof of identification and address consisting of one item from List A and one from List B:
All requests will be recorded and normally responded to within one month. If your request is complex or considered excessive, we may require extra time to consider your request which may take up to an additional two months. However, we will inform you if this is the case.
In most circumstances we will not charge to fulfil your request however, a reasonable fee may be charged for the administration of the request in certain instances, for example, if we think your request is manifestly unfounded or excessive or where further copies of information are requested.
The Practice is the data controller for the health records of Patients registered with us. Where an individual is not currently registered with a GP or is deceased, then these records are held by NHS Wales Shared Service Partnership (NWSSP). Please visit the NWSSP website for further information.
How do we maintain your information?
Your personal information is held in both paper and electronic forms for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care 2022.
We hold and process your information in accordance with the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). In addition, everybody working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
The Practice will keep your information in-line with our Records Management Policy.
How can you help us to maintain your records?
Change of contact details
It is important that you tell the person treating you if any of your details such as your name, address and contact telephone number have changed or if any of your details are incorrect in order for this to be amended.
Please inform us of any changes so our records for you are accurate and up to date.
Mobile numbers and text messaging
If you provide us with your mobile phone number, we may use this to send you reminders about your appointments, responses to your online queries, health screening questions, test results and information about the services we provide.
You are responsible for ensuring the Practice has your most up to date mobile number.
Please let us know if you do not wish to receive reminders on your mobile.
Email address
Where you have provided us with your email address, we may use this to send you responses to your online queries and information about the services we provide. Please be aware when emailing information to the Practice that we cannot guarantee the security of this information whilst in transit, and that by using this facility you are accepting the risk. If you choose to email us, we recommend that you do not include sensitive information with the body of the email.
If you do not wish to receive communications by email, please let us know.
Notification and data protection certification?
Data Protection legislation requires organisations to register a notification with the Information Commissioner’s Office to describe the purposes for which they process personal and sensitive information.
This Practice is registered as a data controller with the Information Commissioner’s Office (ICO). A ‘data controller’ determines the purposes and means of processing personal data.
Our registration can be viewed online in the public register at:
http://ico.org.uk/what_we_cover/register_of_data_controllers
Complaints
If you have concerns or queries about how we process your personal information, please contact the Practice direct or our Data Protection Officer in the first instance.
Practice Information Governance Lead
Practice Manager
Data Protection Officer
Under UK Data Protection legislation, the Practice is required to appoint a Data Protection Officer (DPO). This role is essential in facilitating the Practice accountability and compliance with data protection requirements.
The Practice DPO is: Practice Manager
Purpose of providing this privacy information
This privacy notice tells you what to expect when you, and sometimes others, provide your personal information to us. It sets out what information we collect about you and why we collect it, how the information may be used, who it may be shared with and how we will protect it and keep it confidential.
The notice explains what rights you have to control how we use your information, our legal basis for processing it and how you can access it. We also explain who to contact if you have any questions and how to contact them.
Mandy Mahoney is the Data Controller for the personal information we process, unless otherwise stated. There are many ways you can contact the Practice, including by phone, email, and post. Further details can be found on our Practice Details webpage.
Complaints
If you have concerns or queries about how we process your personal information, please contact the Practice direct or our Data Protection Officer in the first instance.
Practice Information Governance Lead
Practice Manager
Data Protection Officer
Under UK Data Protection legislation, the Practice is required to appoint a Data Protection Officer (DPO). This role is essential in facilitating the Practice accountability and compliance with data protection requirements.
The Practice DPO is: