Orion PCN Patient Privacy Notice
We are part of the Orion PCN which is a network of GPs and health and care organisations established to provide integrated services to the local population. Members of the network are:
1. WESTCOTES GP SURGERY (ONE) - 2 Westcotes Dr, Leicester LE3 0QR
2. DR S SHAFI – BRITON STREET SURGERY, 5 Briton St, Leicester LE3 0AA
3. COSSINGTON PARK SURGERY - Belgrave Health Centre, 52 Brandon St, Leicester LE4 6AW
4. AYLESTONE HEALTH CENTRE - 15 Hall Ln, Aylestone, Leicester LE2 8SF
5. WESTCOTES GP SURGERY (TWO) - 2 Westcotes Dr, Leicester LE3 0QR
6. WEST END MEDICAL PRACTICE – Westcotes Health Centre
By operating as a network, we are able to provide a more comprehensive set of services, provided by local clinicians and health and care providers. These services currently include:
· Enhanced Care in Care Homes
· Structured Medication Reviews
· Social Prescribing Service
· Enhanced Access
· Covid Vaccination Clinics
· Research
Where necessary and relevant to support your direct care, we will share your confidential patient information with members of our network to support safe, efficient and effective care and treatment.
To enable us to provide the additional services and tailored treatment, we sometimes need to share data from your GP health records with the other organisations involved in delivering them.
This includes:
· Other GP Practices within the PCN – which may employ staff involved in delivering the services
· University Hospital Leicester NHS Trust – our local Hospital
· Community nursing services
· Leicestershire Partnership Trusts
· Leicester City Council – which provide social care services for patients of practices within the PCN
· Leicestershire Partnership Trust – which provide mental health services for patients of practices within the PCN
· Ambulance Services – which provide emergency care services for patients of practices within the PCN
· Voluntary Sector Providers (with your consent)
· Clinical system provider (SystmOne allows health and social care providers who are involved in delivering care to you (either currently or in the future) to benefit from being able to access your electronic health record, to support them with making a fully informed decision about the care you require. The practices have set their allowed list of providers which includes: University Hospitals of Leicester, Leicestershire Partnership Trust, LOROS, Derbyshire Health United, Leicester City Council, Leicestershire County Council and Rutland County Council).
We will only share identifiable data about you with organisations that could be involved in determining and / or providing your care and treatment. Your data will only be shared with health and social care professionals who are working under a contractual duty of confidentiality.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
· Data Protection Act 1998 and General Data Protection Regulation 2016
· Human Rights Act 1998
· Common Law Duty of Confidentiality
· Health and Social Care Act 2012
· NHS Codes of Confidentiality, Information Security and Records Management
· Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
We will use data which you cannot be identified from when we are undertaking the planning and commissioning of local health and care services. This ‘de-identified data’ is effectively anonymised in accordance with the Information Commissioner’s Office Code of Practice, a summary of which is available at ico.org.uk/anonymisation_code_summary (PDF).
If you are not happy for your health data to be shared with the organisations detailed above, then you can object to this. To do so you should contact your registered Practice so they can discuss the potential impact this could have on your care and treatment.
If you do not wish for your de-identified data to be used for planning and commissioning of PCN services, you are able to opt out of this via the National Opt-Out – please see the NHS website for further details: www.nhs.uk/your-nhs-data-matters
If you have provided us with your mobile telephone number, we may use this to send you text reminders about your appointments or health screening information that may be carried out. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
GP Connect service
We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care.
Authorised clinicians such as GPs, NHS 111 clinicians, care home nurses (if you are in a care home), secondary care trusts and social care clinicians are able to access the GP records of the patients they are treating via GP Connect.
The NHS 111 service (and other services determined locally e.g., other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.
The organisation is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do.
Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:
• Article 6(1)(e) ‘…exercise of official authority…’.
For the processing of special categories data, the basis is:
• Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’
Safeguarding information such as referrals to safeguarding teams is retained by [insert organisation name] when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
This information is publicly available on the Information Commissioner’s Office website www.ico.org.uk
The practices within the PCN are registered with the Information Commissioner’s Office (ICO).
Further information about the way in which the NHS uses personal information and your rights in that respect can be found in:
· The NHS Care Record Guarantee: http://www.nigb.nhs.uk/pubs/nhscrg.pdf
· The NHS Constitution: https://www.gov.uk/government/publications/the-nhs-constitution-for-england
· NHS Digital’s Guide to Confidentiality in Health & Social Care gives more information on the rules around information sharing: http://content.digital.nhs.uk/article/4979/Assuring-information
· An independent review of how information about patients is shared across the health and care system, led by Dame Fiona Caldicott, was conducted in 2012. The report, Information: To share or not to share? The Information Governance Review, can be found at: https://www.gov.uk/government/publications/the-information-governance-review
Our PCN gathers and processes personal data relating to its employees to enable us to run the business and manage our relationship with you. We are committed to being open and transparent about how we gather and use that data and to meeting our data protection obligations.
This privacy notice applies to personal information processed by or on behalf of Orion PCN when recruiting PCN and ARRS Staff on behalf of the member practices.
This notice explains:
· Who we are, how we use your information and our data protection officer (DPO)
· What kind of personal information about you we process
· What the legal grounds are for our processing of your personal information (including when we share it with others)
· What you should do if your personal information changes
· For how long your personal information is retained by us
· What your rights are under data protection laws
The UK General Data Protection Regulation (GDPR) became law on 24th May 2016. This is a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25th May 2018, repealing the Data Protection Act (1998).
For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") and the Data Protection Act 2018 (DPA2018)), the organisation responsible for your personal data is [insert organisation name].
This notice describes how we collect, use and process your personal data and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us and we are committed to protecting and safeguarding your data privacy rights.
A member practice of Orion PCN will be the lead employer on behalf of the PCN and will be what is known as the ‘controller’ of the personal data you provide to us. Upon commencement of employment with the organisation you will be asked to supply the following personal information:
• Name
• Address
• Telephone numbers
• Email address
• Date of birth
• Gender
• Marital status and family details
• National insurance number
• Bank details
• Emergency contact information
• Health information
• Vaccination and immunisation status/information
• Recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments
• Information about your contract of employment (or services) including start and end dates of employment, role and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits and holiday entitlement
• Your identification documents including passport and driving licence and information in relation to your immigration status and right to work for us
• Information relating to disciplinary or grievance investigations and proceedings involving you (whether or not you were the main subject of those proceedings)
• Information relating to your performance and behaviour at work
• Training records
• Electronic information in relation to your use of IT systems/swipe cards/telephone systems
• Your images (whether captured on CCTV, by photograph or video)
The information that we ask you to provide to the organisation is required by the business for the following reasons:
• In order for us to pay your salary
• In order for us to contact you out of hours if required
• To provide you with organisation information via email and post if required
• To have the ability to contact your emergency contacts if necessary
• To ensure we are able to inform the emergency services if your health is compromised
• To ensure that we can provide any reasonable adjustments as necessary
• To comply with payroll, auto-enrolment and RTI responsibilities
The organisation may collect this information in a variety of ways, for example from application forms, CVs or resumes, obtained from your passport or other identity documents such as your driving licence, from forms completed by you at the start of or during employment (such as pensions benefit nomination forms), from correspondence with you or through interviews, meetings or other assessments.
This personal data might be provided to us by you or someone else (such as a former employer, your doctor or a credit reference agency and information from criminal records checks permitted by law) or it could be created by us.
Your personal data will be stored in a range of different places including in your personnel file, in the organisation's HR management systems and in other IT systems (including the organisation's email system).
Throughout your employment we will collect data and add to your personnel file i.e., appraisal paperwork, communications, absence information and changes to personnel data.
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities).
Where the organisation processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. This is to carry out its obligations and exercise specific rights in relation to employment.
We need to know your personal, sensitive and confidential data in order to employ you. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:
• Article 6, (b) Necessary for performance of/entering into contract with you
• Article 9(2) (b) Necessary for controller to fulfil employment rights or obligations in employment
This notice applies to the personal data of our employees and the data you have given us about your carers/family members.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
· Data Protection Act 2018
· The UK General Data Protection Regulations
· Human Rights Act 1998
· Common Law Duty of Confidentiality
· NHS Codes of Confidentiality, Information Security and Records Management
We will only ever use or pass on information about you to others who have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on.
Our policy is to respect the privacy of our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific data protection requirements. Our policy is to ensure all personal data related to our staff will be protected.
All employees and sub-contractors engaged by Orion PCN are asked to sign a confidentiality agreement. The organisation will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for Orion PCN, an appropriate contract (art. 24-28) will be established for the processing of your information.
In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the data protection officer in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.
All the personal data we process is processed by our organisation in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a data protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
· PCN Member practice
· Other Primary Care Networks
· Integrated Care Systems
· NHS Commissioning Support Units
· Clinical Commissioning Groups
· NHS England (NHSE) and NHS Digital (NHSD)
· Local authorities
· CQC
· Private sector providers providing employment services
· Other ‘data processors’ which you will be informed of
Your information may be shared internally including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.
Sometimes we might share your personal data with other organisations within our group or our contractors and agents to carry out our obligations under our contract with you or for our legitimate interests, for example to obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service, payroll, the provision of benefits and the provision of occupational health services.
You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.
We may also use external companies to process personal information such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by [insert organisation name] are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the organisation, an appropriate contract (art. 24-28) will be established for the processing of your information.
One of the member practices, which will be employing you on behalf of the PCN, will be registered as a data controller under the Data Protection Act 2018. Registration can be viewed online in the public register at www.ico.gov.uk. This means we are responsible for handling your personal information and collecting and storing it appropriately.
We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.
We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.
More information on records retention can be found online at: NHSX – Records Management Code of Practice 2020
Even if we already hold your personal data, you still have various rights in relation to it. For further information about this, please contact the Manager or the Clinical Director. We will seek to deal with your request without undue delay and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us to resolve any issues that you raise.
· Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
· Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project) or consent to market to you, you may withdraw your consent at any time.
· Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to "erase" your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
· Right of data portability: If you wish, you have the right to transfer your data from us to another data controller.
Data Subject Access Requests (DSAR): You have a right under the data protection legislation to request access to view or to obtain copies of what information this organisation holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:
· Your request should be made to the Practice Manager
· There is no charge to have a copy of the information held about you. However, we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive
· We are required to provide you with information within one month. We would ask therefore that any requests you make are in writing and it is made clear to us what and how much information you require
· You will need to give adequate information (for example full name, address, date of birth and details of your request) so that your identity can be verified and your records located
You should tell us so that we can update our records. Please contact the PCN Manager or the Practice Manager of the member PCN Practice as soon as any of your details change. This is especially important for changes of address or contact details (such as your mobile phone number).
Should you have any questions about this privacy policy or the information we hold about you, you can:
1. Contact the organisation
2. Write to the data protection officer for your employing practice
3. Ask to speak to the practice manager or the PCN Manager
In the unlikely event that you are unhappy with any element of our data processing methods, do please contact the practice manager of your registered Practice in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113
The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.
Orion Primary Care Network
Westcotes Health Centre, Fosse Road, Leicester, England LE3 0LS, United Kingdom