Privacy Policy
Your data, privacy and the Law. How we use your medical records
- This practice handles medical records according to the laws on data protection and confidentiality.
- We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need-to-know basis and event by event.
- Some of your data is automatically copied to the Shared Care Summary Record.
- We share some of your data with the local out of hours/urgent or emergency care service.
- Data about you is used to manage national screening campaigns such as Flu, Cervical cytology and Diabetes prevention.
- Data about you, usually de-identified, is used to manage the NHS and make payments.
- We share information when the law requires us to do so, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people.
- Your data is used to check the quality of care provided by the NHS.
- We may also share medical records for medical research. This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this, see the GP Practice Privacy Notice for General Practice Data for Planning and Research.
Direct Care
Under the National Health Service Act 2006 and the Health and Social Care Act 2012, the Margaret Thompson Medical Centre is required by law to process your personal data to provide you with direct care. Therefore, under current Data Protection legislation (the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR)), the processing of your personal data is necessary under:
- UK GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
Where we process special categories of sensitive information relating to your physical and/or mental health, racial or ethnic origin, etc, we do so under:
- UK GDPR Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services….”
Use of Third-Party Companies
When we use a third-party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient-facing services (such as our website and service accessible through the same); systems which facilitate appointment bookings or electronic prescription services; document management services etc.
Automated Decision Making
The Margaret Thompson Medical Centre uses AI, which incorporates the use of personal and special category data, for the following:
- identifying patients at risk of cancer at the earliest stage, through its use of C the Signs software.
The Practice does not carry out any automated decision making where AI solely decides on what care or treatment a person should receive. A health and care professional will always make the final decision. The Practice may also use instances of AI that use automated decision making to improve efficiency, which does not use personal data.
Data Protection Officer
The Practice’s Data Protection Officer (DPO) Service is provided by NHS Informatics Merseyside, who can be contacted by emailing DPO.IM@imerseyside.nhs.uk.
Data Controller
Dr Stephen McKenzie
Margaret Thompson Medical Centre
Liverpool
L24 6TH
For more information, please ask at reception or alternatively see the additional documentation in the privacy notice menu.