Privacy

bosvena health logo

1          Introduction

This document applies to all practices who are part of the Three Harbours and Bosvena Primary Care Network (PCN). Where the document refers to “The PCN Practice”, “The PCN organisation” or “the practice”, the PCN and the GP Practices of “Bosvena Health”, “Fowey River Practice”, “Lostwithiel Medical Practice” and “Middleway Surgery” are being referenced.

1.1      Policy Statement

This fair processing notice explains why the GP practice collects information about you and how that information may be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.).  These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology solutions to ensure that your information is kept confidential and secure.  Records which this Practice holds about you may include the following information:

  • Details about you, such as your address, carer, legal representative, emergency contact details, next of kin
  • Any contact the surgery has had with you, such as appointments, telephone, Kliniks submitted by you, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc.
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS.  Information may be used within the GP practice for clinical audit to monitor the quality of the service provided. Some of this information will be held centrally and used for statistical purposes.  Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – if this information needs to be identifiable, the surgery will always gain your explicit consent before releasing the information for this purpose.

1.2      Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention.  Information about you is collected from a number of sources including NHS Trusts and from this GP Practice.  A risk score is then arrived at through an analysis of your anonymised information using software managed by our clinical system provider and is only provided back to your GP as data controller in an identifiable form.  Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness.  If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

1.3      Medicine Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.  This service is provided by pharmacists and Technicians employed by Cornwall and Isles of Scilly Integrated Care Board (ICB).  They are bound by the same confidentiality rules as our staff are.

1.4      Stop Smoking Service

The practice offers a Stop Smoking Service.  Patients, who have expressly requested the services of our smoking cessation counsellors, will be offered counselling and other treatments with a view to ceasing smoking.  This service is provided by Smoking cessation counsellors who are employed by Cornwall County Council. They are bound by the same confidentiality rules as our staff are.

1.5      How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulations 2018 (formerly Data Protection Act 1998)
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Any visitor to the premises who will or could be exposed to your identifiable information will sign a confidentiality agreement.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

1.6      Who are our partner organisations?

  • NHS Trusts / Foundation Trusts
  • GP’s
  • Pharmacies
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • Health and Social Care Information Centre (HSCIC)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers
  • Private Sector Providers
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for explicit consent for this happen when this is required. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

1.7      Who are our partner software suppliers / businesses?

We use a number of pieces of software and organisations outside of the NHS to facilitate your healthcare and enable our staff to contact you.

Unless otherwise stated, all of our PCN practices use the services of the organisations listed below.  They are as follows:

NameDescriptionCan employees of the organisation access patient information?GDPR statement & NHSE DSP Toolkit Link
EMIS HealthClinical system & Patient online access holds patient demographic and medical information.The servers are securely stored off-site, access is encrypted.  EMIS support staff are able to remotely connect with the consent of our staff for problem solving.https://www.emishealth.com/privacy-policy

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/YGM06

KlinikKlinik provides automated digital solutions to healthcare providers to help triage and prioritize patients based on the symptoms they provideThe personal data processed by Klinik’s Medical Engine is ‘pseudonymized’ meaning that the identifiers have been removed such that you cannot be directly identified from it without using additional information, but it is still considered personal data in a legal sense.https://info.klinikhealthcaresolutions.com/privacy-notice-uk

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8KA29

CrowbytesIT SupportEngineers can remotely connect with the consent of our staff for problem solving.  Engineers attend site to resolve IT issues with the consent of our staff.https://www.crowbytes.com/wp-content/uploads/2018/07/Privacy-Policy.pdf

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8JT77

Restore DatashredShred paper on which is recorded patient or other confidential dataRepresentative comes to site and collects the shredding bins full of paper and shreds on site.https://www.restore.co.uk/Privacy-Policy

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8JP88

Shred-ITShred paper on which is recorded patient or other confidential dataRepresentative comes to site and collects the shredding bins full of paper and shreds on site.Privacy Policy | Stericycle

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8HY56

RPM SolutionsTelephone call recording system @ Bosvena, Fowey & LostwithielRPM Solutions support staff are able to dial in remotely with the consent of our staff for problem solving.https://rpmsols.co.uk/wp-content/uploads/2023/01/RPM-Privacy-Policy.pdf

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/J5Y8A

MDU / MPS / MDDUSIndemnity organisationsWe will sometimes send by email or discuss by phone identifiable information when the organisation is supporting a GP in a patient complaint or litigation. Information will be redacted where possible.https://www.themdu.com/privacy-policy

https://www.medicalprotection.org/home/privacy-cookies-policy

https://www.mddus.com/mddus-policies/privacy-notice

NumedNumed provides software and support for our ECG machine.Numed support staff can remotely dial in with the consent of our staff for problem solving.https://www.numed.co.uk/gdpr-statement-of-compliance

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8K845

AccuRxNumed provides software and support for SMS and video consultationsAccuRx support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://www.accurx.com/privacy-policy

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8JT17

First DataBank (UK)FDB provides AnalyseRx and OptimiseRxOptimiseRx and AnalyseRx are systems which fully integrate with your GP Practice patient medical record.  Personal data does not leave the GP practice clinical system. Only the prescriber at your GP practice will see this information. Your personal data in respect to OptimiseRx and OptimiseRx is not shared with anyone else.https://www.fdbhealth.co.uk/privacy-notice

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8HV90

ArdensArdens provides software and support for our Clinical computer system, such as templates, documents and referral lettersArdens support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://www.ardens.org.uk/privacypolicy/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8J970

GE Healthcare (Cardiosoft)GE Healthcare provides software (Cardiosoft) and support for Bosvena’s ECG machines.GE Healthcare support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://www.ge.com/privacy?_ga=2.39932706.127156187.1600172086-1074354055.1600172086

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8HJ92

LexacomLexacom provides software and support for Bosvena’s Dictation system.Lexacom support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://www.lexacomcloud.com/privacy-policy/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8J566

CrescendoCrescendo provides software and support for Fowey, Lostwithiel and Middleway practices dictation systems.Crescendo support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://crescendosystems.co.uk/privacy-policy-2/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8HN85

JayexJayex provides software and support for Bosvena Waiting Room information screen and patient calling systemJayex support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://www.jayex.com/privacy-policy/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch?searchValue=jayex

LumiraDx Care Solutions (INRStar)LumiraDx Care solutions provides software (INRStar) and support which enable us to provide INR readings and treatmentLumiraDx Care Solutions support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://www.lumiradx.com/uk-en/privacy-policy

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8HJ69

Phoneta (KMHS)Phoneta provides Out of Hours and emergency call handling servicePhoneta staff do not have access to your personal data, including your medical record.https://phoneta.co.uk/wp-content/uploads/2020/09/Phoneta-Data-Protection-Policy.pdf

 

Agilio (Teamnet)Agilio provides software (TeamNet) and support for our Practice Intranet and staff training resourcesAgilio support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://agiliosoftware.com/policies/privacy-notices/privacy-policy/
NHS South, Central and West Commissioning Support Unit – Child Health Information Services (CHIS) Monitoring and inviting parents of new-born babies for vaccinationsPersonal data is collected from the child’s GP record to enable health screening, physical examination and vaccination services to be monitored to ensure that every child has access to all relevant health interventions.https://www.scwcsu.nhs.uk/legal/fair-processing-notice-child-health-information-services

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/0DF

SECASeca Analytics software integrates ECG recordings directly into our patient records.Seca support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://uk.secashop.com/privacy-policy

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/I3S0L

CortriumCortrium’s Apex Software processes and records 24 hour ECG patient readings to your GP patient record.Cortrium process 24 hour ECG results.  Data is ‘pseudonymized’ meaning that the identifiers have been removed such that you cannot be directly identified from it without using additional information, but it is still considered personal data in a legal sense.https://cortrium.com/privacy-policy/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/COR001

Help @ HandHelp@Hand manages GP social prescribing servicesHelp@Hand support staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solving.https://hand.community/privacy/
Joy AppPungo Ltd’s “Joy App”.  A social prescribing case management tool and service library.Some of your personal data is processed when you agree to a referral to the social prescribing service “Joy”.  This information is retained for a three-year period in case of re-referral.https://www.thejoyapp.com/privacy

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8KN75

GP AutomateGP Automate offers a suite of products designed to streamline and optimise the management of lab reports and other administrative tasks for the  practicesGP Automate fully integrates with your GP patient medical record.  Personal data does not leave the GP practice clinical system. Only the staff at your GP practice will see this information. Your personal data in respect to GPAutomate is not shared with anyone else.https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/Q4E1Y
Redmoor HealthRedmoor Health help manage Fowey and Bosvena surgeries Facebook social media platform by posting content and managing commentsRedmoor Health have access only to the Facebook platform, not to your patient record.  Any personal data which is available on Facebook will be visible to Redmoor Health staff.https://www.redmoorhealth.co.uk/privacy-policy/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/T9G9I

iGPRiGPR process Medical & Insurance reports and Subject Access RequestsiGPR limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instruction and they are subject to a duty of confidentiality.https://www.igpr.co.uk/privacy-policy/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8KG24

Devon and Cornwall Care RecordClinical System holds patient demographic and medical informationSecure Login to EMIS Now to report any problems, remote connection/dial in can be done remotely with the consent of our staff for problem solvinghttps://devonandcornwallcarerecord.nhs.uk/data-security-and-privacy/
NHS EnglandData ExtractionData is Anonymisedhttps://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/X24
DocMailData Sharing  – patients names and addressesTo send bulk invite letters to patient for flu clinics/recall letters – bulk transfer is encryptedhttps://www.cfhdocmail.com/live/privacy.aspx

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8HN70

DocManDocMan processes and work-flows documents into our patient records at Fowey Surgery.Personal data is processed within the surgery environment.  Docman Support Staff can remotely connect to our computers, only with the consent of our staff, for the purposes of problem solvinghttps://www.docman.com/privacy-policy/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/8HP20

Express DiagnosticsExpress Diagnostics provides software and support for our ECG machine.Express Diagnostics support staff and recordings are transmitted electronically and interpreted and sent back by secure email (nhs.net)https://www.expressdiagnostics.co.uk/privacy-notice/

 

https://dspt.k8s-prod.texasplatform.uk/OrganisationSearch/NCL

1.8      Access to personal information / Subject Access Requests

You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the GP, this can be made by email or letter (note for information from the hospital you should write direct to them)
  • We will initially offer you online access to your Detailed Coded Record. This contains your electronic medical record, and summarised paper record.  It does not contain any letters from the hospitals or other attachments on your record.  The advantage of applying for access to this record is that it updates as your medical record updates, so you will always have the most current information.
  • If the Detailed Coded Record is not adequate for your needs, we will email you a copy of your medical record. If you are not able to receive an email containing your medical record, we will print a copy for you. There may be a charge to have a printed copy of the information held about you if the administrative burden of photocopying and printing is excessive.
  • We are required to respond to you within 1 calendar month.
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located

1.9      Objections / Complaints

Should you have any concerns about how your information is managed at the GP, please contact the Practice Complaints Manager by email, telephone or letter. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) https://ico.org.uk/, casework@ico.org.uk, telephone: 0303 123 1113 (local rate) or 01625 545 745.

If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything.  If you have any concerns about how your data is shared then please contact the practice.

1.10   Cookies

Our practice website uses cookies to function correctly.  You may delete cookies at any time but doing so may result in some parts of the site not working correctly.

1.11   Change of Details

It is important that you tell the person treating you if any of your details such as your name, address, contact telephone numbers or email address have changed or if any of your details such as date of birth is incorrect in order for this to be amended.  You have a responsibility to inform us of any changes so our records are accurate and up to date for you.

1.12   Notification

The General Data Protection Regulations 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

This information is publicly available on the Information Commissioners Office website www.ico.org.uk.

The practice is registered with the Information Commissioners Office (ICO).

1.13   Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential is registered practice as appropriate from this list:

  • Bosvena Health
  • Fowey River Practice
  • Lostwithiel Medical Practice
  • Middleway Surgery

If you are still unhappy following a review by the Practice you can then complain to the Information Commissioners Office (ICO). www.ico.org.uk, casework@ico.org.uk, telephone: 0303 123 1113 (local rate) or 01625 545 745.

1.14   Who is the Data Protection Officer?

As a public authority, we have to appoint an external Data Protection Officer (DPO).  Our DPO is Kernow Health CIC’s nominated Data Protection Officer, who is:

Umar Sabat – Data Protection Officer
NHS Cornwall and Isles of Scilly Integrated Care Board
Part 25, Chy Trevail
Beacon Technology Park
Dunmere Road
Bodmin
PL31 2FR

Email: ciosicb.dpo@nhs.net

Tel: 01726 627800.

Our DPO monitors internal compliance, provides advice regarding Data Protection Impact Assessments (DPIAs), and helps us demonstrate compliance with an enhanced focus on accountability.

Date published: 19th October, 2023
Date last updated: 23rd November, 2023