Data Protection & Medical Records

Freedom of Information

Information about the General Practioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.

The practice complies with data protection and access to medical records legislation. Identifiable information about you will be shared with others in the following circumstances:

• To provide further medical treatment for you e.g. from district nurses and hospital services.
• To help you get other services e.g. from the social work department. This requires your consent.
• When we have a duty to others e.g. in child protection cases anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.

If you do not wish anonymous information about you to be used in such a way, please let us know.

Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.

Under the 1978 Act NHSGGC has the statutory responsibility to provide or arrange for the provision of a range of healthcare, health improvement and health protection services. We are given these tasks so that we can help to promote the improvement of the physical and mental health of the people of NHSGGC and assist in operating a comprehensive and integrated national health service in Scotland.

We use personal information to enable us to provide healthcare services for patients, data matching under the national fraud initiative; research; supporting and managing our employees; maintaining our accounts and records and the use of CCTV systems for crime prevention.

NHSGGC, as data controller, is required to have a legal basis when using personal information. NHSGGC considers that performance of our tasks and functions are in the public interest. So when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In some situations we may rely on a different legal basis; for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services. Another example would be for compliance with a legal obligation to which NHSGGC is subject to, for example under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.

When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:

• for the provision of health or social care or treatment or the management of health or social care systems and services
• for reasons of public interest in the area of public health
• for reasons of substantial public interest for aims that are proportionate and respect
• people’s rights, for example research
• in order to protect the vital interests of an individual
• for the establishment, exercise or defence of legal claims or in the case of a court order.

On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this we will explain what it means, and the rights that are available, to you.

Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:

• Our patients and their chosen representatives or carers
• Staff
• Current, past and potential employers
• Healthcare social and welfare organisations
• Suppliers, service providers, legal representatives
• Auditors and audit bodies
• Educators and examining bodies
• Research organisations
• People making an enquiry or complaint
• Financial organisations
• Professional bodies
• Trade Unions
• Business associates
• Police forces
• Security organisations
• Central and local government
• Voluntary and charitable organisations

It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHSScotland Information Security Policy.

We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. The following security measures are in place to protect personal information:

• All staff undertake mandatory training in Data Protection and IT Security
• Compliance with NHS Scotland Information Security Policy
• Organisational policy and procedures on the safe handling of personal information
• Access controls and audits of electronic systems

Access to Records

In accordance with the Data Protection Act 2018, General Data Protection Regulation (GDPR) and Access to Health Records Act, patients may request to see their medical records. No information will be released without the patient consent unless we are legally obliged to do so.

The right to be informed

We must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:

• This Data Protection Notice
• Information leaflets
• Discussions with staff providing your care

The right of access

You have the right to access your own personal information/medical records.

This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.

The right to obtain:

• Confirmation that your personal information is being held or used by us
• Access to your personal information
• Additional information about how we use your personal informationIf you would like to access your personal information

Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.

To view or obtain a copy of your records, you will have to apply in writing to the surgery. Once we have details of your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However If your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.

The right to rectification

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.

If for any reason we have shared your information with anyone else, perhaps during a referral to another service for example, we will notify them of the changes required so that we can ensure their records are accurate.

If on consideration of your request we do not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is case we will contact you within one month to explain our reasons for this.

If you are unhappy about how Northcote Surgery has responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.

The right to object

When Northcote Surgery is processing your personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing and also seek that further processing of your personal information is restricted. Provided we can demonstrate compelling legitimate grounds for processing your personal information, for instance; patient safety or for evidence to support legal claims, your right will not be upheld.

The right to complain

Northcote Surgery employs a Practice Manager to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information please tell our Practice Manager using the contact details below:

Practice Manager
Northcote Surgey
2 Victoria Circus
Glasgow, G12 9LD
0141 339 3211

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at www.ico.org.uk.

For more information please contact the surgery.