Privacy Policy
Privacy Policy
1. Definitions
Leith Surgery is an independent contractor whose primary business is the provision of primary medical services by way of a contract with NHS Lothian, made under section 17J of the National Health Service (Scotland) Act 1978 ("the 1978 Act") as amended by the Primary Medical Services (Scotland) Act 2004 and having its main premises at 2 Duke Street, Edinburgh, EH6 8HQ.
References in this policy to "we", "our", "the surgery" and "the GP practice" refer to Leith Surgery.
References in this policy to the "website" refer to any website owned and controlled by Leith Surgery
2. About this policy
This is the privacy policy for Leith Surgery. This policy is also known as the data protection notice and it defines how we receive, store, use and share information about individuals in our role as a data controller. This policy may be updated from time to time without prior notice or any notification. The current version of this policy applies from 27th November 2023.
3. About the personal information we use
We use personal information on different groups of individuals including:
Patients
Staff
Students
Contractors
Suppliers
Complainants, enquirers
Survey respondents
Website users
Professional experts and consultants
Individuals captured by CCTV
The personal information we use includes information that identifies you like your name, address, date of birth and postcode.
We also use more sensitive types of personal information, including information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data; health; sex life or sexual orientation.
The information we use can relate to personal and family details; education, training and employment details; financial details; lifestyle and social circumstances; goods and services; visual images; details held in the patient record; responses to surveys.
4. Our purposes for using personal information
Under the 1978 Act Leith Surgery has the statutory responsibility to provide or arrange for the provision of a range of healthcare, health improvement and health protection services. We are given these tasks so that we can help to promote the improvement of the health of the people of NHS Lothian and assist in operating a comprehensive and integrated national health service in Scotland.
We use personal information to enable us to provide healthcare services for patients (including reminding you of appointments), data matching under the national fraud initiative; research; supporting and managing our employees; maintaining our accounts and records and the use of CCTV systems for crime prevention.
5. Our legal basis for using personal information
Leith Surgery, as a data controller, is required to have a legal basis when using personal information. Leith Surgery considers that performance of our tasks and functions are in the public interest. So, when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In some situations, we may rely on a different legal basis; for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
for the provision of health or social care or treatment or the management of health or social care systems and services; or
for reasons of public interest in the area of public health; or
for reasons of substantial public interest for aims that are proportionate and respect people's rights; or
for archiving purposes, scientific or historical research purposes or statistical purposes, subject to appropriate safeguards; or
in order to protect the vital interests of an individual; or
for the establishment, exercise, or defence of legal claims or in the case of a court order.
On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this, we will explain what it means, and the rights that are available, to you. You should be aware that we will continue to ask for your consent for other things like taking part in a drug trial, or when you are having an operation.
6. Who provides the personal information
Individuals may provide us with their own personal information when
they give us written information in paper or electronic format, for example a registration form, a health questionnaire, a copy of their medical records or another document containing their personal information
they communicate with our staff, for example by asking us for advice, asking us to provide them with a service, or during an appointment, meeting or phone call with our staff
they submit information to us using our website
we provide them with any form of healthcare
or when another person or organisation gives us their information on the individual's behalf
When we receive your information not directly from you or your representative, we receive it from other individuals and organisations involved in the delivery of health and care services in Scotland. These include other NHS boards and primary care contractors such as GPs, dentists, pharmacists and opticians, other public bodies eg. local authorities and suppliers of goods and services.
When we receive personal information, we decide whether or not, and to what extent, to store that information - particularly when the information is provided in a non-written way; for example, information communicated during medical appointments is usually summarised and abbreviated by the healthcare professional, personal interactions which take place in an informal way might not be documented and not all of the information we receive about our patients is relevant or reliable enough to be stored in the medical record.
7. Sharing personal information with others
Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:
Our patients and their chosen representatives or carers
Staff
Current, past and potential employers
Healthcare, social and welfare organisations
Suppliers, service providers, legal representatives
Auditors and audit bodies
Educators and examining bodies
Research organisations
People making an enquiry or complaint
Financial organisations
Professional bodies
Trade Unions
Business associates
Police forces
Security organisations
Central and local government
Voluntary and charitable organisations
Our patients have a right to confidentiality and, at the same time, we often need to share personal information belonging to patients with other agencies in order to provide safe and effective healthcare. When we do this, we consider whether you have already given consent; your consent can be implied or explicit. We also decide whether or not we require your consent under the common law duty of confidentiality and according to the General Medical Council guidance on confidentiality.
General principles:
Usually when we need to share your information, we will rely on our legal basis for using your personal information. Sometimes we may rely on your consent - this might be required if we consider you to have a genuine choice about whether we share your information with the person or agency concerned.
General practice primary care teams in Scotland sit within health and social care partnerships and in close liaison with other NHS Scotland services including hospitals and clinics. The primary care team, in order to provide safe and effective healthcare, need to have the option of communicating with relevant professionals when required; registered patients therefore do not have a genuine choice about this as there is no routine option to opt-out of safe healthcare processes. Our patients are, however, welcome to express preferences about their care which we can take into consideration.
When we make a medical referral for a patient, it is routine for us to share significant parts of their medical history, information about their social situation, family history, lifestyle, preferences and beliefs. Patients are welcome to tell us if they have particular personal information which they would prefer not to be shared with other professionals, and we can advise on where there are limits which this would impose on their care.
Protecting people at risk:
If you or members of the public are at risk, or
we or another responsible authority think that you or the public could be at risk, and
we think that sharing your personal information is necessary to protect against this real or potential risk, then
we will not require your consent to share your personal information with relevant agencies in a proportionate way.
Our readiness to share personal information without consent is higher when we think there could be a risk to a child or a vulnerable adult.
Our other legal obligations:
when we need to share personal information to comply with a legal obligation, we are unlikely to require your consent, for example under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease
Medical research
the GP practice participates in the DataLoch research programme which uses public interest legal bases for the use of anonymised patient data (see section 14 below)
some other medical research involves active participation by patients and this requires explicit consent - but to allow patients the opportunity to find out about specific research projects for which they are eligible, they first have to be contacted - so we allow for NHS researchers to identify potentially eligible patients and to contact them, unless they have opted out (please see section 15 below).
8. Transferring personal information abroad
It is sometimes necessary to transfer personal health information overseas, for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHSScotland Information Security Policy.
We may use data processing companies who utilise electronic systems which are physically located overseas. Personal information in electronic format will only be physically stored or processed by companies which are approved by the Data Privacy Framework and/or located in countries with a European Adequacy Decision.
9. Retention periods of the information we hold
Within Leith Surgery we keep personal information as set out in the Scottish Government Records Management: HEALTH AND SOCIAL CARE CODE OF PRACTICE (SCOTLAND) 2020. The Code of Practice sets out minimum retention periods for information, including personal information, held in different types of records including personal health records and administrative records. As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule as part of our Records Management policy detailing the minimum retention period for the information and procedures for the safe disposal of personal information.
10. How we protect personal information
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. The following security measures are in place to protect personal information:
All staff undertake mandatory training in Data Protection and IT Security
Compliance with NHS Scotland Information Security Policy
Organisational policy and procedures on the safe handling of personal information
Access controls and audits of electronic systems
11. Joint data controllers
When your personal information is held within your GP patient record (also known as your GP medical record) we share control of your data with NHS Lothian as a joint data controller. Our joint data controller agreement with NHS Lothian is part of our contract to provide general medical services. Each of the two parties (Leith Surgery and NHS Lothian) takes lead responsibility for the personal information it itself creates and processes.
12. Use of our website
While this policy describes the use of your personal information provided to us by any means, your use of our website is subject to our website terms of use.
13. Your rights
This section contains a description of your data protection rights within Leith Surgery.
Your data is handled in accordance with the General Data Protection Regulations and the Data Protection Act 2018.
The right to be informed
Leith Surgery must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:
This privacy policy
Information leaflets
Discussions with staff providing your care
The right of access
You have the right to access your own personal information.
This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.
You have the right to obtain:
Confirmation that your personal information is being held or used by us
Access to your personal information
Additional information about how we use your personal information
We have the right to withhold certain information from subject access requests and, though there is a complex range of situations which we need to consider, this generally includes:
withholding access to information which was provided to us with a reasonable and appropriate expectation that it would not be disclosed
withholding information from subject access requests which we think could cause harm if it were to be disclosed
withholding information which potentially identifies the personal information of an individual other you, when we do not have that individual's consent and the information is not already reasonably known to you, taking into account the balance between the rights of the parties.
Although we must provide your personal information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.
If you would like to access your personal information, you can do this by submitting a written request, marked as a "subject access request", to the Practice Manager at the following address:
Leith Surgery, 2 Duke Street, Edinburgh, EH6 8HQ
Telephone: 0131 554 6471
Once we have received your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (thirty days). However, if your request is complex we may take longer, by up to two months, to respond. If this is the case, we will tell you and explain the reason for the delay.
The right to rectification
If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete, we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety in us doing so, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.
If for any reason we have shared an inaccurate version of your information with anyone else, perhaps during a referral to another service for example, we will notify them of the changes required so that we can ensure their records are accurate.
If on consideration of your request Leith Surgery does not consider the personal information to be inaccurate then we may add a comment to your record stating your concerns about the information. If this is case we will contact you within one month to explain our reasons for this.
If you are unhappy about how Leith Surgery has responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office.
The right to object
When Leith Surgery is processing your personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing and also seek that further processing of your personal information is restricted. If Leith Surgery can demonstrate compelling legitimate grounds for processing your personal information, for instance; patient safety or for evidence to support legal claims, your right will not be upheld.
Other rights
There are other rights under current Data Protection Law, however these rights only apply in certain circumstances. For further information on these rights please visit ico.org.uk/for-the-public.
The right to complain
Leith Surgery employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information, please tell our Data Protection Officer using the contact details below.
Data Protection Officer
IT Governance
Woodlands House
74 Canaan Lane
Edinburgh
EH9 2TB
Phone – 0131 465 5444
Email: Lothian.DPO@nhslothian.scot.nhs.uk
Please note emails from your private email address may not be secure.
You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at www.ico.org.uk
14. DataLoch (anonymised research)
This GP practice has agreed to take part in the DataLoch research programme. Both your GP practice and NHS Lothian are the data controller for the DataLoch programme (though data is only hosted within NHS Lothian), and are working in partnership with the University of Edinburgh. The aims of the DataLoch programme are to support research for the benefit of local residents in the South-East Scotland region. A Data Sharing Agreement is in place that covers the sharing of patient data with DataLoch, and all approved research is anonymous.
In line with data protection legislation, the legal basis that permits processing of patient data is:
6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
9(2)(j) – Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)
The DataLoch website covers the researcher data, public enquiries, and newsletter subscriptions for which the University of Edinburgh is the Data Controller: https://dataloch.org/privacy-notice
DataLoch’s purpose is to enable these data-driven health and social care innovations to improve the health and lives of the region’s population. These activities are entirely in the public interest. Patient data is not being sold to private organisations, nor is it leaving the control of the NHS.
Access to extracts of data are provided to NHS service managers and medical researchers, approved by the NHS Lothian’s Caldicott Guardian and under strict controls. The data has identifying information removed and sits in a secure IT environment.
15. Participation in research
Leith Surgery recognises that research is essential for progress in the NHS and is of considerable benefit to individual patients and the public as a whole. We therefore part of the NHS Research Scotland (NRS) Primary Care Network and we regularly take part in research studies with the help of experienced NHS staff who access patients' medical records solely for the purpose of identifying patients suitable for participation in research studies.
No personal identifiable data is removed from the NHS or provided to any researchers without specific consent from patients.
Patients have the right to opt out of being contacted about research studies. Please let the reception staff or your GP know if you wish to opt out.
If you have any questions, please ask to speak to the practice manager.