Observatory Medical Practice takes the privacy of all our patients very seriously; we are committed to protecting the privacy and security of your personal information.
We are registered with the Information Commissioner’s Office as a Data Controller under registration number Z4971026. If you have any queries or wish to make a request in relation to your information, please contact:
Observatory Medical Practice
New Radcliffe House
Oxford, OX2 6NW
As a healthcare provider, we collect, store, use and share personal and confidential information about our patients, including special category health data, in accordance with UK Data Protection laws and other applicable legislation.
To change your choices about how we contact you by phone, text or email, please contact us.
What information do you hold about me?
The healthcare professionals who provide you with care keep detailed records about your health and any treatment or care you receive. This includes information from a range of sources, including but not limited to your previous GP Surgeries, hospital clinics and A&E visits.
We are required by law to store and maintain these records in order to provide you with the best possible healthcare and to protect your safety.
In carrying out this role we may collect and hold information about you which helps us respond to your queries, monitor the quality of care that we provide, and refer you to specialist services which you might need. The health records we use may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.
The categories of information which we may hold about you may include the following:
- Personal details about you, such as your name, address and next of kin
- Any contacts our staff and services (including those who process your information on our behalf) have had with you, such as phone calls, emails, appointments, clinic visits etc.
- Notes, letters and reports about your health
- Clinical images (such as photos of rashes, wounds and skin lesions)
- Details about your medications, treatment and care
- Results of investigations such as blood tests, x-rays, hospital procedures, etc.
- Relevant information from other health professionals, relatives or those who care for you
- More sensitive personal information, also known as ‘special category’ information, which includes but is not limited to information about your racial or ethnic origin, health, sex life or sexual orientation.
Our lawful grounds for processing
Data Protection Laws require us to rely on one or more lawful grounds to process your personal information. We will only use your personal data when the law allows us to. Most commonly, we will process your personal information in the following circumstances:
‘Performance of a task carried out in the public interest or in the exercise of official duty’.
We process your data to perform tasks carried out in your and the public interest and in the exercise of our official duties. We rely on the basis that it is reasonable and proportionate and we cannot achieve our health and social care objectives by any other means. For example, our healthcare professionals will record all patient consultations via our secure EMIS software and/or other secure software approved by the NHS from time to time.
‘Where necessary for the purpose of the legitimate interest pursued by us or a third party’.
The legitimate interests we rely on are:
- Processing is necessary for the purpose of providing you with health advice and care in our capacity as your General Practice and also for the purpose of ensuring regulatory compliance. If we are unable to process your personal data, we cannot provide you with our healthcare services as we will not be in a position to meet our contractual obligations with our commissioners (Oxfordshire Clinical Commissioners Group (OCCG) and local authorities), our legal obligations with UK Laws and our regulators (Care Quality Commission (CQC));
- to safeguard the health and safety of our employees, patients and premises.
‘Where we need to protect your vital interests (or someone else’s interests)’.
We rely on vital interests if we need to process your personal information to protect yours or someone else’s life in the event that you are unable to provide consent. For example, in a medical emergency your information may need to be shared with the ambulance services.
Consent means offering you real choice and control. In certain situations, we and/or a third party processor may request you to consent (or request you to consent on behalf of your child) to undertake certain medical procedures (e.g. injections, minor surgery or insertion of implants) or to send personal data including video or photographs from your phone via a secure third party NHS-approved application to our GP Practice for your care.
We may also request your consent to enroll you into clinical research studies, if you are offered the opportunity to participate in a study conducted by the third party research organisation. This may require us to process or share your data with third parties for the purpose of carrying out these activities.
These third party organisations may also request your consent to process this information separately, which may involve storing your personal data within their own systems in accordance with their own data privacy procedures. In these circumstances, your consent must be informed and given freely and may be withdrawn at any time.
How do you keep my information safe?
Your GP record is held securely in an NHS-approved system called EMIS Web, which is managed by the GP Surgery. The information in your GP record is used by the authorised health professionals providing your care locally – this may include your GP, practice/college nurse, the health professionals or administrators instructed by us in a third party data processing capacity and the healthcare professionals providing your care in the local community, such as the District Nurse, Health Visitor or Midwife teams.
Only authorised healthcare professionals and administrators with a legitimate reason to access your GP record may do so and they are legally required to protect your confidentiality.
Everyone working for our organisation is subject to a legal duty of confidentiality.
The information you provide to us is kept in confidence and will only be used for lawful purposes:
- Our staff receive training on data protection and confidentiality and we follow the NHS Digital Code of Practice on Confidential Information
- The surgery ensures technical and organisational measures are in place prior to signing any Information Sharing Agreements and sharing your information with other NHS providers in Oxfordshire who may act as Data Processors on our behalf
- We make sure contracts are in place with external data processors to protect your data
- Our electronic records are backed up securely in line with NHS standard procedures and information is held in secure locations and restricted to authorised personnel
- We will only ever use or pass on information about you if we reasonably believe that the recipients have a genuine need for it
- We will not disclose your personally identifiable information to any third party who is not involved in providing your care without notifying you via our privacy policies and/or notices or obtaining your permission, unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires the information to be passed on
- We check that only the minimum and necessary amount of data is shared or accessed
- We use smartcards and passwords to protect our IT systems, to ensure that only the right people have access to your data
- We use encrypted email and storage systems on the secure NHS network, which make it harder for someone to intercept or ‘hack’ your information
- We report and manage any adverse incidents or ‘near misses’ in our secure intranet system (Clarity TeamNet) in a de-identified format and make sure we learn from them and improve
- We manage patient records in line with the Records Management NHS Code of Practice for Health and Social Care
- We only use information collected lawfully in accordance with:
  - Data Protection Legislation
  - Human Rights Act
  - Common Law Duty of Confidentiality
  - NHS Codes of Confidentiality and Information Security
  - Health and Social Care Act 2015
  - And all other applicable UK legislation.
Online access to your own health data
Patients registered with the GP Surgery can register with a choice of NHS-approved digital providers to use online services that access, use or process health information from their health record. Online services may allow you to:
- book, check or cancel appointments with a GP, nurse or other healthcare professional
- order repeat prescriptions
- see parts of your health record, including information about medicines, vaccinations and test results
- consult with healthcare clinicians remotely
- see communications between your GP Surgery and other services, such as hospitals.
These online services are provided by NHS-approved digital services providers who act as data processors or sub-processors of your data.
When you need care in other places
If you require treatment in another NHS healthcare setting, such as an Emergency Department or Hospital, the professionals treating you can give you safer and more appropriate care if some of the information in your GP record is available to them.
This information can be shared securely through two NHS systems:
- The Summary Care Record – used by NHS services across England
- The Oxfordshire Care Summary – used by NHS services in Oxfordshire only
In both cases, your information will only be accessed by authorised healthcare professionals who are directly involved in your care. Your permission will be asked before the information is accessed, unless the professional is unable to ask you and there is an important clinical reason to access it (e.g. a medical emergency).
Your Summary Care Record choices
The NHS Summary Care Record is designed to improve the care you receive in emergencies. It is used by Accident & Emergency and other NHS services to check for important information about you if you visit them in an emergency or need care when your GP Surgery is closed.
When you register with a GP Surgery in England, a Summary Care Record containing basic information is created for you automatically, unless you object to this. The standard record includes your registration details (name, address, date of birth, NHS number, etc.), your prescribed medications and your recorded allergies or bad reactions to medications. If you wish, you can ask your GP to set up a more detailed record to include your medical diagnoses, referrals, vaccinations, care plans and other details. You can also add information to the Summary Care Record yourself through the NHS website.
If you are happy to have a standard Summary Care Record you do not need to do anything, as this is created for you automatically by the NHS.
If you would like to opt out of the Summary Care Record please contact the surgery.
Your Oxfordshire Care Summary choices
The Oxfordshire Care Summary allows other NHS services in Oxfordshire to see selected information from your GP record if you use their services. This includes your:
- medical conditions and diagnoses
- recorded allergies and bad reactions to medicines
- test results, x-ray reports and health readings such as blood pressure
- prescribed medications and vaccination history
- appointments, hospital admissions, GP out-of-hours attendances and ambulance calls
- care / management plans
- correspondence such as referral letters and discharge summaries.
You will be asked for permission before your information is accessed by the healthcare professional, except in uncommon situations where you are unable to give your consent and there is an important clinical reason (e.g. in an emergency).
If you are happy to have an Oxfordshire Care Summary you do not need to do anything, as this will be created for you automatically.
If you would like to opt out of the Oxfordshire Care Summary please contact the Surgery.
Registering with another GP Surgery in the UK
If you register with another GP Surgery in the UK, we will send your electronic and paper records to your new practice. This may involve sending your electronic record through a secure NHS system called GP2GP transfer. We do not send any patient data outside of the EEA unless explicit written consent has been provided by you. If you are moving overseas and require a copy of your health information, please request this before you move.
How long do we retain your information?
Except as otherwise permitted or required by applicable law or regulatory requirements, we will retain your personal information only for as long as we believe it is necessary to fulfil the purposes for which the personal information was collected. This includes for the purpose of meeting any clinical, legal, accounting or other reporting requirements or obligations.
The periods for which your health information shall be held by us and our processors will be in accordance with NHS Digital’s Record Management Code of Practice for Health and Social Care.
You may request that we delete the personal information that we hold about you. There are instances where applicable law or regulatory requirements allow or require us to refuse to delete this personal information. In the event that we cannot delete your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
How do you use my information?
Providing and supporting your care
We use and share the information in your GP record to support a wide range of activities relating to your healthcare. Common examples include:
- Enabling the healthcare professionals, both internal and external, who care for you to understand your health conditions, treatments and personal needs
- providing our surgery administration staff secure and confidential access to carry out various functions necessary for the performance of their role (for example booking appointments and updating records)
- referring you to other healthcare providers when you need more specialist assessments, tests or treatments
- sharing samples with laboratories and sharing your results with other professionals involved in your care
- sending your prescriptions to a pharmacy and dealing with your medication queries
- recording allergies and other important health information
- receiving reports of appointments you have attended elsewhere, e.g. at a hospital clinic or other local health service
- investigating and responding to any queries or complaints you have about your care
- texting or emailing you with information about healthcare services or treatments
- inviting you to participate in research studies, if these are relevant to your health conditions.
Improving quality and safety of care
We may use selected information from patient records to check that the care we provide is safe and to help us improve our services. Any information we use for this purpose is de-identified to protect your confidentiality. Some examples include:
- Auditing the treatment we provide, to check our care is in line with the latest recommendations
- Identifying people at risk of developing particular health conditions or who may require additional support (known as ‘case finding’)
- Recording and reviewing any adverse events or ‘near misses’, to ensure our services are safe
- Monitoring how long patients are waiting for our appointments
- Providing de-identified patient-level data and aggregated data reports to healthcare commissioners on the quality and activity of our services or the services of the healthcare providers we refer you to (NB. it may be an NHS contractual requirement for the practice and/or other healthcare providers providing you with care to share selected data about your health conditions and treatment with healthcare commissioners in a de-identified format, in order to improve the quality and governance of NHS services available to the public. Our commissioners may act as data controllers once this de-identified information has been passed to them and the practice will no longer be responsible for or have control over this information)
- Supporting staff training and the development of services to meet patient need
Sharing with our Third Party Data Processors
From time to time, we will share your information with our third party data processors where necessary to process information on our behalf. We will decide the purpose and manner for processing and shall ensure our processors have secure technical and organisational measures in place; our data processors will operate on our strict instructions at all times and will not have any responsibility or control over the use of your data.
Our processors may include but shall not be limited to other NHS general practices and healthcare providers, South West Central Commissioning Support Unit (SWC CSU), OxFed Health & Care Ltd. (the Oxford City GP Federation), our social prescribing and ancillary care providers, clinical research organisations, University Colleges (for our Oxford University students), operational service providers and providers of our IT, electronic records, texting/messaging services and patient online access services. When necessary, our data processors may instruct their sub-processors to carry out certain functions in accordance with the instructions they have been given by the data controller.
Where your information is requested to be used for secondary research purposes, we, or our data processors will always ask your permission before releasing your information to any third parties for this purpose. You have the option to register a ‘type 1’ or ‘national’ opt-out if you do not wish for your information to be used for clinical research.
Sharing required by law
Occasionally we are required by law to share your information with other agencies. In these situations we will usually discuss this with you first, but it is sometimes not possible for us to do so. These situations are uncommon, but examples might be:
- To safeguard children or vulnerable adults who may be at risk of neglect or abuse
- for the purposes of detecting or preventing a serious crime
- to report notifiable infectious diseases to public health
- to report cases of female genital mutilation or suspected radicalisation
- if we are required to disclose the information by a court order.
The surgery will not partake in any ‘restricted’ transfers of your information to countries outside the European Economic Area (EEA) unless an exception has been satisfied, for example explicit written and verbal consent has been provided by you.
Observatory Medical Practice is proud to be a research practice, which means that we actively support clinical research studies and activity to improve the quality of healthcare.
Research in the NHS
The NHS Constitution states that Research is a core function of the NHS. Clinical Research is a major driver of innovation and central to NHS practice for maintaining and developing high standards of patient care. Ultimately, clinical research means patients get access to new treatments, interventions and medicines. Investment in research means better, more cost effective care for patients.
In 2006 the Department of Health set up The National Institute for Health Research (NIHR) to improve the health and wealth of the nation through Research. The NIHR Clinical Research Network (CRN) was introduced to provide the infrastructure to the NHS to allow high quality research to be set up and delivered efficiently and effectively.
Observatory Medical Practice is part of a network of local practices participating in research activities under the banner of CRN Thames Valley and South Midlands. Visit their website to find out more.
The Practice may also contribute data in a de-identified form to approved research databases. It is not possible for the researchers to identify any individuals from the data we share with them through these research databases.
The Clinical Practice Research Datalink (CPRD) is a government research initiative, joint funded by the MHRA (Medicines and Healthcare products Regulatory Agency) and the NIHR, that collects de-identified coded data from GP practices in support of vital public health research. Visit their website to find out more.
The RCGP Research and Surveillance Centre (RSC) is an internationally renowned source of information, analysis and interpretation of primary care data. Established in 1957, the RSC is an active research and surveillance unit that collects and monitors data, in particular influenza, from over 500 practices across England. Visit their website to find out more.
What is Primary Care Research?
Primary Care refers to patient interactions with ‘front-line’ healthcare professionals including GPs, practice nurses, pharmacists and dentists. A wide range of research studies look at:
• Promoting a healthier lifestyle
• Disease diagnosis and prevention
• Management of long-term illnesses such as diabetes or hypertension
• Prevention of future ill-health
• Treating common conditions such as tonsillitis or influenza
What are the benefits of being a research practice?
Evidence suggests that patients who receive care in research-active institutions have better health outcomes than those who are treated in a non-research environment. By joining the research community, we are actively helping to improve the standard of healthcare for our patients. It also provides an opportunity for patients to better understand their health conditions and give something back to the NHS and wider community. Sometimes it can provide access to new treatments, and brings a new dimension to practice and added skills to those involved. The practice receives funding to cover the additional costs of taking part in research (it does not come out of our own budget and so routine patient services are not affected).
How can you help and take part?
There are various ways a patient can become involved in research at the surgery:
• You may be informed about a particular study by us or our instructed data processor organisation and asked whether you would be interested in participating as part of a consultation
• you may be sent information through the post by us or our data processor organisation if we feel you may be a suitable participant
• you may read information about a current study in the patient waiting room or on the surgery website and wish to take part.
What else do I need to know?
All clinical research carried out at [enter practice] is thoroughly checked and approved by ethical committees ensuring it is appropriate and safe to perform. You will always receive clear information about what taking part in a research study would involve and will have the opportunity to ask questions and obtain further details about a study.
Your participation in research studies is entirely voluntary and can be withdrawn by yourself at any time without any explanation required.
You are under no obligation to participate in any research project, and your care and your relationship with your doctor or nurse will not be affected in any way if you decide not to take part.
If you do agree to take part in a study you will be asked to sign a consent form. This will clearly state which parts of your notes (if any) may be looked at for the purposes of the research study. Without your prior consent, nobody from outside this practice will be given your contact details or have access to your medical records, unless they act as a data processor on our behalf.
What if I do not wish to participate in Clinical Research?
Although the number of research studies you might be eligible for and contacted about is likely to be very small, you do have the option to ‘opt-out’ and not take part if you wish to do so.
If you do not want information from your health record to be used for any purpose beyond providing your own care, such as to improve NHS care or contribute to research, we will respect your decision, but please note that in some circumstances we may still be legally required to disclose your data to third parties. You will be informed if this applies to you.
If you do wish to exercise this right, there are several options available to you (you may choose to exercise none, one or all of these opt-outs):
Type 1 Opt-Out: If you do not want the surgery to share information that identifies you for purposes beyond your direct care (for example secondary research), you can register a ‘Type 1 Opt-Out’. This prevents information from your GP record from being shared other than for your direct care. Please contact us and request a Type 1 Opt-Out form if you wish to exercise this right.
National Opt-Out: NHS Digital also collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your information to be shared outside of NHS Digital, for purposes other than for your direct care, you will need to register a ‘National Opt-Out’. To do this you will need to contact NHS Digital yourself via the online tool, https://digital.nhs.uk/services/national-data-opt-out.
Clinical Record Sharing: You can also object to having your information made available to healthcare staff through the Summary Care Record and the Oxfordshire Care Summary systems as outlined above. These two NHS record systems may be used by authorised health professionals to access your information if you need healthcare outside of the surgery. For information on how to opt out of these record systems, please contact the surgery.
General Practice Transparency Notice for sharing Data for Planning and Research (Replacement for GPES)
NHS Digital collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced.
Patient data collected from general practice is needed to support a wide variety of research and analysis to help run and improve health and care services. Whilst the data collected in other care settings such as hospitals is valuable in understanding and improving specific services, it is the patient data in general practice that helps us to understand whether the health and care system as a whole is working for patients.
In addition to replacing what GPES already does, the General Practice Data for Planning and Research service will also help to support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including coronavirus (COVID-19)) and enable many different areas of research.
What are my information rights?
Data protection law provides you with a number of rights which we are committed to supporting. These rights include:
- fair processing of information and transparency over how we use your personal information;
- right to access or obtain a copy of your personal information on request in a structured, machine-readable format and have the right to transmit the information to a third party in certain situations;
- require us to change incorrect or incomplete information in certain situations unless we are required by law to maintain the original information – we will discuss this with you if necessary;
- require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- withdraw your consent to, object to, or request erasure in respect of specific processing in certain circumstances;
- receive a response to any of your requests within one calendar month.
You have the right to make complaints and request investigations into the way your information is used. If you have concerns, a complaint or would like further information, please contact the surgery. For independent advice about data protection, privacy and data-sharing, you can contact:
The Information Commissioner’s Office (ICO), the UK Supervisory Authority.
Visit their website
Changes to this privacy notice