Privacy and GDPR
How we use your information to provide you with healthcare
- This practice keeps medical records confidential and complies with the General Data Protection Regulation
- Karis Medical Centre is the “Data Controller” of the information we hold for our patients
- Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
- The Practice Data Protection Officer for Karis Medical Centre is Umar Sabat from SDS MyHealthcare. He can be contacted on firstname.lastname@example.org
- If you have any queries regarding data protection, please address them to the Practice.
- We hold your medical record so that we can provide you with safe care and treatment.
- We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
- We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.
- You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected
- Record sharing programmes for direct care: that allow health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions and what medications you take. This will involve the use of:
- Summary Care Record (SCR) the national record sharing programme across England. For more information see: https://digital.nhs.uk/summary-care-records
- GP Connect: updated national record sharing programme to support direct patients care, leading to improvements in both care and outcomes. For more information see: https://digital.nhs.uk/services/gp-connect
- Your Care Connected (YCC) our local data sharing programme across Birmingham, Sandwell, and Solihull. For more information see: https://midlandsyourcareconnected.nhs.uk
- Birmingham and Solihull Shared Care Record our regional record sharing programme across Birmingham and Solihull, Coventry and Warwickshire, and Herefordshire and Worcestershire www.livehealthylivehappy.org.uk/birmingham-and-solihull-shared-care-record
- Digitisation of Paper Medical Records: all paper records are collected, securely transported, scanned and added to the electronic medical records and destroyed after 3 months. Our current supplier is NEC, Unit 1,Charles Way, Bulwell, Nottingham, NG6 8RF. https://www.necsws.com/solutions/document-scanning
- NHS Digital: All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices. You have the choice to opt out if you wish to by downloading and completing a form (click here for opt out form) and give to reception or post to Karis Medical Centre. You can learn more about how NHS Digital uses your data here: General Practice Data for Planning and Research: GP Practice Privacy Notice - NHS Digital
- Lawful basis for processing
- GDPR Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”
- GDPR Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care system.
- Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Other important information about how your information is used to provide you with healthcare
Registering for NHS care
- All patients who receive NHS care are registered on a national database.
- This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive.
- The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.
- More information can be found at: or phone general enquires at NHS Digital 0300 303 5678
Identifying patients who might be at risk of certain diseases
Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long-term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.
To summarise Risk Stratification is used in the NHS to:
- Help decide if a patient is at a greater risk of suffering from a particular condition;
- Prevent an emergency admission;
- Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
- Review and amend provision of current health and social care services.
Your GP will use computer based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider. The risk stratification contracts are in accordance with the current Section 251 Agreement. Neither the CSU nor your local CCG will at any time have access to your personal or confidential data. They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.
- Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
- These circumstances are rare.
- We do not need your consent or agreement to do this.
- Please contact the Practice if you require any further information.
Karis Medical Centre shares information from medical records:
- to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
- we will also use your medical records to carry out research within the practice.
This is important because:
- the use of information from GP medical records is very useful in developing new treatments and medicines;
- medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
We share information with the medical research organisations with your explicit consent or when the law allows
You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object
Checking the quality of care - national clinical audits
Karis Medical Centre contributes to national clinical audits so that healthcare can be checked and reviewed.
- Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you.
- The results of the checks or audits can show where hospitals are doing well and where they need to improve.
- The results of the checks or audits are used to recommend improvements to patient care.
- Data are sent to NHS Digital, a national body with legal responsibilities to collect data.
- The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form - for example the code for diabetes or high blood pressure.
- We will only share your information for national clinical audits or checking purposes when the law allows.
- For more information about national clinical audits see the Healthcare Quality Improvements Partnership website: or phone 020 7997 7370.
You have the right to object to your identifiable information being shared for national clinical audits. Please contact the practice if you wish to object.
How your information is shared so that this practice can meet legal requirements
The law requires Karis Medical Centre to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:
- plan and manage services;
- check that the care being provided is safe;
- prevent infectious diseases from spreading.
We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information.
We must also share your information if a court of law orders us to do so.
- NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
- It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
- This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
- More information about NHS Digital and how it uses information can be found at:
Care Quality Commission (CQC)
- The CQC regulates health and social care services to ensure that safe care is provided.
- The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
- For more information about the CQC see:
- The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
- We will report the relevant information to local health protection team or Public Health England.
- For more information about Public Health England and disease reporting see:
National screening programmes
- The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
- These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
- The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
- More information can be found at: or speak to the practice.
- This helps us to provide you with a good experience when you visit our website and make improvements.