The Practice uses a clinical system provided by a Data Processor called EMIS, with effect from 10th June 2019, EMIS will start storing your practice’s EMIS Web data in a highly secure, third party cloud hosted environment, namely Amazon Web Services (“AWS”).
The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;
NHS Trusts / Foundation Trusts
GP’s
NHS Commissioning Support Units
Independent Contractors such as dentists, opticians, pharmacists
Private Sector Providers
Voluntary Sector Providers
Ambulance Trusts
Clinical Commissioning Groups
Social Care Services
NHS England (NHSE) and NHS Digital (NHSD)
Local Authorities
Education Services
Fire and Rescue Services
Police & Judicial Services
Voluntary Sector Providers
Private Sector Providers
Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.
Computer System
This practice operates a Clinical Computer System on which NHS Staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication. To provide around the clock safe care, unless you have asked us not to, we will make information available to our Partner Organisation (above). Wherever possible, their staff will ask your consent before your information is viewed.
Shared care Records
To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems. You can opt out of this sharing of your records with our partners at anytime if this sharing is based on your consent.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for Hollyoaks Medical Centre an appropriate contract (art 24-28) will be established for the processing of your information.
Sharing your information without consent
We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:
• where there is a serious risk of harm or abuse to you or other people;
• safeguarding matters and investigations;
• where a serious crime, such as assault, is being investigated or where it could be prevented;
• notification of new births;
• where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS);
• where a formal court order has been issued;
• where there is a legal requirement, for example if you had committed a Road Traffic Offence.
How long will we store your information?
We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements.
More information on records retention can be found online at (https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016).
How can you access, amend move the personal data that you have given to us?
Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.
Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will Delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes