Privacy Policy

Who we are

The Leeds GP Confederation is a ‘not for profit social enterprise,’ working to improve the health of the people of Leeds by strengthening and sustaining primary care.

We were established in March 2018 to represent the collective view of GP practices as providers in Leeds. The GP Confederation has evolved through shared working with the GP leadership and the existing three federations in Leeds.

We aim to improve care in Leeds, principally through applying the local care partnership model in localities but also by helping spread best practice across the city.

The name and contact details of our organisation

Name: Leeds GP Confederation

Address: 

Building 3, White Rose Park, Millshaw Park Lane, Leeds, LS11 0DL

Tel: 0113 8873899

Email: [email protected]

The contact details of our data protection officer

Our Data Protection Officer is Simon Boycott, Head of Development and Governance. He can be contacted on 0113 843 0785 or by email: [email protected]

What we do

The Leeds GP Confederation exists to:

Our commitment to data privacy and confidentiality

As a GP Confederation, we are committed to protecting your privacy and will only process data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality, professional codes of practice, the Human Rights Act 1998 and other appropriate legislation.

Everyone working for Leeds GP Confederation has a legal and contractual duty to keep information about you confidential. All our staff receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and their obligations to uphold confidentiality.

Staff are trained to ensure how to recognise and report any incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.

All identifiable information that we hold about you will be held securely and confidentially in secure hosted servers that pass stringent security standards.

As an organisation we provide annual evidence of our compliance with all applicable laws, regulations and standards through the Data Security and Protection toolkit.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

The categories of personal data we can access and the sources we can access them from

Details about you, such as your name, address, carers, biological gender, gender identity, ethnic origin, date of birth, legal representatives and emergency contact details are collected from you when you register with a GP practice via the GMS1 form and new patient questionnaire you fill in when you register. When you book an appointment with the Leeds Extended Access Service through your GP practice you are registered with, some of these details are added to the Leeds Extended Access Service Appointment platform, as part of the process: patient name, gender, address, telephone number, date of birth, NHS Number, and GP practice. This information is removed from the Leeds Extended Access Service Appointment Platform a few weeks after your appointment. Details of your health professional consultation are recorded on your GP Practice clinical system.

Clinicians working in the Leeds GP Confederation Extended Access Service  are able to access:

How we use your personal data (the purposes of processing)

As health professionals, we maintain some of your demographic information (patient name, gender, address, telephone number, date of birth, NHS Number, and GP practice) as part of the Leeds Extended Access appointment booking process, in order to support your care. We take great care to ensure that your information is kept securely, that it is up to date, accurate and used appropriately. All of our staff are trained to understand their legal and professional obligations to protect your information and will only look at your information if they need to.

For provision of direct care

In the Leeds GP Confederation, individual staff will only view what they need in order as part of managing Extended Access Service appointments, or contacting you if an appointment needs to be cancelled or rearranged.

For commissioning and healthcare planning purposes

In some cases, for example when looking at population healthcare needs, some of your data may be shared (usually in such a way that you cannot be identified from it). The following organisations may use data in this way to inform policy or make decisions about general provision of healthcare, either locally or nationally.

In order to comply with its legal obligations we may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.

This Leeds GP Confederation may contribute to national clinical audits and may send non-identifiable data which are required by NHS Digital when the law allows

For research purposes:

Research data is usually shared in a way that individual patients are non-identifiable.  Occasionally where research requires identifiable information you may be asked for your explicit consent to participate in specific research projects.  The Leeds GP Confederation will always gain your consent before releasing any information for this purpose.

Where specific information is asked for you will be given the choice to opt of the audit.

For safeguarding purposes, life or death situations or other circumstances when we are required to share information:

We may also disclose your information to others in exceptional circumstances (i.e. life or death situations) or in accordance with Dame Fiona Caldicott’s information sharing review (Information to share or not to share).

For example, your information may be shared in the following circumstances:

When you request to see your information or ask us to share it with someone else:

If you ask us to share your data, often with an insurance company, solicitor, employer or similar third party, we will only do so with your explicit consent. Usually the requesting organisation will ask you to confirm your consent, often in writing or electronically. We check that consent before releasing any data and you can choose to see the information before we send it.

Communicating with you about your care:

We will use your information to communicate with you about your care, including but not limited to confirming appointments and reminding you about your appointments. At times we may communicate with you via SMS Message; will will assume your consent to do this but if you do not wish for us to communicate with you in this way then please let us know.

The lawful basis for the processing

We are required to tell you the legal basis that is used for the various ways we process and use your data. In order to process your personal data we must specify a lawful basis and if we process any personal  data that is deemed to be “special category” data we must also specify a separate condition for processing special category data.

The following table sets the main ways your personal data may be used and the corresponding legal basis and category of data. Each purpose is covered in more detail within this notice to explain what these mean in more practical terms.

Purpose of using personal dataLegal basis of processingSpecial category of data
Provision of direct care and related administrative purposes

 

e.g., e-referrals to hospitals or other care providers

GDPR Article 6(1)(e) – the performance of a task carried out in the public interestGDPR Article  9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
For commissioning and healthcare planning purposes

 

e.g., collection of mental health data set via NHS Digital or local

 

GDPR Article 6(1)(c) – compliance with a legal obligation

 

 

GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

 

Special category 9(2)(i) – public interest in the area of public health

For planning and running the NHS (other mandatory flow)

 

e.g., CQC powers to require information and records

GDPR Article 6(1)(c) – compliance with a legal obligation (the GP practice)

 

Regulation 6(1)(e) – the performance of a task carried out in the public interest (CQC)

GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

 

Special category 9(2)(i) – public interest in the area of public health

For planning & running the NHS – national clinical auditsGDPR Article 6(1)(e) – the performance of a task carried out in the public interestGDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

 

Special category 9(2)(i) – public interest in the area of public health

For researchGDPR Article 6(1)(f) – legitimate interests…except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject.

 

GDPR Article 6(1)(e) – the performance of a task carried out in the public interest

GDPR Article 6(1)(a) – explicit consent

GDPR Article 9(2)(j) – scientific or historical research purposes or statistical purposes
For safeguarding or other legal dutiesGDPR Article 6(1)(e) – the performance of a task carried out in the public interest

 

Regulation 6(1)(c) – compliance with a legal obligation

GDPR Article 9(2)(b) – purposes of carrying out the obligations of ..social protection law.
When you request us to share your information e.g., subject access requestsGDPR Article 6(1)(a) – explicit consentGDPR Article 9(1)(a) – explicit consent

The recipients and categories of recipients of personal data

We may share information about you with other health professionals where they have a genuine need for it to support your care, as follows.

Recipient of dataReason or purpose
Leeds Care RecordPrimary, secondary or emergency care
Summary Care Record (SCR)Secondary or emergency care
Leeds Teaching Hospitals TrustSecondary or emergency care
Other national providers of health care who you choose to be referred to, in consultation with your healthcare professionalSecondary or specialist care
Leeds & York Partnership Foundation TrustMental health & learning disability services
Mid-Yorkshire Hospitals TrustDiabetic eye-screening services
Leeds Community Healthcare TrustDistrict Nursing and other community services
NHS National Diabetes Prevention ProgrammeInformation and lifestyle education
Local Care DirectOut of Hours primary care provider
Leeds City CouncilSocial Care services
Connect Well/PEP or other similar serviceSocial prescribing
“One You”Provider of heathy lifestyle services
Forward LeedsProvider of drug & alcohol services

From time to time we may offer you referrals to other providers, specific to your own health needs- in these cases we will discuss the referral with you and advise you that we will be sharing your information (generally by referral) with those organisations.

The details of transfers of the personal data to any third countries or international organisations

As Leeds GP Confederation, the only occasions when this would occur would be if you specifically requested this to occur- the Leeds GP Confederation will never routinely send patient data outside of the UK where the laws do not protect your privacy to the same extent as the law in the UK.

Retention periods for your personal data

Leeds GP Confederation temporarily retains some personal data on the Extended Access Appointments System as part of the appointment booking process. This consists of: patient name, gender, address, telephone number, date of birth, NHS Number, and GP practice. This information is automatically removed from the system a few weeks after your appointment with the Extended Access Service has taken place.

As long as you are registered as a patient with a GP surgery, your paper records are held at the practice along with your GP electronic record. If you register with a new practice, they will initiate the process to transfer your records. The electronic record is transferred to the new practice across a secure NHS data-sharing network and all practices aim to process such transfers within a maximum of 8 working days. The paper records are then transferred which can take longer. Primary Care Services England also look after the records of any patient not currently registered with a practice and the records of anyone who has died.

Once your records have been forwarded to your new practice (or after your death forwarded to Primary Care Services England), a cached version of your electronic record is retained in the practice and classified as “inactive”. If anyone has a reason to access an inactive record, they are required to formally record that reason and this action is audited regularly to ensure that all access to inactive records is valid and appropriate.  We may access this for clinical audit (measuring performance), serious incident reviews, or statutory report completion (e.g., for HM Coroner).

A summary of retention periods for medical records can be found on the BMA website

The rights available to you in respect of data processing

Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these will rights apply equally, as certain rights are not available depending on situation and the lawful basis used for the processing- for reference these rights may not apply are where the lawful basis we use (as shown in the above table in the section on “lawful bases”) is:

Right to be informed

You have the right to be informed of how your data is being used. The propose of this document is to advise you of this right and how your data is being used by the practice

The right of access

You have the right of access You have the right to ask us for copies of your personal information- this right always applies. There are some exemptions, which means you may not always receive all the information we process.

The right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

The right to erasure

You have the right to ask us to erase your personal information in certain circumstances- This will not generally apply in the matter of health care data

The right to restrict processing

You have the right to ask us to restrict the processing of your information in certain circumstances You have to right to limit the way in which your data is processed if you are not happy with the way the data has been managed.

The right to object

You have the right to object to processing if you disagree with the way in which part of your data is processed you can object to this- please bear in mind that this may affect the medical services we are able to offer you

Rights in relation to automated decision making and profiling.

Your rights in relation to automated processing – Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.

Typically, the ones used in the practice may include:

Qrisk – a cardiovascular risk assessment tool which uses data from your record such as your age, blood pressure, cholesterol levels etc to calculate the probability of you experiencing a cardiovascular event over the next ten years.

Qdiabetes– a diabetes risk assessment  tool  which uses your age, blood pressure, ethnicity data etc to calculate the probability of you developing diabetes.

CHADS – an assessment tool which calculates the risk of a stroke occurring for patients with atrial Fibrillation

This is not an exhaustive list- other tools may be used depending on your personal circumstances and health needs, however whenever we use these profiling tools, we assess the outcome on a case-by-case basis. No decisions about individual care are made solely on the outcomes of these tools, they are only used to help us us assess your possible future health and care needs with you and we will discuss these with you.

The right to data portability

Your right to data portability This only applies to information you have given us- you have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so will only apply in very limited circumstances

The right to withdraw consent

Because under the provisions of Data Protection Law most of the data processing activities carried out by the practice are not done under the “lawful basis” of consent you cannot withdraw consent as such, however if you are not happy with the way your data is being processed you do have the right to object and the right to ask us to restrict processing.

There is a new national opt-out that allows people to opt out of their confidential patient information being used for reasons other than their individual care and treatment. The system offers patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out can be found online.

In the past, you may have already chosen to prevent your identifiable data leaving NHS Digital, known as a Type 2 opt-out. All existing Type 2 opt-outs will be converted to the new national data opt-out and this will be confirmed by a letter to all individuals aged 13 or over with an existing Type 2 objection in place. Once the national data opt-out is launched, it will no longer be possible to change preferences via local GP practices.

The right to lodge a complaint with a supervisory authority.

If you are happy for your information to be used, and where necessary shared, for the purposes described in this notice then you do not need to do anything.

Should you have any concerns about how your information is managed at Leeds GP Confederation, please contact us:

If you are still unhappy following a review by Leeds GP Confederation, you can then complain to the Information Commissioners Office (ICO) via: