Coronavirus (COVID-19): As we remain alert, please remember to bring an appropriate face covering if you are visiting the practice.

If you or a member of your household have a new continuous cough, a high temperature or a loss in or change of your sense of smell or taste,
please DO NOT come to the GP surgery unless requested to do so by a member of our team. Instead, please self isolate immediately in case you have COVID 19.
You must use the NHS 111 online coronavirus assessment and testing service or call 111 if you cannot get help online.

Coronavirus (COVID-19): As we remain alert, please remember to bring an appropriate face covering if you are visiting the practice.

Coronavirus (COVID-19): As we remain alert, please remember to bring an appropriate face covering if you are visiting the practice.

If you or a member of your household have a new continuous cough, a high temperature or a loss in or change of your sense of smell or taste,
please DO NOT come to the GP surgery unless requested to do so by a member of our team. Instead, please self isolate immediately in case you have COVID 19.
You must use the NHS 111 online coronavirus assessment and testing service or call 111 if you cannot get help online.

Coronavirus (COVID-19):

We use secure, NHS approved software to provide video consultations safely and effectively for our patients.

We use secure, NHS approved software to provide video consultations
safely and effectively for our patients.

Accessing our services – update Dec 2021

Dear patients,

We have changed the way we book our appointments in response to the latest Government guidance on COVID-19, offering a range of ways for you to safely get the help and support you need. We are open and continuing to care for our patients.

Patients who request an appointment will be assessed by telephone or online, and a clinician will determine how best to meet your care needs. You will be offered a face-to-face appointment if it is essential for you to be seen, or a video appointment if appropriate.

If you do not need to come into the surgery, you will be given appropriate self-care advice, treatment or information on what to do if you become more unwell.

Thank you for your understanding and cooperation during this time of unprecedented levels of demand on NHS services. Please treat our staff with dignity and respect.

Privacy Notice

cqc-ratings
nhs

Privacy Notice

Summary

Keeping your personal data safe is very important to us. Your personal data is stored in our secure clinical systems, and only those who are involved in delivering your care have access to your personal data.

We may share information about you with other General Practices (GPs), NHS acute or mental health Trusts, community health providers, pharmacists, ambulance services, social services, and NHS commissioning organisations who are directly involved in providing or funding your care needs. Your data will not be shared with anyone else, unless we are obliged by law.

We do not share your personal information with marketing and advertising companies.

We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

We will only share personal information about you with medical research organisations with your explicit consent, and you have the right withdraw your consent at any time.

A full list of the organisations we share information with, and why, is provided in the later section of this Privacy Notice.

Who we are

Operose Health is the brand name for a number of companies that provide primary healthcare services across England. A full list of all the companies can be found under the title “Entities and data protection registration numbers”.

What we do

At Operose Health, we are experts in working with complex health systems to provide the very best healthcare service to our patients and services users, and to transform their quality of healthcare experience. We are part of a global healthcare family with over 30 years’ experience of delivering high quality healthcare in the most simple and seamless way to our patients and service users, and we are committed to protecting and respecting their privacy.

Our portfolio of services includes primary care, community outpatient services and referral management services. We respect your right with regards to privacy and data protection when you communicate with us through our websites, events, telephone, or attend any of our face-to-face consultation services.

Your personal data is stored in our secure clinical systems, only those who are involved in delivering your care have access to your personal data. Your data will not be shared with anyone else, unless we are obliged by law.

Sharing your personal information

We may share information about you with other General Practices (GPs), NHS acute or mental health Trusts, community health providers, pharmacists, ambulance services, social services and NHS commissioning organisations who are directly involved in providing or funding your care needs. Your data will not be shared with anyone else, unless we are obliged by law.

We do not share your personal information with marketing and advertising companies.
We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

We will only share personal information about you with medical research organisations with your explicit consent, and you have the right withdraw your consent at any time.

A full list of the organisations we share information with, and why, is provided in the later section of this Privacy Notice.

What is this Privacy Notice about?

A privacy notice is a statement that describes how an organisation collects, use, retain and disclose personal data, or special categories of personal data. Different organisations sometimes use different terms, and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

Being transparent and providing accessible information to individuals about how an organisation will use their personal information is a key element of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. To ensure that we process your personal data fairly, lawfully and transparently we are required by law to provide you with the following information:

  • What information we collect and process about your
  • How we process your personal data
  • The purpose of processing
  • Recipients or categories recipients of your personal data
  • The identity of our Data Protection Officer
  • How long we retain personal information about you
  • The lawful bases for processing
  • Your rights – to view, request access copies of your personal information, or object to
    the processing of your personal information.

Types of personal information we process

At Operose Health, we process the following categories of personal information about our patients and service users:

Category Data Type
Identity data and contact details Such as name, date of birth, gender, NHS number, telephone number, postal address, postcode, email address (if provided) etc.
Support contact details Names, contact details of carers, relevant close relatives, next of kin and representatives
Special categories of personal data concerning physical, social or mental health condition. Such as medical history, diagnosis, treatments, test results, appointment, attendances, referrals, care plans, care packages, medication, medical opinions etc.
Special categories of personal with protected characteristics Such as racial or ethnic origin, religious or philosophical beliefs, genetic data, sexual life or sexual orientation data, child protection records, adoption records etc.
Aggregated data A combination of personal data, and special categories of personal data for the purpose of business intelligence and analytical services to enable us to predict future trends and plan our services.
Usage data Our websites use cookies to distinguish you from other user when you access our online services. A cookie is a small file of letters and numbers that we store on your browser when you consent to use of our online services. This helps us to provide you with a good experience when you browse our site and enable us to improve our site.

What we process your personal information for

We process personal information about you in a number of ways. These include:

  • Primary uses – we process personal information concerning your health to enable our registered and regulated healthcare professionals who are directly involved in your care to provide you with the best possible direct care delivery.
    Personal information concerning your health or social care is also made available to other health or social care provider organisations who are involved in your health or social care needs to enable them to make the best-informed decision about you when you use their service.
  • Secondary usesWe process your personal information for purposes of beyond direct care in the following ways:
  • Reviewing the care we provide through clinical audit.
  • Investigating your queries, complaints and legal claims.
  • Ensuring we receive payment for the healthcare you receive.
  • Preparing statistics on NHS performance.
  • Auditing NHS accounts and services.
  • Undertaking health research, and development (with your explicit consent, and you have the right choose whether or not to be involved).
  • For business intelligence and analytical services to enable us to predict future trends and plan our services.
  • Training and educating our healthcare professionals (with your explicit consent, and you have the right choose whether or not to be involved).

Our identity and contact details

Operose Health includes the entities listed in this Privacy Notice. We can be contacted at:

Operose Health
Rose House, Bell Lane Office Village
Bell Lane
Little Chalfont
Amersham
Buckinghamshire
HP6 6FA

Our Data Protection Officer

If you have any questions or concerns regarding how your data is being processed, please write to our Data Protection Officer who can be contact at:

Data Protection Officer
Operose Health
Rose House, Bell Lane Office Village
Bell Lane
Little Chalfont
Amersham
Buckinghamshire
HP6 6FA
Tel: 01494 690 999
Email: operosehealth.dpo@nhs.net

Organisations we share your personal information with

Included below is a table of the organisations we share information about you for the purposes of direct and indirect care, split into the following categories:

Direct Medical
Care and Administration
Recipients or categories of recipients of the personal or
special categories of personal data
Purpose of the processing Lawful basis
 UK General Data Protection Regulation (UK GDPR)
– Article 6 –
– Article 9 –
 Data Protection Act (DPA) 2018
– Section 10 –
– Schedule 1 –
NHS Trusts – Hospitals, Community or Mental Health Trusts.  Personal data concerning your health is shared with NHS Trusts to enable their healthcare professionals make the best-informed decision about your health needs, and to provide you
with the best possible care if you visit the hospital for routine care and referrals.Your personal information may also be processed for local administrative purposes such as:

  • Waiting list management.
  • Local clinical audit.
  • Performance against local targets.
  • Activity monitoring.
  • Production of datasets to submit for commissioning purposes and national collections.

Your electronic GP record is the source of information that is shared.
In accordance with DPA Part 1, Schedule 1 (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment;
the provision of social care, or the management of health care systems or services or social care
systems or services.

The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

Emergency Services (Ambulance trusts, police, A&E departments, out of hours
services, 111)
There are circumstances when intervention is necessary in order to save or protect a
patient’s life or to prevent them from serious immediate harm, for example, during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate.Medical professionals have a duty of care to share data in emergencies to protect their patients or other persons. In these circumstances, your GP medical record will be shared with emergency
healthcare services, the police or fire service in order to enable you receive the best treatment or service.Make pre-determined decisions about the type and extent of care you will receive in an emergency; these are known as “Advance Directives”.Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”, and DPA “provisions”:

  • GDPR Article 6(1) (d) – processing is necessary in order to protect the vital interests of
    the data subject.

The processing of special categories of personal data is permitted under the
following UK GDPR “conditions” and DPA “provisions”:

Pharmacists – Medicines Optimisation Medicines optimisation looks at the value which medicines deliver, making sure they are
clinically-effective and cost-effective. It is about ensuring patients get the right choice of
medicines, at the right time, and are engaged in the process by their clinical team.Medicines optimisation enables community pharmacies to request medication electronically from our GP
Practice and view relevant information from your GP record in order to provide you with the best
medicines.Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

Local Authority – Social Services Operose Health Group works closely with Local Authorities to support and care for people
of all ages to deliver the best possible social care.Personal data concerning your GP medical record may be shared with Local Authorities and
Multidisciplinary Team (MDT) delivering social care in order to enable them to make the
best-informed decision about your social care needs if required.Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

Care Homes If you are a residence of a Care Home, personal data concerning your GP record will be
shared with your care provider and other Multidisciplinary Team (MDT) looking after you to enable
them to provide you with the best possible care needs.Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

Other primary care services delivered for the purposes of
direct care
Recipients or categories of recipients of the personal or
special categories of personal data
Purpose of the processing

Lawful basis

 UK General Data Protection Regulation (UK
GDPR)

– Article 6 –

– Article 9 –

Data Protection Act (DPA) 2018

– Section 10 –

– Schedule 1 –

Integrated Urgent Care Service (IUC) – covering Out of Hours and NHS
111 service
Integrated Urgent Care Service (IUC) is an urgent care service
delivered across England for the provision of a functionally integrated 24/7 urgent care access,
clinical advice and treatment service for patients. IUC incorporates NHS 111 and Out of Hours (OOH)
services, which is often referred to as an IUC Clinical Assessment Service.The purpose of IUC is to ensure that patients receive the best possible healthcare service in their
community.If you visit the urgent care centre or call NHS 111 for health-related needs, personal data in your
GP record will be shared with healthcare professionals in order to enable them to make the best the
best-informed decision about your health needs.Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

Continuing Health Care (CHC) NHS Continuing Health Care (CHC) is free care outside of hospital that is arranged and
funded by the NHS to support living with complex medical conditions and on-going healthcare needs
which can be delivered in the patient’s home, at their care home or in non-acute hospitals.CHC is free, unlike support from social services for which a fee may be charged, depending on your
income and savings. CHC is different from NHS Funded Nursing Care, which some people with less
complex needs living in care homes receive.If you require CHC needs personal data concerning your GP medical record will be shared with the
care home or in non-acute hospitals looking after you.Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

   Statutory
Disclosures of Information
Recipients or categories of recipients of the personal or
special categories of personal data
Purpose of the processing

Lawful basis

UK General Data Protection Regulation (UK GDPR)
– Article 6 –
– Article 9 –
 Data Protection Act (DPA) 2018
– Section 10 –
– Schedule 1-

Safeguarding Concerns – to prevent an individual, or to prevent a
serious crime 
Some members of public are recognised as needing safeguarding protection, for example
children and vulnerable adults. If an individual is identified as being at risk from harm, we have a
duty to do what we can to protect that individual, and we are bound ‘Safeguarding’ laws to do so.Where there is a suspected or actual safeguarding issue, we will share information that we hold
about you with other relevant agencies such as local Ambulance trusts, the police, A&E
departments, out of hours services, 111 or social services.The source of the information shared in this way is your electronic GP record.Children Act 1989 requires local authorities to investigate where a child is
the subject of an emergency protection order, is in police protection or where there is a reasonable
cause to suspect that a child is suffering or is likely to suffer harm.
Care Act 2014 (safeguarding adults) sets out a clear legal framework for how
local authorities and other parts of the system should protect adults at risk of abuse or neglect.
Both Acts for Parliament require local authorities to safeguard and promote the welfare of children
and adults who are in need, and to request help from specified authorities including General
Practices, NHS Trusts, Clinical Commissioning Groups (CCGs) and NHS England.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • UK GDPR Article 9 (2) (c) – the processing is necessary to protect the vital interests of
    the data subject.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provision”:
Article 9 (2) (c) – the processing is necessary to protect the vital interests of the data subject.
In accordance with DPA Schedule 1, Part 2 (18) (1a) – the condition is met where
the processing is necessary for protecting an individual from neglect or physical, mental or
emotional harm, or protecting the physical, mental or emotional well-being of an individual
.

Related Legislations:
Section 47 of The Children Act 1989.
Section 45 of Care Act 2014

The Care Quality
Commission (CQC)
The Care Quality Commission (CQC) is a regulatory body established under the Health and
Social Care Act. The CQC regulates health and social care services in England to ensure that safe
health and care are provided. The law allows CQC to access identifiable patient data/medical records
in our clinical system for the purposes of their assessment and investigation of significant safety
incident.
The data may be shared with the CQC, its officers and inspection team that visit us from time to
time.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (c) – processing for legal obligation.
  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

  • GDPR Article 9 (2) (h) – processing is necessary for medical or social care treatment or,
    the management of health or social care systems and services.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

Law Enforcement and Regulatory Bodies In some circumstances we may be legally required to share personal information with law
enforcements and regulatory bodies (without the consent of the data subject) such as: the Police;
Courts of Justice; HMRC and DVLA for the purposes of prevention or detection of crime; apprehension
or prosecution of offenders; the assessment or collection of any tax or duty or, of any imposition
of a similar nature.
Our GPs are obliged to notify the DVLA when fitness to drive requires notification, but an
individual cannot or will not notify the DVLA themselves, and if there is concern for road
safety, which would be for both the individual and the wider public.
We will review each request based on its merits before deciding whether to release information to
the relevant authorities.
Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (c) – processing is necessary for compliance with a legal obligation.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provision”:

  • Article 9 (2) (G) – the processing is necessary for reasons of substantial public interest.
  • In accordance with DPA Schedule 1, Part 2, (10) (1c) – the condition is met where the
    processing is necessary for the prevention or detection of an unlawful act.
Medico-Legal Medico-Legal – Where a medical professional is holding personal data
for the purpose of providing medical reports in connection with legal action.
Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (c) – processing is necessary for compliance with a legal obligation.
  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provision”:

General Medical Council
(GMC)
General Medical Council (GMC) is a public body that
maintains the official register of medical practitioners in the United Kingdom. Its primary
responsibility is ‘to protect, promote and maintain the health and safety of the public’ by
controlling entry to the register, and suspending or removing members when necessary.
Under the Medical Act 1983, the GMC has the power to request access to a patient’s medical records
for the purposes of an investigation into a doctor’s fitness to practise.
Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (c) – processing is necessary for compliance with a legal obligation.
  • GDPR Article 6(1) (e) – public interest or in the exercise of official authority;

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provisions”:

Related Legislation:
The Medical Act 1983

The Parliamentary and Health Service Ombudsman The Parliamentary and Health Service Ombudsman was set up by Parliament
to provide an independent complaint handling service for complaints that have not been resolved by
the NHS in England and UK government departments, where you believe they have not acted properly
or fairly or have provided a poor service. To do this, the Ombudsman will need to collect and use
information we hold about you and your complaint.
The Parliamentary and Health Service Ombudsman is allowed to use your information for the purpose of
handling your complaint under the Parliamentary Commissioner Act 1967. This legislation also
protects information obtained for the purposes of investigating your complaint.
Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “conditions”:

  • GDPR Article 6(1) (a) – the data subject has given consent to the processing of his or her
    personal data.
  • GDPR Article 6(1) (c) – processing is necessary for compliance with a legal obligation.

The processing of special categories of personal data is permitted under the
following UK GDPR “conditions”:

  • GDPR Article 9 (2) (a) – the data subject has given explicit consent to the processing of
    those personal data for one or more specified purposes.

You do not have the right to object to the processing of your personal information, but you have the
right to withdraw your consent.

Related Legislation:

Parliamentary Commissioner Act 1967.

NHS Counter Fraud

 

Under the NHS Act 2006, investigations into fraud in the NHS may require access to
confidential patient information.
This means that we are compelled by the law to share your data with the NHS counter fraud team where
required.
Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (c) – processing is necessary for compliance with a legal obligation.
  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provision”:

Related Legislation:
S10
NHS Act 2006

Serious Crime Act 2007

NHS Digital – Statutory Data Collection NHS Digital is a national information and technology partner to the health and social
care system. NHS Digital use digital technology to transform the NHS and social care.NHS Digital carries out National Data collections/ extraction from the GP clinical
system. These include:
National Diabetes Audit (NDA) – A national monitoring system, auditing the care of
patients with diabetes. The data extracted for the purpose of NDA includes NHS Number, date of birth
and postcode, as well as clinical parameters related to diabetes. NDA is a mandatory data extraction
under section 259 of the Health and Social Care Act 2012, this means that
we are compelled by law to share your data
Individual GP Level Data (IGPLD) – A national monitoring system to enable NHS
Digital to provide GPs with clinical information on the care provision for their patients. The data
extracted includes the NHS number. IGPLD is a mandatory data extraction under 259 of the Health and Social Care Act 2012, this means that we are compelled
by law to share your data
FGM) – NHS Digital collects data on FGM within the NHS in England on behalf of the
Department of Health (DH). Data collected is used to produce information that helps improve NHS and
local authorities to improve on how they support women and girls who have had or, who are at risk of
FGM.
FGM Enhanced Dataset is a mandatory data extraction under section 259 of the Health and Social Care Act 2012, this means that we are compelled
by law to share your data when required.
Your electronic GP record is the source of information that is shared.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social
Care
The processing of personal data is permitted under the following UK
GDPR “condition”:

  • GDPR Article 6(1) (c) – processing is necessary for compliance with a legal obligation.
  • GDPR Article 6(1) (e) – processing is necessary for the performance of a task carried out in
    the public interest.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition”, and DPA “provision”:
GDPR Article 9 (2) (h) – processing is necessary for medical or social care treatment or, the
management of health or social care systems and services.
DPA Section 10 (1) (c) – processing is necessary for health and social care
purposes;

In accordance with DPA Schedule 1, Part 1, (2) – health or social care purposes
means the purposes of preventive or occupational medicine; medical diagnosis; the provision of
health care or treatment; the provision of social care, or the management of health care systems
or services or social care systems or services.

Related Legislation:
S259 of the Health and Social Care Act 2012
The processing is necessary for compliance with a legal and professional obligation to which we are
subject therefore, you do not have the right to object to the processing of your personal
information.

  Processors
Recipients or categories of recipients of the personal or
special categories of personal data
Purpose of the processing Lawful basis
UK General Data Protection Regulation (UK GDPR)
– Article 6 –
– Article 9 –
Data Protection Act (DPA) 2018
– Section 10 –
– Schedule 1-
EMIS Health
SystmOne – TPP
EMIS Health
and SystmOne – TPP provide clinical systems used by Operose Health Group to securely store and
process your medical records.Information about your personal health records is stored in your GP electronic record which is
accessed by our registered and regulated health and care professionals to provide you with the very
best care.
Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR condition:

  • GDPR Article 6(1) (e) – public interest or in the exercise of official authority.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition” and DPA “provision”:

Docman and Docmail Docman Limited act as a Processor and provides cloud-based
storage software for electronic patient document. This includes paper letters that we receive, scan
and upload to a patient record, as well as letters that we receive in an electronic format.
Generally, Docman enables primary health care organisations capture, file, workflow, view and manage
primary care documents efficiently.
Docmail enables primary health care organisations send letters, invoices and
documents directly from computers and other portable devices.
Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR condition:

  • GDPR Article 6(1) (e) – public interest or in the exercise of official authority.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition” and DPA “provision”:

Webpost Webpost are hybrid mail providers certified by the NHS and help GP Practices and other
health provider with hybrid mail solutions printing letters, reminders, test results with an
integrated secure email service.
Unlike conventional mail processes we use Webpost mail service to simplify our mailing process by
printing, folding, enveloping and stamping your appointment and referral letters or other documents
before delivering them to the Royal Mail for the final mile delivery.
Your electronic GP record is the source of information that is shared.
The processing of personal data is permitted under the following UK
GDPR condition:

  • GDPR Article 6(1) (e) – public interest or in the exercise of official authority.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition” and DPA “provision”:

PS Health More than ever healthcare providers need to be able to meet the demand for referral
services and optimise operations while improving patient experience. To do this, PS Health is
commissioned by Operose Health to provide automated health referral management services to enable
the organisation to deliver a safe and effective referral management service for its patients.Operose Health e-Referral system is integrated with PS Health digital platform to automate pathways
of care and connect patients with the right clinician, service and optimise clinical triage.Personal data concerning your health is processed by PS Health to enable you to receive the best
referral service if you visit the hospital for routine care and referrals.
The processing of personal data is permitted under the following UK
GDPR condition:

  • GDPR Article 6(1) (e) – public interest or in the exercise of official authority.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition” and DPA “provision”:

Redcentric Redcentric is commissioned by Operose Health Group to deliver
telephony services (including call recording) to enable our GP Practices and
Referral Management Centres to deliver a safe and secure patient service by being more responsive to
call demand around appointments, test results and prescription delivery.When you use our services for purposes such as telephone consultation, or you just want to speak to
a healthcare professional for advice, your call may be recorded and stored as part of the health
record, to enable us to provide you with the best possible care.
The processing of personal data is permitted under the following UK
GDPR condition:

  • GDPR Article 6(1) (e) – public interest or in the exercise of official authority.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition” and DPA “provision”:

In accordance with DPA Schedule 1, Part 1, (2) – health or social care purposes
means the purposes of preventive or occupational medicine; medical diagnosis; the provision of
health care or treatment; the provision of social care, or the management of health care systems
or services or social care systems or services.

Quality Medical Solutions
UK (QMS-UK)
QMS-UK are commissioned by NHS England to provide secure data processing solutions for
two services:

  • Child Health Information Service – information relating to children’s vaccinations.
  • National Diabetic Retinal Screening Service.

Your electronic GP record is the source of information that is shared.

The processing of personal data is permitted under the following UK
GDPR condition:

  • GDPR Article 6(1) (e) – public interest or in the exercise of official authority.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition” and DPA “provision”:

AccuRx Video Consultation system AccuRx is an NHS Digital approved a web-based video consultation
system
allows our healthcare professionals to carry out observations during their
consultations in the same way they would during a face-to-face appointment, to provide our patients
the with the best possible care.In the video consultation, healthcare professionals are able record the observations and outcome of
the consultation in the same way as a face-to-face consultation is recorded in the patient’s
electronic record and any agreed actions are carried out.  The connection prioritises ‘peer-to-peer’
between our registered health professionals and patient’s communication device, and follows NHS best practice guidelines on health and social care cloud
security.By using video consultations, it reduces any risk in bring patients to our Surgeries especially
during the current circumstances with COVID19.
The processing of personal data is permitted under the following UK
GDPR condition:

  • GDPR Article 6(1) (e) – public interest or in the exercise of official authority.

The processing of special categories of personal data is permitted under the
following UK GDPR “condition” and DPA “provision”:

Details of data linkage with other datasets

Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases, there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

Clinical Commissioning Groups within our geographical areas are responsible for processing de-identified and linked data under this category, on our behalf. We ensure that the Processor is legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Data retention period

All records held by Operose Health will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care 2020 and supplemented by our Records Management Standards.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements have all been considered.

The details of transfers of the personal data to any third countries or international organisations

We do not transfer personal data to any third countries or international organisations.

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These legislations require us to process your data only if there is a lawful basis for doing so and that any processing must be fair, lawful and transparent.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

Our appropriate technical and security measures include:

  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems.
  • The ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
  • A process regularly testing, assessing and evaluating the effectiveness of security measures, and ensure they comply with the concept of privacy by design and default;
  • Encryption; Firewalls / VPN; Password protected files; Restricted Access Folders and System Audit.

Cookies

Our websites use cookies to distinguish you from other user when you access our online services. A cookie is a small file of letters and numbers that we store on your browser when you consent to use of our online services. This helps us to provide you with a good experience when you browse our site and enable us to improve our websites.

We use the following cookies:

  • Strictly necessary cookies: These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to login to secure areas of our websites.
  • Analytical/performance cookies: They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our websites work, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies: These are used to recognise you when you return to our site. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
  • Targeting cookies: These cookies record your visit to our site, the pages you have visited and the links you have followed. We will use this information to make our site more relevant to your interests. We may also share this information with third parties for this purpose.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

Except for essential cookies, all cookies will expire after 12 months.

What are your general rights?

Where information from which you can be identified is held, you have the:

  • Right of access to view or request copies of the record
  • Right to rectification of inaccurate personal data or special categories of personal data
  • Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
  • Right not to be subject to any automated individual decision-making
  • Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine-readable format. Your right to portability shall apply only where:
    • data is processed by automated means, and
    • you provided consent to the processing or,
    • the processing is necessary for the fulfilment of a contract.

Right to object

In line with the Data Protection Legislation, you do not have the right to object to the processing of your personal information where:

  • The purpose of the processing is for direct provision of care or safeguarding concerns. As a primary care and community health provider, we have legitimate compelling grounds under the Health and Social Care Act 2012 to process your personal information for the purposes of direct care delivery, and to prevent an individual from harm, or to prevent a serious crime. This include personal information concerning your health which we share with other GP Practices, NHS acute or mental health Trusts, social services, community health providers and pharmacists who are also involved in your care.
  • The processing is necessary for compliance with a legal obligation to which we are subject. This includes information we share with statutory organisations, law enforcement and regulatory bodies such as NHS Digital (statutory data collection), NHS Counter Fraud, the Police, Courts of Justice, HMRC and DVLA.

You do not have the right to object to the processing of your personal information for risk stratification for indirect care purpose such as understanding the local population needs and plan for future requirement.

You have the right to opt-out of:

Right to erasure (right to be forgotten)

Your right to erasure (right to be forgotten) applies where you had given ‘consent’ to process your personal data and later withdrew the consent. Right to erasure does not apply to the extent where the processing of your personal health data is necessary for:

  • Compliance with a legal obligation which we are subject to, under the UK law or, for the performance of a task carried out in the public interest or, in the exercise of official authority vested on us;
  • medical purposes and/or for reasons of public interest in the area of public health;
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • the establishment, exercise or defence of legal claims.

Exercising your right or gaining access to the data we hold about you

By contacting us at the address below, you can exercise your rights at any time, or request to see or have copies of personal information we hold about you:

Data Protection Officer
Operose Health
Rose House, Bell Lane Office Village
Bell Lane
Little Chalfont
Amersham
Buckinghamshire
HP6 6FA
Email:
operosehealth.dpo@nhs.net

Right to complain

If you are dissatisfied with the way we process your data, please contact us and we will try to resolve your complaint. You also have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Web form: https://ico.org.uk/global/contact-us/

Entities and data protection registration numbers

Entity Name Data Protection Registration Number
Operose Health Limited ZA269280
AT Medics Limited Z9497012
AT Learning Limited ZA792188
AT Technology Services Limited ZA239650
Primary Care Partners Limited ZA688561
Operose Health Corporate Management Limited Z2932107
Operose Health (Group) Limited Z9518807
Operose Health (Group) UK Limited Z1159942
The Practice Surgeries Limited Z1159956
Chilvers & McCrea Limited Z7794195
The Practice U Surgeries Limited Z4783305
Phoenix Primary Care Limited Z1273035
Phoenix Primary Care (South) Limited Z3383510
Top