Accessibility

Pearl Medical Practice

Pearl Medical Practice, Wembley Centre for Health & Care, Ground Floor, 116 Chaplin Road, HA0 4UZ

TelTelephone: 0208 795 6180

Out of hours: 0300 130 3015

Coronavirus (COVID-19) response transparency notice – (up-dated 25 February 2021)

Tuesday, 29 September 2020

Purposes for which we may process your data

The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19).

Action to be taken requires the collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak. This notice describes how we may use your information to protect you and others during the COVID-19 outbreak.

To support the healthcare response to COVID-19, NHS Digital has been directed by the Secretary of State for Health and Social Care (the Secretary of State) and NHS England under the COVID-19 Directions to:

  • establish information systems to collect and analyse data in connection with COVID-19; and
  • develop and operate IT systems to deliver services in connection with COVID-19

COVID-19 Public Health Directions 2020

  • internal

COVID-19 Public Health NHS England Directions 2020

  •  internal

We may also be requested by the NHS in Scotland, Wales and Northern Ireland to collect, analyse and disseminate data for them, including information about residents of these countries.

Examples of some of the purposes for which NHS Digital may process personal data under the COVID-19 Directions and in response to these requests may include processing personal data for the purposes of:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
  • identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
  • understanding information about patient access to health services and adult social care services as a direct or indirect result of COVID-19, and the availability and capacity of those services
  • monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
  • delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services
  • research and planning in relation to COVID-19

Examples of some of the specific work we have done and how we have used data for COVID-19 purposes

  • internal

The controller of your personal data

Under the General Data Protection Regulation 2016 (GDPR), NHS Digital is the controller of your personal data where we are directed or requested to process personal data for COVID-19 purposes. We are also a joint controller with the person who has directed or requested us to do this work. This may be the Secretary of State for Health and Social Care, NHS England or an NHS body in Scotland, Northern Ireland or Wales.

Where we share data, NHS Digital is usually the sole controller, unless we have been directed to share the data by the Secretary of State or NHS England, in which case we will be joint controllers.

Our legal basis under GDPR

Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation and we are allowed to do this under Article 6 (1)(c) of GPDR.

Where we process personal data as part of our statutory functions, including where requested by other bodies, for example. by the NHS in Scotland, Wales or Northern Ireland, this is part of our public task. We are allowed to do this under Article 6(1)(e) of GDPR.

Where we need to process health data and other special categories of personal data, we will only do this where it is necessary as part of our statutory functions. Under GPDR we are allowed to do this where it is necessary for substantial public interest reasons (Article 9(2)(g)), where it is necessary for healthcare purposes (Article 9(2)(h)), where it is necessary for public health purposes (Article 9(2)(i)) or where it is necessary for scientific research or statistical purposes (Article 9(2)(j)).

We are also allowed to share your personal data under GDPR where it is necessary for us to do so for one of the purposes explained above.

More information can be found in the Who we share your data with section.

Types of personal data we process

The types of personal data we may process in response to COVID-19 include:

  • demographic data – your name, date of birth, sex, NHS number and your contact details such as your address, telephone numbers and email address
  • health information – information relating to your health and the care you have been provided – this may include information about medical conditions, treatments, prescription information, care episodes, hospital admission and discharge information, test results, including tests relating to COVID-19, information on whether you are self-isolating
  • information collected as part of our online services which we need to help maintain the security and performance of our website and also to help us understand how our services are used so that we can make improvements. This may include information such as your IP address, technical log events, the type of browser you’re using and the actions you took when using these services

We will only process the minimum data necessary to achieve our purposes.

How we obtain your personal data

Collecting personal data from you directly

We may collect personal data from you directly, in which case we will tell you at the time the purposes for which we will use your data in a privacy or transparency notice.

Examples of where we have done this for COVID-19 purposes are the Isolation Note Service and the service to Get text messages from the NHS about coronavirus. We will not collect more information than we require, and we will ensure that any personal data collected is treated with the appropriate safeguards.

Collecting personal data from other organisations

We may also collect personal data from other organisations, including health and social care organisations, for example from Public Health England, NHS Trusts, GP Practices, Local Authorities, NHS England, the Department of Health and Social Care and other government departments.

Usually we do this by issuing the organisation with a Data Provision Notice. This requires or requests those organisations to provide us with data where this is necessary for us to perform our functions under the Health and Social Care Act 2012.

Examples of our Data Provision Notices

  • internal

Who we share your data with

The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

The Health Service (Control of Patient Information) Regulations 2002 allow confidential patient information to be used and shared appropriately and lawfully in a public health emergency and are being used during this outbreak.

Using these regulations, the Secretary of State has issued legal notices requiring NHS Digital, NHS England and Improvement, Arms-Length Bodies (such as Public Health England), local authorities, health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use patient information.

Details of legal notices requiring organisations to share information

  •  external
  • Coronavirus (COVID-19): notification to organisations to share information

NHS Digital also has a number of legal powers under the Health and Social Care Act 2012 to share data with organisations where it is necessary for particular purposes.

We may, therefore, share your personal data using these powers, or under the legal notice mentioned above, with other health and care organisations for the purposes of your individual care and treatment or for planning, commissioning and research purposes.

We may also share your personal data with approved researchers, including for the purposes of carrying out clinical trials. We will only share your data with other organisations where this is lawful and and in line with data protection law.

Types of organisations we may share your data with

The types of organisations we may share your data with include:

  • the Department of Health and Social Care and other government departments, as part of the government response to coronavirus
  • NHS England
  • Public Health England
  • GPs
  • Clinical Commissioning Groups
  • Local Authorities
  • other NHS, health, or social care organisations
  • NHS bodies in Scotland, Wales and Northern Ireland
  • research bodies, such as universities and hospitals

We may also share your information with organisations who process personal data for us on our behalf. They are called Processors. Where we use Processors we have contracts in place with them which means that they can only process your personal data on our instructions. Our Processors are also required to comply with stringent security requirements when processing your personal data on our behalf.

We will also publish data we have obtained for COVID-19 purposes which is anonymous, so that no individuals can be identified from that data. This will enable NHS and other organisations to use this anonymous data for statistical analysis and for planning, commissioning and research purposes as part of the response to coronavirus.

Examples of data we have published as part of our response to COVID-19

  • internal

How long we keep your personal data for

We will only retain your personal data for as long as is necessary for the purposes for which we obtained it and in accordance with the following:

Records Management Code of Practice for Health and Social Care 2016

  • internal

NHS Digital’s Records Management Policy

  • asset

Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.

Where we store the data

NHS Digital only stores and processes your personal data within the United Kingdom.

Fully anonymous data, for example, statistical data, which does not allow you to be identified, may be stored and processed outside of the UK. Some of our Processors may process your personal data outside of the UK. If they do we will always ensure that the transfer outside of the UK complies with data protection laws.

Your rights over your personal data and further information

To read more about the health and care information NHS Digital collects, our legal basis for collecting this information, and what choices and rights you have, see How we look after your health and care information and our General transparency notice.

We may make changes to this transparency notice. If we do, the date at the top of the notice will also change. Any changes to this notice will apply immediately from the date of any change.

The purposes for processing your personal information

Researchers from across the UK, led by the University of Oxford, produced a risk prediction model called QCovid® as part of a clinical research project. This combines a number of factors such as age, sex registered at birth, ethnicity, BMI and specific health conditions and treatments to estimate the risk of a person catching and becoming seriously unwell with coronavirus.

NHS Digital has been asked by the CMO to use QCovid® to identify people in England who may be at high risk of becoming seriously unwell from coronavirus, but who have not currently been identified as high risk (clinically extremely vulnerable).

NHS Digital has therefore developed the COVID-19 Population Risk Assessment, which uses QCovid® and patient data held in existing NHS Digital datasets, to identify those people with relevant factors or health issues, to assess their risk. NHS Digital generates risk assessment results for each of these people. Those with a result above an agreed threshold set by the CMO in consultation with senior clinicians, are considered to be potentially high risk (clinically extremely vulnerable).

A cautious approach has been taken, so there is a chance that a person’s risk is lower than the risk assessment has indicated. This is because, where data was missing from the NHS Digital datasets, the risk assessment uses default values which may overestimate a person’s risk. This cautious approach is to reduce the risk of underestimating people’s risk and excluding them from the group who will be added to SPL. This approach was agreed by the CMO as clinically the most appropriate to ensure that those people who may be at high risk can receive advice and support on how to protect themselves and can be prioritised for a coronavirus vaccination.

People who are identified as potentially high risk (clinically extremely vulnerable) will therefore be prioritised for coronavirus vaccination and will be added to the SPL, which is maintained by NHS Digital.

The QCovid® Calculation Engine and the COVID-19 Population Risk Assessment are each registered as medical devices with the Medicines and Healthcare products Regulatory Agency (MHRA).

Read more about the COVID-19 Population Risk Assessment and QCovid®, including the research behind it, the data it uses and how it works.

Types of personal information we are processing

In order to identify people who may be at high risk of catching and becoming seriously unwell with coronavirus, we process the following information about relevant people in England:

  • NHS Number
  • date of birth
  • sex registered at birth
  • ethnicity
  • height, weight and Body Mass Index
  • postcode (to identify a Townsend deprivation score, a well-known way of measuring deprivation based on data from the 2011 Census)
  • information about whether you live in your own home, are homeless or resident of a care home (based on your address)
  • health related data (in the form of condition codes held in central NHS records), including data about certain:
    • cardiovascular diseases
    • respiratory diseases and treatment
    • metabolic, renal and liver conditions
    • neurological and psychiatric conditions
    • autoimmune and haematological conditions
    • immunosuppressants, cancer conditions and treatments

Get a full list of health conditions and treatments.

Whose data we are processing

Only information about the following people is processed:

  • people aged 19-100 who could potentially meet the threshold for being considered potentially high risk (clinically extremely vulnerable)
  • people who have not previously been identified by existing SPL processes

Records for people who have already been identified as CEV and who are therefore already on the SPL are not included. Records of people who have previously been removed from the SPL by their GP or hospital doctor are also not included.

Our legal basis to process your personal information

NHS Digital has been directed by the Secretary of State for Health and Social Care (secretary of state) under s254 of the Health and Social Care Act 2012 (2012 Act) to collect and analyse data for coronavirus (COVID-19 purposes) under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).  This includes identifying people who are potentially high risk (clinically extremely vulnerable) by using the COVID-19 Population Risk Assessment.

We are therefore joint controllers under the UK General Data Protection Regulation (GPDR) with the secretary of state for the personal data we are processing for this purpose.

Under the UK General Data Protection Regulation (GDPR), NHS Digital is processing your personal data:

  • under Article 6(1)(c) – Legal Obligation – under the COVID-19 Direction
  • under Article 9(2)(g)  – because we consider that this processing is necessary for reasons of substantial public interest, to identify those individuals who are most at risk of catching and becoming seriously unwell from coronavirus in order to provide them with advice on how to protect themselves and to prioritise them for the COVID-19 vaccination
  • under Paragraph 6, of Part 2 of Schedule 1 of the Data Protection Act 2018 – Statutory and Government Purpose – under the COVID-19 Direction.

Who we share your information with

GP practices (GPs) and hospitals will receive information about their own patients who have been identified as potentially high risk (clinically extremely vulnerable) by the COVID-19 Population Risk Assessment through the SPL.

GPs will also be able to securely access information held by NHS Digital about their own patients who were assessed as part of the COVID-19 Population Risk Assessment but not identified as high risk (clinically extremely vulnerable), in order to review their risk assessment results.

Clinicians can add or remove a patient from the SPL at any time and will continue to review whether patients are clinically extremely vulnerable an ongoing basis, according to their clinical judgement and when a patient requests this.

How long we keep your personal data for

Data will be processed until the expiry of the COVID-19 Directions which is currently 31 March 2022 (unless extended).  Data shall be retained for 8 years from the expiry of those Directions in accordance with the Records Management Code of Practice for Health and Social Care 2016 and the NHS Digital Records Management Policy.

Your rights over your personal data

To read more about the health and care information NHS Digital collects, our legal basis for collecting this information and what choices and rights you have, see how we look after your health and care information, our general transparency notice and our Coronavirus (COVID-19) response transparency notice

We may make changes to this transparency notice. If we do, the ‘last updated’ date at the top of the notice will also change. Any changes to this notice will apply immediately from the date of any change.

 

Practice Information

Pearl Medical Practice

Pearl Medical Practice, Wembley Centre for Health & Care, Ground Floor, 116 Chaplin Road, HA0 4UZ

Practice Opening hours

The practice is open during the following times:

Monday09:00-18:30
Tuesday09:00-18:30
Wednesday09:00-18:30
Thursday09:00-18:30
Friday09:00-18:30
SaturdayClosed
SundayClosed

Practice News

DEADLINE FOR REGISTERING YOUR OPT-OUT

DEADLINE FOR REGISTERING YOUR OPT-OUT IS  This collection will start on 1 September 2021.  If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out. This collection will start on 1 July 2021 so if you do not want your data […]

General Practice Data for Planning and Research data collection

 General Practice Data for Planning and Research data collection The purpose of the data collection is to support the provision of general practice data for planning and research. All data collected will be pseudonymised by GP system suppliers on behalf of their GP practices before the data is sent into NHS Digital, the national custodian […]