September 2023
The Purpose of Lisburn City Practice
Our purpose is to provide General Medical Services to the patients on our list. We also have a role to
play as an educational and training Practice, with links to Queen’s University, Belfast to help with
educating medical students.
We make a commitment to our patients that we will endeavor to protect their information and use it
appropriately and responsibly.
Data Controller and Data Protection Officer
Lisburn City Practice is the Data Controller. It is the Controller’s task to set the standard in terms of
looking after the data we collect. Dr V Cupples is the Data Protection Officer, tasked with
recommending changes to policies and being a point of access for patients. If you have any questions
about this Data Protection Policy, or would like to access your records, please contact the practice in
writing.
Updating the Policy
This policy will need to be changed from time to time. We will keep an updated version on our website
and we invite you to re-check it periodically. We will alert you to any significant changes with notices
on our website, posters around the Practice and on the right-hand side of prescriptions.
Legal Basis
The legal basis for the Practice collecting, using and sharing our patients’ medical data is provided in
two ways. Article 9 of the GDPR legislation explains that information that is more sensitive requires
special category status. For us that status is covered by Article 9(h):
(h) processing is necessary for the purposes of preventive or occupational medicine, for the
assessment of the working capacity of the employee, medical diagnosis, the provision of health or
social care or treatment or the management of health or social care systems and services on the
basis of Union or Member State law or pursuant to contract with a health professional and subject to
the conditions and safeguards referred to in paragraph 3;
Our right to collect, use and share health data is covered by Article 6 – it is the official purpose of our
organisation.
There are also times when it is our legal obligation to share medical information, for example, with the
DVA or the PSNI.
Because of the nature of our work, we do not require specific consent from patients to carry out our
usual activities with health data.
However, there are times when we require specific consent to share information, for example if an
insurance company or solicitor requests medical information about a patient.
We may also process data for medical research but it is unlikely we would do so without asking for a
patient’s specific consent, if the data can be identified to a particular patient.
Patients do have the right to object to their data being processed in certain circumstances, but the
Practice may argue that there are compelling or legal grounds for the processing.
Keeping your records up to date
GDPR requires that the information we keep is kept up to date. We rely on our patients to tell us if
they have moved house, or had medical treatment abroad. For our part, we will update your medical
records at each consultation with a doctor or a nurse (either face to face, or by telephone), and with
any relevant information we receive from hospital, community or social services providers (eg new
diagnoses, change in circumstances).
These are the ways we collect health data
• New babies being registered with the Practice – a form from the Registrar of Births, Deaths
and Marriages signed by a parent or legal guardian
• Other patients joining the Practice – medical records forwarded to us by the BSO from
previous GPs or other healthcare providers
• Existing patients
    • Computerised medical records added to by GP during consultations
    • Letters received from other health service providers, eg hospitals, private
    consultants, community services etc which are scanned into patient records
    • Patient notes added to patient records as a means of internal communication eg
    passing on requests for medications
    • Medical notes added to by administrative staff, pharmacists, nursing staff
    following consultations or telephone calls
    • Requests for patient’s medical records or reports for solicitors, insurance
    companies etc
    • Reports written by GPs including reports written for solicitors, insurance
    companies, government departments etc
    • Copies of referral letters sent to other providers of medical services, eg hospitals,
    private consultants, community services etc
People who we share your health data with
• Other medical professionals eg referrals to hospitals, private consultants,
community services
• Electronic Care Record (ECR) – prescribing and allergy information is included in
the ECR from patient records in the Practice. Patients should be asked to give
their consent each time the ECR is accessed unless consent has been given for
one year. Consent may not be required if records need to be accessed in the
best interests of the patient or for a legal reason. ECR data is shared across the
health service in Northern Ireland but there is no access to GP consultation
records.
• Business Services Organisation (BSO) – holds the central database of patients in
Northern Ireland and we send changes to patient data online to them eg change
of name or address. When patients leave the Practice or die, their full notes are
returned to the BSO.
• Clinical Computer System supplier (EMIS) – we might send patient specific data
to them if we need them to fix a particular IT problem that relates to that patient.
• BSO Fraud Office and doctors working with them. The Practice has a Probity
Visit once every 3 years and the BSO has access to patient specific data to
check that claims made to the NHS for services the Practice has provided are
legitimate.
• Northern Ireland Medical and Dental Training Agency – medical representatives
check the standard of record keeping as part of their three-yearly visits to assess
our suitability as a training practice.
• Students from Queen’s University Belfast. The Practice is a Queen’s Medical
School Teaching Practice and we regularly have medical students attending the
Practice. As part of their educational experience, they may see patients (with the
patient’s consent) and record their consultations on the computer, or they may
undertake audit work.
• Government Departments – the Practice, by law in most cases, responds to
requests for health data from government departments including:
    • Blue Badge Scheme
    • Department for Communities
    • Department for Infrastructure
    • Department of Justice
    • Occupational Health
    • Driver and Vehicle Agency
    • Capita for PIP Claims
    • The Appeals Service
    • PSNI for Firearms and Explosives licensing
• Pharmacies – if you have arranged for a pharmacy to collect your prescriptions, or
asked us to fax an emergency prescription, or have asked us to provide prescriptions
to a company eg for stoma care products.
• Northern Ireland Screening Services including:
    • Bowel Cancer Screening
    • Cervical Cancer Screening
    • Aortic Aneurysm Screening
    • Breast Cancer Screening
    • Diabetic Retinopathy Screening
• Solicitors and Insurance Companies or Agents – but only with a patient’s express
consent.
• Postal sort – to print and post patient letters.
• iGPR – We use a processor, iGPR Technologies Limited (“iGPR”), to assist us
with responding to report requests relating to your patient data, such as subject
access requests that you submit to us (or that someone acting on your behalf
submits to us) and report requests that insurers submit to us under the Access to
Medical Records Act 1988 in relation to a life insurance policy that you hold or
that you are applying for. iGPR manages the reporting process for us by
reviewing and responding to requests in accordance with our instructions and all
applicable laws, including UK data protection laws. The instructions we issue to
iGPR include general instructions on responding to requests and specific
instructions on issues that will require further consultation with the GP
responsible for your care.
What to do if you don’t want your information shared
Please tell us if you don’t want your information to be shared – either in some or all circumstances.
We can make a note on your record that will ensure that your records can only be accessed by a
health professional in the Practice (ie no administrative staff will be able to look at your records), or we
can block your health data so that it can’t be accessed by other health service bodies, eg the Electronic
Care Record.
Transferring your data outside the EEA
The Practice does not transfer data outside the EEA.
How long do we keep patient information?
We keep paper records for the lifetime of our patients, or until they leave the Practice, at which time
they are transferred to the BSO. We archive computer records for patients who have left or died but
their records remain accessible on our system.
Your rights under the General Data Protection Regulations
1. The right to be informed
This Policy will be available to access in the Practice and on our website. It will be updated
periodically when there are changes to the way we deal with your data or new services come online.
2. The right of access
Individuals have the right to access their personal data and a request can be made verbally or in
writing. We have one month to respond to a request and in most circumstances we cannot charge a
fee.
3. The right to rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it
is incomplete. We have one month to respond to a request and in some circumstances we may refuse
this request.
4. The right to erasure
The GDPR introduces a right for individuals to have personal data erased. Individuals can make a
request for erasure verbally or in writing and we have one month to respond. The right is not absolute
and only applies in certain circumstances. For legal reasons, we will not remove information from
patient records, but will note that the patient has requested erasure and the reason.
5. The right to restrict processing
Individuals have the right to request the restriction or suppression of their personal data. This is not an
absolute right and only applies in certain circumstances (please see above, What to do if you don’t
want your information shared).
An individual can make a request for restriction verbally or in writing and we have one month to
respond.
6. The right to data portability
This right only applies to information an individual has provided to a controller. In our case this is
usually the information provided on a New Patient Questionnaire.
7. The right to object
The GDPR gives individuals the right to object to the processing of their personal data in certain
circumstances, including an absolute right for data being used for direct marketing. The Practice does
not undertake direct marketing of any sort.
In some cases where the right to object applies we may be able to continue processing if we can
show that we have a compelling reason for doing so, for example, GPs will need to process your
medical data in order to treat you.
An individual can make an objection verbally or in writing and we have one calendar month to
respond.
8. Rights in relation to automated decision making and profiling
The GDPR has provisions on:
• automated individual decision-making (making a decision solely by automated means
without any human involvement); and
• profiling (automated processing of personal data to evaluate certain things about an
individual). Profiling can be part of an automated decision-making process.
The Practice does not undertake any type of automated decision making or profiling.
9. How do we keep your information secure?
The BSO is responsible for providing data processing services to General Practice which they know
to be secure. They provide EMIS WEB, our clinical computer system, and Apollo, our document
scanning solution. They provide Health & Social Care internet facilities which provide secure email
links between NHS organisations and secure access to the internet.
There is a facility to access the processing systems remotely (eg working from home). Secure systems
are set up for remote access.
Within the Practice, access to processing systems is by individual logins and passwords. Every
member of staff has a paragraph in their Contract of employment requiring them to maintain patient
confidentiality in all aspects of their work.
Complaints about how we handle your personal data
In the first instance, please speak to us so that, if possible, we can fix the problem. If you are not
happy with our response you can lodge a complaint with the Information Commissioner’s Office. The
ICO is the UK’s data protection regulator and you can contact them online at
www.ico.org.uk/concerns or by calling 03031231113.