Privacy notice: Referral Support Service
We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about how we use your data.
This version was last updated by the GP Data Protection Officer on the 13 July 2023.
The purpose of this notice is to inform you of the way in which NHS Surrey Heartlands Integrated Care Board (ICB) uses information (including personal data) about you when we are providing Referral Support Services (RSS) for GP Practices. In this notice we will explain:
- Who we are and what we do
- The types of information we hold about people
- Who your information may be shared with
- How this information will be used and why we need to do this
- How your information will be kept secure and confidential
- How you can access a copy of the information we hold about you
- How you can object to the way we use this information
- The lawful basis for us to process your data
- What other rights you may have in relation to this information
- Data Protection Officer contact details
- How long we will keep your information
- How you can complain about the way your information is used
- Where to go if you require further information.
This guidance applies to users of Referral Support Services provided by NHS Surrey Heartlands ICB only.
This information is sometimes known as a ‘Privacy Notice’ or ‘Fair Processing Notice’ and it is a legal obligation under data protection legislation that we provide you with this.
We will review this information regularly and update it as required - so we would recommend that you check this webpage regularly to ensure that you remain informed about the way in which we use your information.
Who we are and what we do
The Referral Support Service (RSS) manages GP Practice referrals for further care and is provided by NHS Surrey Heartlands Integrated Care Board (ICB) on behalf of GP Practices in the following areas:
- Guildford and Waverley
- North West Surrey
- Surrey Downs
- East Surrey
A full list of Practices for which the ICB provides RSS services is available on the Surrey Heartlands website.
The RSS supports GPs to manage referrals by:
- Providing a central point for GP referrals;
- Supporting patients to book appointments and providing a range of times and clinicians for patients to choose from;
- Providing a central point of contact for patients.
Your GP will share your personal information with us in order that we can contact you and so that we can provide you with an appropriate referral for further healthcare.
The types of information we will use
To provide the RSS service the ICB will need to use the following types of data for individuals registered with GP Practices:
- Personal data - as defined by data protection legislation (including first and last name, address, telephone number, and NHS Number).
- Special categories of personal data - as defined by data protection legislation (including details of your physical and mental health that are held by your GP Practice).
- Non-Identifiable Personal Data – this includes:
- ‘Pseudonymised Personal Data’ where personal data which could be used to identify you has been replaced with a pseudonym. This information could potentially be used to identify you, if it was processed outside of the ICB and/or added to other information, so we ensure that we have robust controls in place to manage how this is used;
- Anonymised data – you cannot be identified from this, even if it is added to other information.
Who your information will be shared with
To deliver the RSS the ICB may share your personal data with other organisations, so that they can deliver health and care services to you.
This includes those to which you may be referred – e.g., Acute (Hospital) Trusts, GP Federations, your GP Practice, and community services providers.
How this information will be used
When delivering the RSS, the ICB acts as a Data Processor for your personal data and processes the data on behalf of your GP Practice, which is the Data Controller.
Referrals are processed either by a Clinician or by the Administration Team within the RSS, who are supported by clinicians with detailed knowledge of local healthcare services.
Personal data will be collected, recorded, and stored by the ICB for the purposes of direct healthcare. This data is used to contact you and so the ICB can refer you to a clinically appropriate service for further care.
This data will be securely transferred from your GP Practice to the ICB by an electronic system called the NHS E-Referral Service. This system is provided and managed centrally by NHS England to ensure that your referral is safe, secure, and only accessed by those people who need to see it.
Your data will be held securely on the E-Referral Service and on the computer system used by the RSS Team at NHS Surrey Heartlands ICB.
The lawful basis for us to process your data
Data protection legislation requires that we explain the lawful basis for us processing personal data. The activity involving personal data is carried out under the following lawful basis detailed within the General Data Protection Regulation (GDPR):
Where personal data is used Article 6(1)(e) applies as the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. Your GP Practice has official authority to provide direct healthcare for you as they have been commissioned to do this by NHS England and the ICB – please refer to the Privacy Notice on your Practice’s website for further information.
Where special categories of personal data (health data) are used Article 9(2)(h) applies as the “processing is necessary for the purposes of … the provision of health or social care or treatment or the management of health or social care systems and services.”
The Common Law Duty of Confidentiality is satisfied by an implied consent process (implied consent is where the person could reasonably expect their data to be used in this way and has not objected).
How you can object to your personal data being shared with the ICB
If you do not want your details to be shared by your GP with NHS Surrey Heartlands ICB, please let your GP know during your consultation, or contact your GP Practice Reception Team. Alternative options will then be discussed with you. Your objection may be over-ridden if it has a negative impact on your care and treatment. If this happens, the reasons for this will be explained to you.
How you can access a copy of the information held about you
You have the right to access a copy of the information we hold about you. Please contact your GP Practice to request a copy of your information held by the ICB for the RSS as all information is passed back to your GP Practice.
What other rights you may have in relation to this information
Everyone has rights regarding how their information can be used – please see below for further information and contact your GP Practice with any requests.
You have the right to be informed, which is met via this Privacy Notice and other information provided by your GP Practice.
You also have the following rights and you should contact your GP Practice if you wish to exercise these:
- You have the right to have your information corrected if it is not accurate. Please let your GP Practice know if you think the information we hold about you is not correct;
- You have the right to erasure and to request your information is deleted. We will do this if we or the GP Practice no longer require it for the purpose it was provided or to meet applicable contractual, regulatory or legal duties. Please note that this right does not apply to health data.
The ICB does not undertake any solely automated individual decision-making (e.g., making a decision solely by automated means without any human involvement) as part of providing the RSS.
Data Protection Officer Contact Details
Your GP Practice is the Data Controller for all data processed as part of the RSS. You can contact the Data Protection Officer Support service which supports Surrey Heartlands GP Practices by email at firstname.lastname@example.org
How your information will be kept secure and confidential
The ICB ensures that we keep your information (including personal data) secure and handles this in accordance with the 10 Data Security Standards arising from the National Data Guardian’s review, based around the following areas:
- People - ensure individuals undertaking work for the organisation are equipped to handle information respectfully and safely, according to the Caldicott Principles;
- Processes - ensure the organisation proactively prevents data security breaches and responds appropriately to any incidents or near misses;
- Technology - ensure technology used is secure and kept up to date. We demonstrate our compliance with the Data Security Standards via our annual NHS Data Security and Protection Toolkit submission.
Where ICB processing of personal data may potentially have significant negative impact on people we follow a privacy by design and default approach and will ensure that the Data Controller(s) undertakes a detailed Data Protection Impact Assessment to ensure that data protection and confidentiality related risks are identified and suitably mitigated.
How long we will keep your information for
All data on the NHS e-Referral Service will be deleted by your GP Practice in accordance with retention schedules and in line with their policies and procedures. All providers of NHS services have regard to the Records Management Code of Practice when determining how long to retain information.
Information temporarily stored on ICB systems (i.e., folders on ICB shared drives accessible to only the RSS Team) where the data has a short retention period will be securely destroyed by the ICB on behalf of Practices once it has reached its retention period.
How you can complain about the way your data is used
If you wish to complain about the way we use your information we would ask that you initially raise this to your GP Practice, as the data controller – please see their website for further information on how to do this.
However, you are entitled to also contact the Information Commissioner’s Office (ICO) if you have concerns about the way your information has been used and you can find their contact them by:
- Visiting their website: www.ico.org.uk
- Telephoning them on 0303 123 1113
Where to go if you require further information
For additional information on how your GP Practice uses your data please refer to the Privacy Notice on their website.
For additional information on how NHS Surrey Heartlands ICB RSS uses your personal information and ensures your privacy, please see the ICB’s ‘How we use your information’.
We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your data.
This version was last updated by the GP Data Protection Officer on the 13th July 2023.
If you would like any information on this notice translated into another language or alternative format such as large print, Braille, audio, or British Sign Language, please contact Surrey Heartlands.