Practice Policies & Patient Information
Data Protection Notice for Children and Young People
Who are NHS Lothian?
NHS Lothian are in charge of making sure that everyone who lives in our area have somebody to help them when they are sick. We do this by making sure there are hospitals, with doctors and nurses to look after you.
Why do we need to know things about you?
So we can help you when you’re not feeling well. We’ll ask you questions when you come to see us, or we might talk to some of the adults you know, like your mum and dad or your school. Sometimes we might need to give you medicine or take special pictures of your bones (it’s ok, it doesn’t hurt) and we keep this information in a book all about you called your Health Record. Some of the things you tell us will be written down on paper and some of them will be on a computer. In your record we keep:
- Your name, where you live and how old you are
- Who you live with and who looks after you
- What care we have given you
- Any photographs we take of you
- Results and scans of your body like X-Rays
We always keep your information private.
The things you tell us are private, like a secret, and most of the time we are not allowed to tell anyone else unless you (or your mum and dad) say it’s ok first. If we do talk to anyone about you without your permission, it will only be when it’s really important; to look after you, make you better, or keep you safe. We might tell:
- A police officer or somebody in your school who helps to keep you safe.
- Other people who look after you, such as a doctor or nurse in a different hospital or at your GP Practice.
- A researcher – Sometimes we need to use your information so doctors and nurses can learn new ways to make you and other people like you better – this is called research. When we do this, we remove things like your name, age and where you live so no one will know it’s about you.
The rules for looking after your records.
As we have private information about you, there are lots of rules that we need to obey – rules about how long we are allowed to keep your information, about how to stop anyone from taking it without permission, and about making sure that your record has information about you that is true. You are allowed to see all the information we have about you, and you can do this in different ways – you can ask your mum or dad to help you, or a different adult that you trust like your doctor or a teacher at school. There will usually be a form that you have to fill in, and you can get a copy of this form by asking somebody when you are in the hospital or by using the following contact details:
- Tel: 0131 242 3041 or 0131 242 3042
- Email: sarteam@nhslothian.scot.nhs.uk
Do you have any questions that you want to ask us?
If you want to ask us any questions about your records, then we have a special person called a Data Protection Officer. Their job is to make sure that everybody follows the rules and keeps your information private, so if you think that somebody has broken the rules, or if you have any other questions about the information we hold on you, then you can contact them as follows:
- Tel: 0131 465 5444
- Email: dpo@nhslothian.scot.nhs.uk
GP Data Protection Notice
Data Protection Notice
The following notice applies from 29th November 2024.
- About Ormiston Medical Practice
This practice is an independent contractor providing primary medical services by way of a contract with NHS Lothian, made under the National Health Service (Scotland) Act 1978 (the 1978 Act). It is one of the organisations which form part of NHS Scotland (NHSS).
- About the personal information we use
We use personal information on different groups of individuals including:
- Patients
- Staff
- Contractors
- Suppliers
- Complainants, enquirers
- Survey respondents
- Professional experts and consultants
- Individuals captured by CCTV
The personal information we use includes information that identifies you like your name, address, date of birth and postcode.
We also use more sensitive types of personal information, including information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data, health; sex life or sexual orientation.
The information we use can relate to personal and family details; education, training and employment details; financial details; lifestyle and social circumstances; goods and services; visual images; details held in the patient record; responses to surveys.
- Our purposes for using personal information
Under the 1978 Act Ormiston Medical Practice has the statutory responsibility to provide or arrange for the provision of a range of healthcare, health improvement and health protection services. We are given these tasks so that we can help to promote the improvement of the physical and mental health of the people of NHS Lothian and assist in operating a comprehensive and integrated national health service in Scotland.
We use personal information to enable us to provide healthcare services for patients (including reminding you of appointments), data matching under the national fraud initiative; research; supporting and managing our employees; maintaining our accounts and records and the use of CCTV systems for crime prevention.
- Our legal basis for using personal information
Ormiston Medical Practice, as data controller, is required to have a legal basis when using personal information. Ormiston Medical Practice considers that performance of our tasks and functions are in the public interest. So, when using personal information our legal basis is usually that its use is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us. In some situations, we may rely on a different legal basis; for example, when we are using personal information to pay a supplier, our legal basis is that its use is necessary for the purposes of our legitimate interests as a buyer of goods and services. Another example would be for compliance with a legal obligation to which Ormiston Medical Practice is subject to, for example under the Public Health etc (Scotland) Act 2008 we are required to notify Health Protection Scotland when someone contracts a specific disease.
When we are using more sensitive types of personal information, including health information, our legal basis is usually that the use is necessary:
- for the provision of health or social care or treatment or the management of health or social care systems and services; or
- for reasons of public interest in the area of public health; or
- for reasons of substantial public interest for aims that are proportionate and respect people’s rights; or
- for archiving purposes, scientific or historical research purposes or statistical purposes, subject to appropriate safeguards; or
- in order to protect the vital interests of an individual; or
- for the establishment, exercise, or defence of legal claims or in the case of a court order.
On rare occasions we may rely on your explicit consent as our legal basis for using your personal information. When we do this, we will explain what it means, and the rights that are available, to you. You should be aware that we will continue to ask for your consent for other things like taking part in a drug trial, or when you are having an operation.
- Who provides the personal information
When you do not provide information directly to us, we receive it from other individuals and organisations involved in the delivery of health and care services in Scotland. These include other NHS Boards and primary care contractors such as GPs, dentists, pharmacists and opticians, other public bodies e.g. Local Authorities and suppliers of goods and services.
Sharing personal information with others
Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:
- Our patients and their chosen representatives or carers
- Staff
- Current, past and potential employers
- Healthcare social and welfare organisations
- Suppliers, service providers, legal representatives
- Auditors and audit bodies
- Educators and examining bodies
- Research organisations
- People making an enquiry or complaint
- Financial organisations
- Professional bodies
- Trade Unions
- Business associates
- Police forces.
- Security organisations.
- Central and local government.
- Voluntary and charitable organisations.
We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for.
iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.
Transferring personal information abroad
It is sometimes necessary to transfer personal health information overseas for example if you require urgent medical treatment abroad. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with NHSScotland Information Security Policy.
Retention periods of the information we hold
Within Ormiston Medical Practice we keep personal information as set out in the Scottish Government Records Management Code of Practice for Health and Social Care. The Code of Practice sets out minimum retention periods for information, including personal information, held in different types of records including personal health records and administrative records. As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule as part of our Records Management policy detailing the minimum retention period for the information and procedures for the safe disposal of personal information.
How we protect personal information
We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure, and confidential. The following security measures are in place to protect personal information:
- All staff undertake mandatory training in Data Protection and IT Security
- Compliance with NHS Scotland Information Security Policy
- Organisational policy and procedures on the safe handling of personal information
- Access controls and audits of electronic systems
Your rights
This section contains a description of your data protection rights within Ormiston Medical Practice
The right to be informed
Ormiston Medical Practice must explain how we use your personal information. We use a number of ways to communicate how personal information is used, including:
- This Data Protection Notice
- Information leaflets
- Discussions with staff providing your care
The right of access
You have the right to access your own personal information.
This right includes making you aware of what information we hold along with the opportunity to satisfy you that we are using your information fairly and legally.
You have the right to obtain:
- Confirmation that your personal information is being held or used by us
- Access to your personal information
- Additional information about how we use your personal information
Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.
If you would like to access your personal information, you can do this by submitting a written request to the Practice Manager at the following address:
Ormiston Medical Practice
Tynemount Road
Ormiston
East Lothian
EH35 5AB
Telephone: 01875 610248
Email: clinical.s76211@nhs.scot
Please note, emails from your private email address may not be secure.
Once we have received your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However, if your request is complex we may take longer, by up to two months, to respond. If this is the case, we will tell you and explain the reason for the delay.
The right to rectification
If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected.
If it is agreed that your personal information is inaccurate or incomplete, we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended.
If for any reason we have shared your information with anyone else, perhaps during a referral to another service for example, we will notify them of the changes required so that we can ensure their records are accurate.
If on consideration of your request Ormiston Medical Practice does not consider the personal information to be inaccurate then we may add a comment to your record stating your concerns about the information. If this is case we will contact you within one month to explain our reasons for this.
If you are unhappy about how Ormiston Medical Practice has responded to your request for rectification we will provide you with information on how you can complain to the Information Commissioner’s Office, or how to take legal action.
The right to object
When Ormiston Medical Practice is processing your personal information for the purpose of the performance of a task carried out in the public interest or in the exercise of official authority you have the right to object to the processing and also seek that further processing of your personal information is restricted. Provided Ormiston Medical Practice can demonstrate compelling legitimate grounds for processing your personal information, for instance; patient safety or for evidence to support legal claims, your right will not be upheld.
Other rights
There are other rights under current Data Protection Law however these rights only apply in certain circumstances. For further information on these rights please visit ico.org.uk/for-the-public.
The right to complain
Ormiston Medical Practice employ a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information, please tell our Data Protection Officer using the contact details below.
Data Protection Officer
Information Governance
Woodlands House
74 Canaan Lane
Edinburgh
EH9 2TB
Phone – 0131 465 5444
Email: Loth.DPO@nhs.scot
Please note emails from your private email address may not be secure.
You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at www.ico.org.uk
Please note emails from your private email address may not be secure.
You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at https://ico.org.uk/your-data-matters/how-to-make-a-data-protection-complaint/
Our ICO registration number is Z1687077
- Translation Service/ Accessibility
If you require a translation service, please find details to enquire below.
Interpretation and Translation Service
NHS Lothian Staff Bank
Comely Bank Centre
13 Crewe Road South
Edinburgh,
EH4 2LD
Telephone: 0131 536 2020 option 5 option 5
Email: loth.staffbankits@nhs.scot
- DataLoch
For further information regarding NHS Lothian DataLoch Programme please go to https://dataloch.org/
- Invitation to take part in research
Research is essential for progress within the NHS. Ormiston Medical Practice may invite you to take part in a research study. Ormiston Medical Practice do this with the support of specialist NHS staff who identify eligible patients from their medical record.
No data is provided to researchers without specific consent from patients.
Patients have the right to opt out of being contacted about research studies. Please let the reception staff, practice manager or your GP know if you wish to opt out.
GP Patient Statement
DataLoch
NHS Lothian takes patient confidentiality extremely seriously and has a well-deserved reputation for robust governance processes. We would never act to compromise patient data.
Every day, medical research and innovation is carried out by researchers across the UK using data that has been recorded during a patient’s treatment and is processed to ensure their identities are not revealed. This practice, which analyses symptoms, treatments and outcomes has allowed great strides and advances to be made in developing lifesaving treatments in many specialties, including cardiac care and also COVID-19. Without this research, breakthrough treatments and vaccines would be impossible.
DataLoch’s purpose is to enable these data-driven health and social care innovations to improve the health and lives of the region’s population. These activities are entirely in the public interest. Patient data is not being sold to private organisations, nor is it leaving the control of the NHS.
Access to extracts of data are provided to NHS service managers and medical researchers, approved by the NHS Lothian’s Caldicott Guardian and under strict controls. The data has identifying information removed and sits in a secure IT environment.
Where is the data held by DataLoch? And how is it kept secure?
DataLoch currently holds data from NHS Lothian only. All personal health data remains securely within NHS Lothian, and identifiable data is not accessible to researchers.
DataLoch builds on the existing model set up as the Lothian Regional Safe Haven. In line with data protection legislation, DataLoch has a Data Protection Impact Assessment. This is being continually reviewed and updated as any changes are made to how DataLoch operates, and as additional data partners join.
There is a robust governance model in place. Any projects applying to work with DataLoch have a full review, including members of the public, to ensure strict criteria are met.
DataLoch have a Public Reference Group, open to new members, who help to guide and inform the team’s approach and processes.
What is the DataLoch project?
DataLoch is a collaboration between NHS Lothian and The University of Edinburgh. In future, Local Authorities and NHS health boards in South East Scotland will be invited to participate and that will help generate insights and innovation in health and social care.
DataLoch will
- bring together health and social care data for the region
- work with experts in health and social care to understand and improve this data
- provide safe access to de-identified data for academics, clinicians and innovators to help them solve the challenges that really matter.
Who can you contact if you have concerns, want further information, or wish to be involved further?
Data Concerns NHS Lothian DPO – Loth.DPO@nhslothian.scot.nhs.uk
Further information – DataLoch website
If you are interested to join the DataLoch Public Reference Group please contact dataloch@ed.ac.uk
August 2021
GP Support Letter
Why are your GP practices now unable to do everything they once were?
General Practice across the country has been struggling for years. However it has now reached a critical situation with less money, less doctors and less staff to meet the growing needs of the Scottish population. So how did we get here?
In 2017, the Scottish Government recognised this and promised to introduce a new contract, starting in 2018 and to be fully implemented within 3 years. At the time, the then Health Secretary Shona Robison MSP (now Deputy First Minister) said “We equally recognised the fundamental challenges faced by general practice, not least growing workload and increasing risk”.
Unfortunately, for the first time in the history of the NHS, large parts of this contract have not been implemented. Even worse, when Health Boards haven’t been able to spend the money that they were given to employ additional pharmacists and other professionals to support General Practice, the money has had to be returned to Scottish Government rather than being able to be spent supporting your local practice.
Scottish Government promised transitional payments to practices to recognise the non-delivery of this contract, but then withdrew that funding, even after some practices had already used the money for additional cover.
There have been many further challenges both local and national since then;
- Over half of the practices in Lothian have recently received huge bills for their facilities from NHS Lothian, over and above what they were already paying. This will amount to £1.6 million per year across the practices affected and, without any additional funding coming into practices, it’s likely this will lead to reduced staffing, with fewer appointments and longer waits to be seen.
- All practices in Lothian are impacted by Scottish Government not funding an increase in compulsory pension contributions. This is only occurring in General Practice in Scotland as English and Welsh Governments have already committed to paying this, and there is funding in place for all staff in hospitals. Again, this comes out of the funding available to practices to pay for administrative staff, nurses and doctors.
- Many people don’t know that the funding for practices comes through a national formula and doesn’t reflect how many times patients are seen. Practices are paid the same whether you are seen once or a hundred times per year. In 2017, the Scottish Government recognised that it wasn’t sufficient and promised to move towards a new funding model. This still hasn’t happened, and the funding uplifts have been substantially below inflation since then.
- The average patient used to contact their practice 3-4 times per year. This has increased to 6-7. The reasons for this are multiple and include more elderly, more people with illness (often multiple) and more treatment options. The large growth in waiting lists has also had a big impact, with GP appointments being taken up with ongoing management whilst awaiting definitive procedures.
- We all know how much energy costs have risen over the last couple of years and with insufficient funding to cover this, again this money comes out of the services practices can provide.
- Part of the funding which comes from government every year is earmarked for non-GP staff pay rises e.g. receptionists, nursing staff, practice managers. This has always matched what was given to staff working elsewhere in the NHS. But for the first time last year, the Scottish Government decided to break this link, meaning practices had to fund the shortfall or risk losing staff.
- The number of GPs in Scotland is falling. As part of the 2017 contract the Scottish Government promised that numbers would rise by 800, however when doctors in training are excluded from the figures, the numbers are actually reducing! Since 2013, the GP WTE (whole time equivalent) workforce has fallen by 5.35% – a fall of 196.7 WTE GPs. In that same time period, the number of practices has fallen by 9%, average list sizes have increased by 18% and the total patient population has increased by 7%. 42% of practices in Scotland report at least one GP vacancy. The number of GP partners has reduced by 14% between 2012 and 2022. In the last 20 years the ratio of GPs to hospital consultants has halved, despite many things which used to be done in hospital now commonly being done in practice, and this reflects the falling share of the NHS budget spent in General Practice.
- In many areas, practice buildings are too small and are outdated. Unfortunately, Scottish Government has now cancelled all funding for new builds, leaving many working out of buildings no longer fit for purpose. Scottish Government has also withdrawn sustainability loans, a scheme to reduce the risk for GPs who own their building. This leads to financial loss which again impacts on the services they can deliver.
- With less staff and more work, better IT would help improve efficiency. Our IT is cumbersome and unreliable which often impacts on the care of our patients, increasing inefficiency and damaging staff morale. We are the only country in Britain still using paper prescriptions – this alone costs a huge amount of clinical, administrative and patient time.
- In order to make systems better we need time to learn and develop. We used to receive ten half days per year to work with our teams on making practices better for everyone. The support for this was withdrawn by NHS24 and Scottish Government have done very little to reintroduce any form of reliable support.
Incredibly, despite all that we have just described, your practice remains absolutely committed to provide the best service that it can.
However, if you’re not satisfied with the service you receive, look beyond the practice and instead hold those with the power to improve matters to account. Scottish Government needs to do more to directly support General Practice, the bedrock of the NHS. Please contact your MSP. Their contact details can be found at Members of the Scottish Parliament (MSPs) | Scottish Parliament Website
Ormiston Medical Practice
May 2024
Rights and Responsibilities
Under the NHS, you have the right to the following:
- Be Registered with a Medical Practice
- Receive a range of treatments from a General Practitioner
- Have your treatment explained to you
- Have a relative or friend with you, and have access to an interpreter or signer
- Confidentiality
- Have access to emergency medical care
- Refuse to be treated in front of students or be involved in medical trials
- Receive treatment regardless of race, religion, gender, income, disability or medical condition
- Ask for a second opinion, and complain without discrimination
- Have access to your medical records under the Access to Medical Records Act (1990)
You also have responsibilities and can help yourself and our team by doing the following:
- Be on time for appointments – Please note that if you are 10 minutes late for your appointment you may be asked to reschedule this
- Cancel your appointment if you cannot keep it
- Switch off mobile phones whilst on Practice premises
- Follow the medical advice given by the healthcare professional
- Check that you have been given the correct prescription
- Take care with medicines
- Share responsibility for your health
- Tell us or any hospital that you are attending if you move home or change your telephone number
- Use emergency services responsibly
- Treat healthcare staff politely – abuse may result in you being asked to register elsewhere
- Suggest to us how we can improve our care and services