We will sometimes use a mailing company called DocMail to handle bulk mailings to patients. Typically this is for bulk mailings such as the invitations to attend the flu clinics where it is difficult to accommodate the administrative work involved without affecting our ability to serve patients.

This is permissible under guidance from both the Information Commissioner’s Office (ICO) and the Department of Health (DoH) subject to the provisions of the Data Protection Act

Please find below some more information about DocMail and how we work with them to ensure that we protect our patients’ personal data at all times.

1.1 What is Docmail?

DocMail is provided by CFH Total Document Management Ltd a secure print and mailing company which provides print and mailing services for Local Government, GPs, Dentists, Medical Practices, Schools, Exam Boards and Banks etc. throughout the UK.

The system can be found online at www.docmail.co.uk and requires a secure user name and password for us to log on and upload our letters and address lists to create the printed output for dispatch to Royal Mail. The system allows us to upload a letter template and mailing data for the patients we want to write to via a secure web portal.

1.2 The Data Protection Act (2018) (DPA)

Drayton Medical Practice and DocMail are both fully compliant with the Data Protection Act.

The Information Commissioners Office issued guidance in February 2012 for organisations that outsource some of its data processing to a third party. The Data Protection Act allows outsourcing to take place but stipulates certain conditions that must be met for it to be compliant.

An organisation that processes personal data is required to handle personal data in accordance with the data protection principles. A data controller may choose to use another organisation to process personal data on its behalf – a data processor.

The data controller remains responsible for ensuring its processing complies with the DPA, whether it processes in-house or engages a data processor.

Where a data processor is used the data controller must ensure that suitable security arrangements are in place in order to comply with the seventh data protection principle.

Further extracts from the guidance are reproduced here and the entire document is available on the ICO website.

Drayton Medical Practice has strictly adhered to this guidance in setting up the partnership with DocMail.

• Drayton Medical Practice remains the data controller and as such has the responsibility for ensuring compliance with the provisions of the Act. We are not able to pass on those responsibilities to DocMail whose role is that of a data processor.
• There is a written contract between Drayton Medical Practice and CFH – Total Document Management Ltd in addition to the standard terms of business that are published on the DocMail website.
• That contract stipulates that DocMail can only act in accordance with instructions from Drayton Medical Practice i.e. they can only print and mail letters in accordance with data provided by us. They are not able to do anything else with that data.
• The contract also creates a legal requirement for DocMail to act in accordance with the seventh principle of the Data Protection Act.
• The Partners of Drayton Medical Practice have satisfied themselves that DocMail have provided sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out.
• The partners have taken, and will continue to take, reasonable steps to ensure that DocMail are compliant with these security measures.
• No data will pass outside of the European Union

1.3 Data Security and Protection Toolkit

DocMail regularly completes the Data Security and Protection Toolkit, the latest results can be found on the DSP Toolkit Website.

1.4 Other Approvals

DocMail is also approved by the following:

• Government Procurement Service for Hybrid Mail – which allows all government organisations to use DocMail
• 67 Primary Care Trusts for Medical Studies have approved the use of DocMail. 500,000 medical studies packs were sent in 2011 across 200 surgeries
• Caldicott Guardian across a number areas have approved the use of DocMail when asked
• Ethics Committees have approved the use of DocMail by surgeries for use in medical studies

1.5 Accreditation’s & Security Policies

In addition to the credentials listed above, I have been supplied with DocMail’s Corporate Policies and certifications as detailed below..

• ISO 27001:2005 Information Security Management System Certificate
• CFH Site Security Policy
• CFH Information Technology Security Policy
• Information Security Policy

1.6 Process

The data file provided to DocMail will only contain enough data to enable them to fulfil the contract. This means that it will include name and address details and, where appropriate, the date and time of an appointment as well as the name of the clinician you will be seeing or the name of a clinic you will be attending eg Flu Clinic or NHS Health Check. We will of course exercise the same discretion in writing the letters as we would if we were printing and posting them at the surgery.

The letters will be delivered to your address by Royal Mail in the normal way. The letters will carry the DocMail logo and the return address on the reverse side. This address does not identify the letter as having come from a doctor’s surgery.

DocMail delete the personal data 28 days after the mailing.

If you have any questions or require further information about this please ask to speak to the Practice Manager.

DPA Seventh Principle

Schedule 1 of the Data Protection Act (2018) lists eight principles of data protection. The seventh principle is of particular importance where an organisation uses a third party to process data.

The seventh data protection principle provides that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Information Commissioner’s Office provides the following guidance to organisations seeking to use a third party to process data on its behalf.

Where a data controller chooses to use a data processor, paragraphs 11 & 12 of Schedule 2, DPA introduces additional obligations on the data controller as follows:

11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle

a. choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

b. take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless:

a. the processing is carried out under a contract:

i. which is made or evidenced in writing, and

ii. under which the data processor is to act only on instructions from the data controller, and

b. the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

Your practice takes privacy seriously and we want to provide you with information about your rights, who we share your information with and how we keep it secure.

Please use the links below to find more information about the practice and data protection.

• Our Data Protection Videos
• Your Information
• Children and Young People
• What We Do with Your Information
• What Else Do We Use Your Information For?
• Sharing When Required by Law
• Information Rights
• Case Finding and Profiling
• Information Technology
• Keeping Your Information Safe
• How Long Do We Keep Your Information?
• Our Use of Eclipse
• Norfolk Primary Care Networks
• Practice Processing Activities
• Practice Processors
• Privacy Notice for Secondary Use of Data

All GP Practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver GP services to patients at each practice.

To ask more regarding our GP earnings please contact the surgery stating your reason for the request.

We have completed our annual Infection Control Statement.  The statement is available to view or download below:

Annual Infection Control Statement

All patients registered with Drayton Medical Practice have a named GP.

What does ‘accountable’ mean?

The new contract requires the named accountable GP to be responsible for the co-ordination of all appropriate services required under the contract and ensure they are delivered to each patient where required. However, this does not mean that they will be the only GP or clinician who will provide care to that patient. These responsibilities will be carried out within the opening hours of the Practice and do not change the way you currently access care outside these hours.

This is largely a role of oversight, with the requirements being introduced to reassure patients that they have one GP within the practice who is responsible for ensuring that this work is carried out on their behalf.

Does the requirement mean 24-hour responsibility for patients?

No. The named GP will not:

• take on vicarious responsibility for the work of other doctors or health professionals.
• take on 24-hour responsibility for the patient, or have to change their working hours. The requirement does not imply personal availability for GPs throughout the working week.
• be the only GP or clinician who will provide care to that patient.

Will GP practices write to patients to inform them of their named GP?

No. However, practices are required to inform patients of their named GP at the next appropriate interaction.

Newly registered patients should be notified of their named accountable GP when the register.

If you have forgotten or  would like to know who your named GP is please ask one of our reception team when you are next in the surgery.

Can patients choose their own named GP?

Patients will be allocated a named GP on the based on who they historically were registered with. However, if a patient requests a different named GP, reasonable effort will be made to accommodate their preference.

Do patients have to see their named GP when they book an appointment?

No. Patients can, and should, feel free to choose to see any GP or nurse in the practice in line with current arrangements. If their preferred choice of GP or nurse is not available, an alternative will be offered. As all patients have an electronic medical record this ensures that all clinicians in the Practice have access to the most accurate and up to date information.

Download Non-NHS Fees information

If you would like to take part in research studies and COVID-19, please visit www.bepartofresearch.nihr.ac.uk.

Did you know that findings from research studies are used by your GP, nurse or other health professional to enable them to offer you the most appropriate care?

Anyone registered with this practice could help shape the future of health care by considering and helping with research projects that you may be invited to participate in.

You may be approached by a member of this practice to help participate in a research project. Please consider patient information about the research carefully. This information may be sent to you or given to you by your nurse or doctor or other health professional to consider.

This practice is part of a network of General Practices in the East of England who host medical research on a regular basis. The network is called Primary Care Research Network – East of England.

Participation in any research is voluntary. You may refuse to take part in research without it affecting your usual medical care. All network research has been approved by a research Ethics Committee and has Primary Care Trust approval. The network is one of the United Kingdom Research Networks and is supported by funding from the Department of Health.

Research and Information we hold about you

There are two ways in which your information may be used for research purposes:

1. We might write to you asking to participate in a research project – we are often approached to take part in “recruiting” studies where a research team wants us to recruit some patients for them. In these cases we generate and send the letters to you. The researchers only know about you once you have signed up and consented to be part of the project.
2. Your data might be used anonymously in a research project – this is typically when research teams are looking at trends of co-morbidities and prescriptions. At no point is any identifiable information released to the research team.

National Data Opt-out

If you wish to stop your confidential patient information being used for purposes beyond your individual care you can no longer request this via the practice.  You will to visit this website www.nhs.uk/your-nhs-data-matters where more information and the option to opt out will be given.

Purpose

Risk stratification is a process that we will use in the Practice to assist in identifying and caring for patients with long term health conditions and patients who are at high risk of emergency hospital admission. NHS England encourages us as GPs to use risk stratification tools as part of our involvement in local strategies for supporting patients with long-term conditions, such as chronic obstructive pulmonary disease (COPD) and diabetes, to help prevent hospital admissions that could have been avoided. As well as helping us in the Practice in providing direct care support for our patients, risk stratification is used by the CCG to support planning and commissioning, for example, understanding the numbers of patients in the region who require services to support COPD will enable us to manage periods of ill health and to improve the quality of the services we are able to offer you. The CCG will not have access to any information that identifies any individuals.

How we use your information in relation to risk stratification

Risk stratification tools use a mix of historic information about our patients such as age, gender, diagnoses and patterns of hospital attendance and admission as well as data other data collected in within the Practice. We will send details from your records to the Risk Stratification Supplier who will be working on our behalf. They will immediately convert the information into a format that does not identify you but it will have a key to enable it to be linked to other data and also to enable the Practice to re-identify the information when we need to do so in order to provide care for you.

NHS Digital also provides information to the Risk Stratification Supplier about hospital attendances. This will in a format which does not directly identify you but which can be linked to the data about you from our Practice.  Both sets of information are then liked in the risk stratification system.

The risk stratification system uses a formula to analyse the data to produce a risk score. These risk scores are available to us as a Practice where our authorised staff who are responsible for providing direct care for you are able to see these scores in a format that identifies you. This will help our clinical team make better decisions about your future care, for example we may invite you in for a review or if we think you may benefit from a referral to a new service we will discuss this with you. The CCG is provided with reports containing information which does not identify you, to ensure they are commissioning and planning for the right services as required by the population we serve.

Our risk stratification supplier

On behalf of our Practice, the CCG has entered into a contract with NHS Arden and Greater East Midlands Commissioning Support Unit (AGEM CSU) as our Risk Stratification Supplier. They are accredited by NHS England to conduct this service and provide the analysis for us.

AGEM CSU will be acting on behalf our Practice, as a data processor. We have entered into an Agreement with them to ensure that the risk stratification process will be conducted in accordance with Data Protection Regulations and in accordance with NHS England’s rules for risk stratification.  This has been done to keep your data secure at all times and to protect confidentiality.

What should I do if I have further questions about risk stratification?

Please ask the Practice staff if you can speak to someone in more detail.

What if I do not information about me to be included (opt out)

If you do not wish your data to be included in the risk stratification service (even though it is in a format which does not directly identify you) you can choose to opt-out. In this case, please inform the Receptionist who will apply an opt-out code to your record to ensure that your information is not included.

Additional information

Additional information about risk stratification is also available from the NHS England website: www.england.nhs.uk

Complaints

If you have a complaint or concern about the service you have received from the doctors or any of the personnel working in this practice, please let us know, by submitting our feedback form.  We operate a practice complaint procedure as part of an NHS complaints system, which meets national criteria.

How to complain

We hope that we can sort most problems out easily and quickly, often at the time they arise and with the person concerned. If you wish to make a formal complaint, please do so as soon as possible – ideally within a matter of a few days. This will enable us to establish what happened more easily. If doing that is not possible your complaint should be submitted within 12 months of the incident that caused the problem; or within 12 months of discovering that you have a problem. You should address your complaint in writing to the Practice Manager (a form is available should you wish to use one). They will make sure that we deal with your concerns promptly and in the correct way. You should be as specific and concise as possible.

Complaining on behalf of a third party

If you are not the patient, but are complaining on their behalf, you must have their permission to do so. An authority signed by the person concerned will be needed, unless they are incapable (because of illness or infirmity) of providing this.

A Third Party Consent Form is available online.

What we will do

We will acknowledge your complaint within 3 working days and aim to have fully investigated within 10 working days of the date it was received. If we expect it to take longer we will explain the reason for the delay and tell you when we expect to finish. When we look into your complaint, we will investigate the circumstances; make it possible for you to discuss the problem with those concerned; make sure you receive an apology if this is appropriate, and take steps to make sure any problem does not arise again.

You will receive a final letter setting out the result of any practice investigation.

Taking it further

If you remain dissatisfied with the outcome you may refer the matter to: NHS England’s Customer Contact Centre.

NHS England
PO Box 16738,
Redditch,
B97 9PT

Telephone: 0300 311 2233
Email: [email protected]

The Parliamentary and Health Service Ombudsman

If you remain dissatisfied after contacting NHS Norfolk you can address your concerns to:

The Parliamentary and Health Service Ombudsman
Millbank Tower,
Millbank,
London,
SW1P 4QP

Tel 0345 0154033
www.ombudsman.org.uk

Documents to Download

The following documents are available to download should you wish to make a complaint:

• Complaints Leaflet Info for Patients
• Patient Complaint Form

The summary care record will initially consist of basic information from the patient record such as your date of birth and address, details of allergies, current prescriptions and bad reactions to medicines. Then, each time a patient uses an NHS service, more information may be added to it.

In Norfolk the majority of patients already have a Summary Care Records created, and these can be accessed – with patient consent – by the NNUH / A&E dept, the Out of Hours Services, 111 and the Ambulance Service.

Adding more information to your Summary Care Record

For more information you can visit the Summary Care Record NHS page.

To enhance your summary care record just ask our reception team or fill in one of our online forms

Additional information can be added to your SCR by your GP practice and is a summary of information about your medical history. It can include the following:

• Your long term health conditions such as asthma, diabetes, heart problems or rare medical conditions.
• Your relevant medical history – clinical procedures that you have had, why you need a particular medicine, the care you are currently receiving and clinical advice to support your future care.
• Your healthcare needs and personal preferences – you may have particular communication needs, a long term condition that needs to be managed in a particular way, or you may have made legal decisions or have preferences about your care that you would like to be known.
• Immunisations – details of previous vaccinations, such as tetanus and routine childhood jabs.

Please note: specific sensitive information such as any fertility treatments, sexually transmitted infections, pregnancy terminations or gender reassignment will not be included, unless you specifically ask for any of these items to be included.

How will additional information help me?

Essential details about your healthcare can be very difficult to remember, particularly when you are unwell. Having additional information in your SCR means that when you need healthcare, you will be helped to recall this vital information.

There are already clear benefits for your care from having medication, allergy and adverse reaction information available through your SCR. If you choose to add additional information, this can further increase the quality of your care. Additional information can also empower you if you need some help to communicate your complex care needs.

For more information about the “Enhanced Summary Care Record” please see the hscic information leaflet.

Other forms and Information

If you wish to opt out of the Summary Care Record scheme please complete our online opt-out form.

If you wish to sign up to the Enhanced Summary Care Record please use our online Enhanced Summary Care Record opt-in form.

The practice fully supports the NHS Zero Tolerance Policy. The aim of this policy is to tackle the increasing problem of violence against staff working in the NHS and ensures that doctors and their staff have a right to care for others without fear of being attacked or abused.

We understand that ill patients do not always act in a reasonable manner and will take this into consideration when trying to deal with a misunderstanding or complaint. We ask you to treat your doctors and their staff courteously and act reasonably.

All incidents will be followed up and you will be sent a formal warning after a second incident or removed from the practice list after a third incident if your behaviour has been unreasonable.

However, aggressive behaviour, be it violent or verbal abusive, will not be tolerated and may result in you being removed from the Practice list and, in extreme cases, the Police will be contacted if an incident is taking place and the patient is posing a threat to staff or other patients.

Removal from the Practice List

A good patient-doctor relationship, based on mutual respect and trust, is the cornerstone of good patient care. The removal of patients from our list is an exceptional and rare event and is a last resort in an impaired patient-practice relationship. When trust has irretrievably broken down, it is in the patient’s interest, just as much as that of The Surgery, that they should find a new practice. An exception to this is on immediate removal on the grounds of violence e.g. when the Police are involved.

Removing other members of the household

In rare cases, however, because of the possible need to visit patients at home it may be necessary to terminate responsibility for other members of the family or the entire household. The prospect of visiting patients where a relative who is no longer a patient of the practice by virtue of their unacceptable behaviour resides, or being regularly confronted by the removed patient, may make it too difficult for the practice to continue to look after the whole family. This is particularly likely where the patient has been removed because of violence or threatening behaviour and keeping the other family members could put doctors or their staff at risk.