Practice Policies & Patient Information

The Victoria Medical Centre is a large medical practice in Eastbourne, East Sussex.

The practice was founded in August 2020 due to a merger between The Green Street Clinic, Enys Road Surgery and the Bolton Road Surgery in order to operate from new, larger, more spacious and more modern purpose-built premises, allowing it to be stronger, more resilient and better placed to attract new staff and to replace retiring doctors and nurses and offer better services.

Further information about us

Caldicott and Confidentiality Policy

1.1 Policy statement

This policy explains and enforces the obligations of Caldicott, confidentiality and non-disclosure among the employees of Victoria Medical Centre. This applies to information generated, held and processed by the organisation.

Furthermore, it outlines the principles that are to be adhered to by all staff at this organisation to understand the requirement for effective controls of personal confidential data (formerly patient identifiable information).

The Caldicott principles are derived from the Dame Fiona Caldicott Information Governance Review in 2013 which now forms the Caldicott Guardian guidance from the National Data Guardian (NDG). All staff are to fully understand the requirement to adhere to the Caldicott principles which are designed to safeguard and govern the use of patient information in all health and social care organisations.

The NHS Confidentiality Policy and the NHS Confidentiality Code of Practice state that all staff working in the NHS are bound by a legal duty of confidence to protect personal information they may encounter during their work.

This is not purely a requirement of their contractual responsibilities; it is also a requirement within the common law duty of confidence. Staff are to be reminded that information classed as objective knowledge relates to the affairs of the organisation. This may include information regarding:

Partners
Contractual arrangements
Employees
Dealings
Patients
Transactions
Contractors
Policies and procedures
Business associates
Decisions
Suppliers
Technology and systems
Market information
Any other organisational confidential matter

The reputation and continuing ability of the organisation to work effectively in the position of trust and responsibility it holds (which is also reflected in the trust and responsibility held by those persons engaged by the organisation to work on its behalf) rely on confidential information being held as confidential.

Further information on the wider spectrum of confidentiality and data management and their supporting policies can be found in the Confidentiality and Data Protection Handbook.

Legislation and national guidance documents relating to both confidentiality and Caldicott can be found at Annex A. Caldicott and confidentiality, Consent, GDPR – The Perfect Practice, Information Governance and Data Security, UK General Data Protection Regulation (UK GDPR) eLearning are available in the HUB.

1.2 Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies. This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time.

For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the practice such as agency workers, locums and contractors.

2 Caldicott

2.1 Caldicott principles

The Caldicott Principles are as detailed within the NDG document titled The Eight Caldicott Principles.

2.2 Caldicott Guardian role

A Caldicott Guardian’s role, as outlined within the Manual for Caldicott Guardians, is a senior person within a health or social care organisation who ensures that personal information about those who use its services is used legally, ethically and appropriately and that confidentiality is maintained.

The Caldicott Guardian’s main concern is information relating to individuals and their care. Additionally, this need for confidentiality also extends to other individuals and this includes relatives, staff and others.

Further information with regard to the role of the Caldicott Guardian and who organisations need to appoint and the expected competencies can be sought in the NDG document Guidance about the appointment of Caldicott Guardians, their role and responsibilities.

2.3 Caldicott Guardian and/or Information Governance Lead

Practices are required to have their own Caldicott Guardian, and this is usually a senior clinician. This role is usually also given an additional title of Information Governance (or IG) Lead. Should a non-clinical person be appointed as the Caldicott Guardian, they should be supported by an appropriate clinician.

Further guidance on Caldicott Guardianship can be found at this Gov.uk site, although the Manual for Caldicott Guardians should be the starting point for those who are newly appointed or as a reference point for existing Caldicott Guardians.

All staff are to be aware of who the Caldicott Guardian/Information Governance lead is. This information should be added to the Responsible persons list and made freely available.

2.4 Caldicott Guardian registration

The UKCGC states that all organisations that are required to have a Caldicott Guardian should ensure their up-to-date details are on the Caldicott Guardian Register.

The register is used by NHS to store and update Caldicott Guardians’ details and by the UK Caldicott Guardian Council to facilitate contact and the dissemination of information.

2.5 UK Caldicott Guardian Council (UKCGC)

The UK Caldicott Guardian Council (UKCGC) is the national body for Caldicott Guardians within the UK. The UKCGC provides support for Caldicott Guardians and others fulfilling the Caldicott function within the organisation. The UKCGC helps to uphold the eight Caldicott principles.

3 Confidentiality

3.1 Requirement

All employees must, from the date of the commencement of employment or other form of engagement, and thereafter, observe strict confidentiality in respect of any information held by the organisation and by each individual working on behalf of the organisation. This includes dealings, transactions, procedures, policies, decisions, systems and other matters of a confidential nature concerning the organisation and its affairs.

Other than in the proper course of their duties, employees must not, either during or at any time after the termination of their employment, exploit or disclose confidential information.

In addition, employees must not, through negligence, wilful misconduct, or inadvertence, allow the use, exploitation or disclosure of any confidential information relating to the affairs of the organisation, its patients, partners, employees, contractors, business partners or suppliers.

3.2 NHS Confidential Code of Practice

All staff are to adhere to the principles of confidentiality outlined in the NHS Confidentiality Code of Practice:

Person-identifiable or confidential information must be effectively protected against improper disclosure when it is received, stored, transmitted or disposed of
Access to person-identifiable or confidential information must be on a need-to-know basis
Disclosure of person-identifiable or confidential information must be limited to the purpose for which it is required
Recipients of disclosed information must respect that it is given to them in confidence
If the decision is taken to disclose information, that decision must be justified and documented
Any concerns about the disclosure of information must be discussed with a line manager
Patients are to be informed of the intended use of their information and this organisation will adhere to the detailed requirements shown at Annex A to the code

This organisation will ensure that the requirements within the above Code of Practice are strictly followed, and that staff will immediately report any breaches of confidence or potential risks to the Caldicott Guardian or IG Lead.

3.3 Non-disclosure of information

All employees must, from the beginning of their employment with the organisation and after the termination of their employment with the organisation, observe strict confidentiality and non-disclosure in respect of any information held by the organisation, except when required or authorised to disclose such information by the organisation or by law.

It is an obligation upon all employees during employment, or engaged under other contractual arrangements, to maintain information in confidence and not, directly or indirectly, disclose it other than for the purposes it was gathered. Any such information in the possession of an individual, either in electronic format or hard copy, shall be returned to the organisation before or at the point in time that employment ceases, however such cessation occurs.

Following the cessation of employment, or other contractual engagement with the organisation, an individual must not, directly or indirectly, use for gain, discuss or pass on to others confidential information that can be classed as objective knowledge in that it has been gained during the course of their employment.

This includes information relating to that as previously listed at Section 1.1.

NOTES:

While information must not be improperly disclosed and must be used only for the purpose for which it was gathered, nothing prevents an employee or other individual making a protected disclosure under the Public Interest Disclosure Act 1998 in respect of any malpractice or unlawful conduct.
At this organisation, share personal information relating to staff is managed and stored and the same standards are applied to their information as are applied to the confidentiality of patient information.

3.4 Breach of confidential information

Any breach of confidentiality, particularly involving data, could have major negative consequences for this organisation and the individual. The organisation will therefore take the appropriate disciplinary action against any employee who commits a breach of confidentiality by reporting it to the organisation’s Data Protection Officer (DPO).

If it is a serious breach, the DPO will be bound to recommend that it is reported to the Information Commissioner’s Office (ICO) who may, in turn, institute criminal proceedings against the individual and, if found to be negligent, the organisation itself. The individual, if found guilty, will be required to pay a fine and acquire a criminal record and the organisation may be heavily fined if found guilty.

There must be no attempt to use any confidential information in a manner that may either directly or indirectly cause, or be calculated to cause, injury or loss to the organisation. Further reading can be sought from the Information Governance Breach Reporting Policy.

3.5 Third-party requests for information

Any employee approached by a third party, including any media source, and asked to make comments or provide information relating to the organisation and its affairs (or the affairs of its patients, partners, employees, contractors or any business associate) must not, under any circumstances, respond without having sought permission and guidance from the Practice Manager. The Practice Manager will then discuss the request with the partners and consider asking for assistance from the press information/media officer at the ICB.

3.6 Whistleblowing or protected disclosures

In respect of any malpractice or unlawful conduct, any employee is entitled to submit a protected disclosure under the Freedom to Speak Up Policy and Procedure (or Whistleblowing Policy). This states that protected disclosures can be made to a Partner, Practice Manager or the nominated Freedom to Speak up Guardian (FSUG).

Legislation in the UK was enacted by the Public Interest Disclosure Act 1998 to enable employees and other persons such as agency temporary workers to disclose genuine concerns, especially those that seem to involve unlawful conduct or malpractice. This also protects them from any form of victimisation arising from making such a disclosure.

Further guidance can be sought from the NHS E document Freedom to Speak Up.

3.7 Disclosing information

The GMC offers guidance in the document titled Disclosing patients’ personal information: a framework. Supporting information can also be found in Consent Guidance and the Infection Prevention Control (IPC) Handbook where Annex L provides a list of notifiable diseases that are required to be disclosed.

3.8 Protected information under the Gender Recognition Act

Section 22 of the Gender Recognition Act 2004 states that it is an offence for a person who has acquired protected information in an official capacity to disclose the information to any other person.

This is classified as protected information and is defined in Section 22(2) as information relating to a person who has applied for a Gender Recognition Certificate (GRC) under the Act, and which concerns that application (or a subsequent application by them), or their gender prior to being granted a full GRC.

While Section 22 is a privacy measure that prevents officials from disclosing that a person has a trans history, there are exemptions for medical professionals as detailed within Statutory Instrument 2005 No.635 (Section 5) provided all of the following circumstances apply:

The disclosure is made to a health professional

The disclosure is made for medical purposes; and
The person making the disclosure reasonably believes that the subject has given consent to the disclosure or cannot give such consent

3.9 Trans status

Patients should never be asked to produce a GRC to ‘prove’ their trans status. The GRC is not a requirement, and many trans people simply choose not to have one while others may not yet meet the eligibility criteria.

As a precautionary measure, it is good practice to apply the Section 5 criteria set out in Section 3.8 to all disclosures of information about the trans status of a patient. The reason being is that it may not be accurately known whether the person has a GRC or not.

Additionally, the general protocols on medical confidentiality and information governance apply to all patients whether they have a GRC or not.

NOTE:

Pride in Practice has advised that good information governance around this subject is essential because unlawful and unwarranted disclosures of a person’s trans status leave organisations open to legal proceedings and, in doing so, can have serious and unforeseen consequences in ‘outing’ trans people.

3.10 Confidentiality and non-disclosure agreement

All persons engaged to work for and on behalf of the organisation will be required to sign the confidentiality and non-disclosure agreement to be found at Annex B. A signed copy will be held on the individual’s personnel file.

Visitors to the organisation will also be expected to sign a confidentiality agreement and this document also incorporates fire safety and risk awareness for visitors. The Third-party confidentiality agreement incorporating fire safety and risk awareness for visitors can be used.

3.11 National data opt-out

The national data opt-out or (NDO-O) is a service that allows patients to opt out of their confidential patient information being used for research and planning.

NDO-O was introduced in England along with the Data Protection Act 2018 and GDPR on 25 May 2018. This followed recommendations from the NDG that patients should be able to opt-out of their personal confidential data being used for purposes other than their direct medical care.

Further reading to support the Data Security and Protection Toolkit (DSPT) can be sought from NHS E National data opt-out guidance.

3.12 Abuse of privilege

The NHS Confidentiality Policy states the following:

It is strictly forbidden for employees to knowingly browse, search for or look at any personal or confidential information relating to themselves, their own family, friends or other persons without a legitimate purpose. Action of this kind will be viewed as a breach of confidentiality and of the Data Protection Act 2018.
When dealing with person-identifiable or confidential information of any nature, staff must be aware of their personal responsibility and contractual obligations and must undertake to abide by the policies and procedures of NHS England.

3.13 Confidentiality awareness and informing

To ensure that any user of our services, our staff and potential employees are aware of the confidentiality obligations within this organisation, privacy notices are available.

The practice privacy notice explains to patients the ways in which the organisation gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.

Other privacy notices are provided for the following:

Children
Employee
Candidates applying for work

4 Compliance

4.1 Good practice

To support the NHS Code of Practice, the following actions will be undertaken to ensure that confidentiality is maintained:

Person-identifiable information will be anonymised so far as is reasonably practicable, while being mindful of not compromising the data
Access to consulting rooms, administrative areas and record storage areas will be restricted
All staff should always maintain a clear desk routine. No patient confidential information is to be left unattended in any unsecured area, at any time
All IT equipment is to be shut down at the end of the working day except any that is required to remain left on such as server equipment
Smartcards are to be removed from the computer whenever the user leaves their workstation. The Smartcard Policy details the need for, and terms and conditions of, use of the NHS Smartcard
Confidential waste is shredded or disposed of appropriately and as per the Confidential Waste Policy
Staff will not talk about patients or discuss confidential information in areas where they may be overheard

The Communication Policy provides advice on disclosing information electronically or via telephone to a patient, proxy or third party

4.2 Data Security and Protection Toolkit (DSPT)

There is a requirement to undertake an annual DSPT assessment to demonstrate that the organisation can be trusted to maintain the confidentiality and security of personal information.

To demonstrate compliance, this organisation is required to submit the assessment by 30 June annually.

Further information can be found on the NHS E Data Security and Protection Toolkit webpage and the DSPT staff awareness questions for the current year’s standards to ensure the practice achieves a successful outcome for the assessment.

Further information is available within the DSPT Handbook and UK GDPR Policy.

4.3 Audit

Regular audits must be undertaken to ensure compliance. This will ensure that access to confidential information is gained only by those who are required to access it in the course of their normal duties.

At this organisation, all staff at have a responsibility to participate in such audits and to comply with the subsequent recommendations.

Audit guidance and relevant templates can be found at Annex C and Annex D. Audits can be logged and managed within Audits Manager which is a tool within The Compliance Package in the HUB.

4.4 Additional compliance tools

In addition to audit, there are further tools that can be used to support such as:

All members of the organisation will undergo annual confidentiality training
A confidentiality quiz detailing different scenarios is available at Annex E.
A poster is available here

Annex A – Legislation and guidance

The following legislation and guidance documents support both Caldicott and confidentiality:

* EU GDPR as incorporated in English law by the EU (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “UK GDPR”)

Annex B – Confidentiality and non-disclosure agreement

[To be signed by all individuals employed or otherwise engaged by the organisation] I [insert person’s name] confirm that I have read and understand the Caldicott and Confidentiality Policy and agree to abide by it.

I understand that any breach of this agreement could result in sensitive and confidential data being disclosed to the public or other interested parties and may result in my summary dismissal under the organisation’s disciplinary procedure.

Furthermore, any such conduct on my part which results in an unauthorised disclosure of confidential personal data may render me liable to being reported to the Information Commissioner’s Office (ICO). The ICO may, in turn, institute criminal proceedings against me and, if I am found guilty by a court of law, I could be fined, and this may also result in a criminal record.

Signed
Name (Printed)
Position
Date

Annex C – Audit guidance

Introduction

The purpose of a confidentiality audit is to identify if:

Any confidentiality issues exist and, if so, to detail what they are
Systems are at risk through deliberate misuse
Existing controls are adequate and provide the necessary safeguards

The audit will also review:

Local controls and processes regarding the access to, and use of, electronic data
Local controls and processes regarding the access to, and use of, manual records
Staff knowledge and awareness of their responsibilities and extant legislation regarding confidentiality

The organisation will ensure that there are appropriate confidentiality procedures in place to monitor access to personal confidential data.

Frequency

Confidentiality audits are to be undertaken through spot checks and questionnaires on a quarterly basis, and reports produced and retained for assurance purposes.

The table overleaf explains the criteria, assurances and evidence required for confidentiality audits.

It can be used to assist with ensuring that the organisation and its staff are compliant in data security and protection. It is a useful tool when carrying out an audit of confidentiality as per the Data Security and Protection Toolkit.

Report template

Annex D gives an example of a confidentiality report template.

Level	Criterion for Confidentiality Audit	Assurance Required	Source of Assurance or Evidence
1	There are documented confidentiality audit procedures in place that include the assignment of responsibility for monitoring and auditing access to confidential personal information. The procedures have been approved by senior management or committee and have been made available throughout the organisation.	Auditors require assurance that: – There are documented confidentiality audit procedures in place which include the assignment of responsibility for monitoring and auditing access to confidential personal information – The procedures have been approved by senior management or committee and have been made available throughout the organisation	– Policy on confidential patient information – Standard procedures for monitoring and auditing access to patient information – Management approval of procedures (e.g., meeting minutes or other papers recording approval) – Documented assignment of responsibilities to job roles – Corresponding job descriptions – Publication of procedures throughout the organisation
2	All staff members with the potential to access confidential personal information have been made aware of the procedures. The procedures have been implemented and appropriate action is taken where confidentiality processes have been breached.	Auditors require assurance that: – The training provided for staff who are conducting audits and investigating alerts is comprehensive, clear and unambiguous about the action to be taken – The written procedures for confidentiality audit and monitoring are implemented in the organisation – Appropriate disciplinary and remedial actions are taken where confidentiality processes have been breached – All staff members with the potential to access confidential patient information are aware of the audit procedures; and The audit procedures are widely accessible	As above, plus: – Training records for staff carrying out audits and investigations – Descriptions of training provided – Corporate security and human resources procedures – Incident log of confidentiality alerts – Reports of the subsequent disciplinary actions taken – Minutes detailing committee reviewing confidentiality issues and performance – Availability of organisation’s confidentiality, security and employment procedures to relevant staff – Methods used to make relevant current staff aware of the confidentiality audit procedures and disciplinary sanctions. This might take many forms, such as awareness sessions, as part of mandatory training, team discussions or distributions to staff – For relevant new joiners, evidence of induction training on confidentiality requirements and audit
3	Access to confidential personal information is regularly reviewed. Where necessary, measures are put in place to reduce or eliminate frequently encountered confidentiality incidents or events.	Auditors require assurance that: – The procedures for confidentiality audits and monitoring are regularly reviewed for scope and depth – Identified vulnerabilities are recorded, solutions are identified, and problems resolved; and – Staff effectiveness in relation to confidentiality audits and monitoring is maintained, e.g., by appropriate ongoing training	As above, plus: – Reports from reviewing the audit and monitoring process – Security incidents and events relating to confidentiality – Risk register including identified confidentiality vulnerabilities – Reports of procedural and/or security changes, resulting from alerts or identified risks – Updated procedures and policy from lessons learned

Section	Details	Additional Details
[Insert organisation name]	Date of audit:	Audit reference no: [01/24]
Page [1] of [2]	Summary of audit:	Name of auditor(s):
Date audit conducted:	Date audit closed:
[Insert organisation name]	Date of audit:	Audit reference no: [01/24]
Page [2] of [2]	Summary of observations:	Observation reference:
Description of observation:	Summary of agreed actions:	Reference: Action required: By whom and date:
Agreed follow-up/review:	Name and signature of auditor(s): Date closed:	Additional comments:
Name and signature of auditor(s):	Final closure date:

Annex E – Confidentiality quiz

Scenario 1:

A male patient finishes his consultation with the ANP and, as he is leaving, he asks the
reception team if it is OK for him to pick up his 16-year-old daughter’s prescription.

How do you respond?

Could there be any medication that the daughter may not want her father to see? You are not permitted to let the patient collect his daughter’s prescription without her explicit consent. You have a duty to protect confidential information. There may be contraception medication that the daughter does not want her father to know about.

Scenario 2:

A 15-year-old girl has attended a GP appointment for a review of her asthma. During the consultation she asks the GP for advice about oral contraception and, when questioned about sexual activity, she advises that she is sexually active but has not told her Mum or Dad.

Can the GP breach her confidence and, if so, why?

Yes, on child protection/safeguarding grounds. However, if the GP deems the patient has shown maturity and fully understands the consequences of her request and subsequent actions, her confidence should be upheld.

Scenario 3:

You work in a rural practice, and it is a very close-knit community with everyone helping one another. You notice your neighbour in the waiting room and after his appointment he appears upset and leaves without saying anything.

Can you check his clinical record to see if there is anything you can do to help?

No, as you have no legitimate purpose for doing so. If you were to search their record this would constitute a breach of confidentiality and a breach of the Data Protection Act 2018.

Scenario 4:

You have arranged for a patient to collect a printed copy of their medical notes for an insurance matter. You are off to lunch in five minutes and decide to leave the notes (not in an envelope) on the reception desk.

Is this appropriate?

No, you are failing to protect against improper disclosure and this goes against the NHS Code of Practice 2003. Leaving the notes in such a position means they would be visible to other staff members and patients. You must never leave patient confidential information in an unsecured area at any time.

Scenario 5:

A male patient aged 14 attends the practice and asks for a copy of his medical records.

How do you respond?

Patients under the age of 16 are entitled to see or be given a copy of their records if they have the competence to understand the nature of the request. However, they need to be deemed Gillick competent and, as such, need to be assessed by a healthcare professional before being given a copy of their notes.

Scenario 6:

You are handing over to your colleague at reception who is covering your lunch break. You tell them that earlier in the morning you were advised that a patient who had been with the practice for 55 years had passed away. You wanted to let them know as you knew they had known the patient for a long time.

Is it OK to do so?

Staff do need to know of deceased patients as this prevents unnecessary phone calls being made or letters being sent thereby causing further upset to the family of the deceased. However, staff must not talk about patients or confidential information in areas where they may be overheard.

Scenario 7:

You answer the phone, and the caller asks for the results of their latest cholesterol test.

What do you need to do?

You should ask the patient to confirm their name, address and date of birth. You can also ask them when they had the test done. Additionally, you could ask further questions to confirm the ID of the caller such as when they were last in the practice before their blood test appointment.
This helps you to ascertain whether it is the patient calling or if it is someone else. If there is any doubt, tell the caller you will ring them back.

Scenario 8:

Your practice is holding a group consultation for diabetic patients, and this is the first group consultation at your practice. The ANP calls from the meeting room upstairs and asks you to send the six patients who are waiting.

How do you do this?

All six patients would have consented to attend a group consultation but there will be other patients in the waiting room, and you need to protect the confidentiality of the patients. So, rather than saying ‘those who are here for the diabetic clinic, please proceed to the meeting room’, you could say, ‘all patients here for the group consultation, please proceed to the meeting room’.

You have called no names out nor disclosed what the group consultation is about and have therefore maintained confidentiality so far as is reasonably practicable.

Scenario 9:

You take a call from patient who wants to confirm their appointment with the visiting mental health nurse, but it is a bad line.

What do you do?

Option A: Try to confirm the patient’s details including name, date of birth, address and who their appointment is with by repeating this information to the patient.

Option B: Advise the patient that they need to call back as you are unable to hear them.

Option B – If you were to repeat everything, all the patients in the waiting area may hear you and they would know the patient’s personal details and that they had mental health issues.

Scenario 10

The father of an eight-year-old patient pops into the practice and asks for a copy of the child’s vaccination record as they are going travelling for a month in the summer. You know the parents are divorced and the child lives with Mum.

Can you give Dad a copy of the vaccination record?

Parents do not lose parental responsibility if they divorce or separate and you should allow both parents reasonable access to their children’s health records. The practice does not have to seek consent from the other parent, nor tell the other parent that they have received the request.

NB – Parental responsibility can be restricted by the courts.

Complaint procedure

If you have a complaint or concern about the service you have received from the doctors or any of the personnel working in this practice, please let us know. We operate a practice complaint procedure as part of an NHS complaints system, which meets or exceeds national criteria.

How to Complain

We hope that we can resolve most problems easily and quickly, often at the time they arise and with the person concerned. If you wish to make a formal complaint, please do so as soon as possible – ideally within a matter of a few days. This will enable us to establish what happened more easily. If doing that is not possible your complaint should be submitted within 12 months of the incident that caused the problem; or within 12 months of discovering that you have a problem.

You should address your complaint in writing to the Director for Compliance (sxicb-esx.vmccomplaints@nhs.net). They will make sure that we deal with your concerns promptly and in the correct way. You should be as specific and concise as possible.

Complaining on Behalf of Someone Else

We keep strictly to the rules of medical confidentiality (a separate leaflet giving more detail on confidentiality is available on request). If you are not the patient but are complaining on their behalf, you must have their permission to do so. An authority signed by the person concerned will be needed unless they are incapable (because of illness or infirmity) of providing this.

What We Will Do

We will acknowledge your complaint within 3 working days and aim to have fully investigated within 25 working days of the date it was received. If we expect it to take longer we will explain the reason for the delay and tell you when we expect to finish. When we look into your complaint, we will investigate the circumstances; make it possible for you to discuss the problem with those concerned; make sure you receive an apology if this is appropriate, and take steps to make sure any problem does not arise again.

You will receive a final letter setting out the result of any practice investigations.

Taking it Further

If you remain dissatisfied with the outcome you may refer the matter to NHS England, who commission local health services, or if you are still not satisfied with their response, the next step would be to contact the Parliamentary and Health Service Ombudsman (PHSO) to review how the complaint has been handled.

Complaints to NHS England

If a complainant has concerns relating to a directly commissioned service by NHS England, then the first step is, where appropriate, for complaints and concerns to be resolved on the spot with their local service provider. This is called by NHS England ‘informal complaint resolution’ and is in line with the recommendations of the Complaints Regulations of 2009.

If it is not appropriate to raise a concern informally or where informal resolution fails to achieve a satisfactory outcome, the complainant has the right to raise a formal complaint with either the service provider or the commissioner of the service NHS England.

A complaint or concern can be received by mail, electronically or by telephone using these details;
By telephone: 03003 11 22 33
By email: england.contactus@nhs.net
By post:
NHS England,
PO Box 16738,
Redditch, B97 9PT

The Parliamentary and Health Service Ombudsman:
Millbank Tower,
Millbank,
London,
SW1P 4QP
Tel: 0345 0154033

If you are not happy with the Ombudsman’s decision, then you can appeal directly to the PHSO.

Once the Ombudsman or one of their senior staff has considered the complaint and sent a response, their decision is final. Unless you raise any new issues that they consider significant to the complaint, they will not send further replies (but will still acknowledge further correspondence).

Data Protection Privacy Notice for Patients

We at Victoria Medical Centre understand the importance of keeping your personal information safe and secure. This Privacy Notice explain how we use any personal information we may collect about you. If you have any questions or concerns about it, please do contact us.

Who should I contact?

If you have any concerns about anything to do with your personal data, please contact us by writing to the Data Protection Office (DPO) at Victoria Medical Centre.

What information do we collect?

We collect information such as: personal details (name, address, contact details, date of birth, etc.); details regarding your medical history and in respect of your visits to us; correspondence, test results and notes from other health professionals; plus any other relevant information to enable us to deliver effective medical care.

What is the legal basis for collecting and using your information?

The law states we must have a legal basis for obtaining and using your personal information. We rely on the following legal bases

Contract: our contract with NHS England is to provide medical care to all of our patients, which includes you.
Consent: we may also obtain your consent to use your personal information on occasions. Remember that you have the right to withdraw your consent at any time.
Protecting your vital interests: there may be times when you are not able to provide consent, and so we may need to use your personal information to provide medical care where necessary.
Legal obligations: in certain limited situations, we are under a legal duty to disclose your personal information to other organisations.

The law also states that personal information about your health is so sensitive that it falls into a special category. In addition to the legal bases given above, we also rely on the following:

Public interest: we may need to use your personal information for the public interest, such as when there is an outbreak of a serious disease and steps need to be taken to stop it spreading
Defending a claim: we may need to use your personal information to defend a legal claim made by you or a third party

What do we do with the collected personal information?

Chiefly, it is used to provide your medical care. However, your information may be disclosed to partner organisations to help us:

Monitor and nurture the health of the general public
Reviewing the care we provide to ensure it is of the highest standard
Ensure the services we provide can meet patient needs in the future
Prepare statistics on NHS performance
Conduct health research and development
NHS accounts services and audits
Teaching and onward training of healthcare professionals
Pay your GP, dentist and hospital for the care they provide
Investigate complaints, legal claims or other incidents

Some of this information will be held centrally, but where it is used for statistical purposes, stringent measures are taken to ensure that individual patients cannot be identified.

Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units, drug companies and research institutions. This surgery is supporting vital and health care planning by sharing your data with NHS Digital.

Pseudonymisation of data may be undertaken by a third party – Legal Basis Article 9 2 (h) Health related uses.

Where it is not possible to use anonymised information, personally identifiable information may be used for essential NHS purposes. This will only be done with your consent, unless the law requires information to be passed on in any event. You will be specifically asked for consent if there is a proposal to use your records for education or research projects.

We will not disclose your information to third parties without your permission unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires information to be passed on.

Anyone who receives information from us is also under a legal duty to keep it confidential. We are required by law to report certain information to the appropriate authorities. Examples of when we must pass information on include notification of births and deaths; where we encounter infectious diseases, which may endanger the safety of others; and where a court order has been made.

Who are the partner organisations?

You may be receiving care from other people as well as the NHS. We may need to share some information about you to others involved in your care when it is in your best interests to do so.

The principal organisations are:

NHS England
NHS Trusts, including Primary Care Trusts and Hospitals
GPs
Dentists
Ambulance Service
Social Services
Education Services
Strategic Health Authorities.

Your information may also be shared with local authorities, prison liaison, voluntary sector providers and private sector providers. This sharing would be subject to strict agreements called information sharing protocols.

Do I have a choice?

Yes, of course. If you do not want your data to be used in this way, then you can opt out. If you do opt out, then we will still use your personal information to provide your individual medical care. To find out more about the use of your personal information or to register your decision to opt out of data sharing, you need to go to https://www.nhs.uk/your-nhs-data-matters/. You can change your decision at any time.

For how long do we keep your information?

We will only keep your information for as long as necessary for the purposes set out in this Privacy Notice. In any event, and in accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.

Do I have rights to access my personal information?

You have a right to see the information we hold that relates to you, and to request a copy. Please request a Subject Access request in writing and we will reply with what we will do and how this will be processed. In most cases you are entitled to receive this information free of charge, but there may be charges applied in certain limited circumstances.

You have the right to have the personal information we hold about you corrected, removed (subject to certain limitations), or transferred to another person or organisation. Again, please contact us in writing if you would like to do any of these things.

There may be references to third parties in your records. The law states that we must remove any such references that would allow that third party to be identified before we release copies. of your information. Third parties could include spouses/partners (both current and former); children; other family members; and unrelated individuals.

What do I do if I need to complain?

If you have any concerns or questions about the use of your personal information, in the first instance we would ask you to notify us in writing so it can be investigated. If you are still not satisfied with what has happened, you have a right to complain to the Information Commissioners Office. Full details of how to contact them can be found at www.ico.org.uk.

Update 2021

The Sussex Shared Care Record is being developed to provide the ability to enable appropriate and effective sharing of information for direct care purposes, through the integration of current health and care record systems, to facilitate improved outcomes for patient and service users.

Access to shared information is for the purposes of direct care by those who have a legitimate relationship with the patient or service user.

Personal information is shared with other secondary care trusts and providers in order to provide you with direct care services. This could be hospitals or community providers for a range of services, including treatment, operations, physiotherapy, community nursing, ambulance service.

In some cases patients may be required to consent to having their record opened by the third party provider before patients information is accessed. Where there is an overriding need to access the GP record in order to provide patients with life-saving care, their consent will not be required.

GP Earnings

NHS England require that the net earnings of doctors engaged in the practice is publicised, and that the required disclosure is shown below. It should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used to form any judgement about GP earnings, nor to make any comparison with any other practice.

All GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice.

The average pay for GPs working in Victoria Medical Centre in the last financial year was £67,360 before tax and National Insurance. This is for 5 full time GP, 8 part time GPs, 0 salaried GPs and 1 locum who worked at the practice for more than 6 months.

IPC Annual Statement Report

Purpose

This annual statement will be generated each year in May in accordance with the requirements of the Health and Social Care Act 2008 Code of Practice on the prevention and control of infections and related guidance. The report will be published on the organisation’s website and will include the following summary:

Any infection transmission incidents and any action taken (these will have been reported in accordance with our significant event procedure)
Details of any infection control audits carried out and actions undertaken
Details of any risk assessments undertaken for the prevention and control of infection
Details of staff training
Any review and update of policies, procedures and guidelines

Infection Prevention and Control (IPC) lead

The lead for infection prevention and control at Victoria Medical Centre is Nathalie Allen – Practice Nurse and Kara Brown (Support) – Health Care Assistant

The IPC lead is supported by Kathleen Jewell (PM) and Rachel Gaffney (Deputy PM)

a. Infection transmission incidents (significant events)

Significant events involve examples of good practice as well as challenging events.

Positive events are discussed at meetings to allow all staff to be appraised in areas of best practice.

Negative events are managed by the staff member who either identified or was advised of any potential shortcoming. This person will complete a Significant Event Analysis (SEA) form which commences an investigation process to establish what can be learnt and to indicate changes that might lead to future improvements.

All significant events are reviewed and discussed at several meetings each month. Any learning points are cascaded to all relevant staff where an action plan, including audits or policy review, may follow.

In the past year, there have been 2 significant events raised which related to infection control. There have also been 1 complaint made regarding cleanliness or infection control.

b. Infection prevention audit and actions

The Practice conducts monthly hand hygiene spot checks on all staff employed by the Practice and audit outcomes are fedback to senior managers and actions taken to improve compliancy. The last audit conducted showed staff are compliant with washing hands and the importance of doing so however there will be campaigns run throughout the year for staff to be further educated on the spread of bacteria and the role in which they play.
Deep cleans are conducted for both sites annually in December by Nationwide Cleaning Company. The admin office and staff kitchen at Victoria Medical Centre had multiple stains from spilt liquids, the flooring will be deep cleaned with a specialist machine.
Swab samples are taken 3 monthly on services, doors, handles, couches etc. at both sites to test for bacteria. This audit will continue throughout the year and actions taken for any failed swabs.
Cleaning audits are conducted monthly by Nationwide Cleaning Company and fedback to management. Some audits were not seen on the day of the audit however Deputy Practice Manager will be liaising with Nationwide to receive all reports and action outcomes.
Clinical Curtains are changed every 6 months in all clinical rooms.
Facilities such as flooring is monitored regularly to ensure no damage to sterile areas of the buildings
Hazardous Waste audits are conducted annually for both sites via Anenta
All staff are vaccinated according to their requirements within their roles
The Practice Manages outbreaks of infections and has designated contained rooms for hazardous patients
The Practice IPC team regularly liaise with the Sussex ICB IPC team and attend regular training days
PPE (Personal Protective Equipment) is readily available for all staff
Hand sanitising stations located throughout the Practice
Staff are trained on safe handling of sharps and correct disposal
All staff are trained and reminded on the importance of reporting significant events and learning events, they are stored and recorded on Practice Index and reported on monthly at a senior management internal CQC Compliancy meeting.

The Victoria Medical Practice plan to undertake the following audits in 2024/25

Annual Infection Prevention and Control audit
Cleaning audit
Hand hygiene audit
Monthly cleaning standards audit – to be conducted by the cleaning contractor
Monthly Waste audit
Monthly Sharps bin audit
Weekly Cleaning Spot Checks

ICB IPC Contact list

Organization	Team	Email	Telephone	Out of Hours Urgent Enquiries
East Sussex Healthcare NHS Trust	IPC Team	DIS-InfectionControlTeam@nhs.net
NHS Sussex IPC Team		Sxicb.infectionprevention@nhs.net
East Sussex County Council Health	Protection Team	Health.Protection@eastsussex.gov.uk
UKHSA Surrey and Sussex HPT (South East)		SE.AcuteResponse@ukhsa.gov.uk PII Email – phe.sshpu@nhs.net	0344 225 3861	0844 967 0069

c. Risk assessments

Risk assessments are carried out so that any risk is minimised and made to be as low as is reasonably practicable. Additionally, a risk assessment that can identify best practice can be established and then followed.

In the last year, the following risk assessments were carried out/reviewed

General IPC risks
Staffing, new joiners and ongoing training – Induction programme is in place for all new joiners clinical and non-clinical and they are expected to complete their mandatory training including IPC within the first 2 weeks of employment. A pre-employment health screening is conducted by HR including the requirements for any occupational vaccines/referrals.
COSHH
Cleaning standards
Staff vaccinations – As a practice we ensure that all our staff are up to date with their Hepatitis B immunisations and offered any occupational health vaccinations applicable to their role (i.e., MMR, Seasonal Flu and Covid vaccinations). We take part in the National Immunisation campaigns for patients and offer vaccinations in house and via home visits to our patient population.
Infrastructure changes
Sharps
Water safety- Legionella: Legionella safety is managed by NANT, an external contractor alongside the Compliance team. All risk assessments, vessel purges, samples etc. are logged on the NANT Portal and any actions are rectified in the time specified. Water temperature checks are conducted weekly and logged on Practice Index and any dead ends are run every Friday to prevent any build up in un-used areas.
Clinical Curtains – The NHS Cleaning Specifications state the curtains should be cleaned or if using disposable curtains, replaced every 6 months. To this effect we use disposable curtains and ensure they are changed every 6 months. The window blinds are very low risk and therefore do not require a particular cleaning regime other than regular vacuuming to prevent build-up of dust. The modesty curtains although handled by clinicians are never handled by patients and clinicians have been reminded to always remove gloves and clean hands after an examination and before touching the curtains. All curtains are regularly reviewed and changed if visibly soiled.
Cleaning specifications, frequencies, and cleanliness: We also have a cleaning specification and frequency policy which our cleaners and staff work to. An assessment of cleanliness is conducted by the cleaning team and logged. This includes all aspects in the surgery including cleanliness of equipment.
Assistance dogs
Training: All our staff receive annual training in infection prevention and control. All clinical and non -clinical staff have completed e-learning training. IPC lead should attend quarterly IPC Lead Practice Nurse forums organised by ICB
Hand washing sinks: The practice has clinical hand washing sinks in every room for staff to use.

d. Training

In addition to staff being involved in risk assessments and significant events, at Victoria Medical Centre all staff and contractors receive IPC induction training on commencing their post. Thereafter, all staff receive refresher training annually.

All our staff receive annual training in infection prevention and control
All clinical and non -clinical staff have completed Practice Index e-learning training.
IPC lead should attend quarterly IPC Lead Practice Nurse forums organised by ICB

e. Policies and procedures

All Infection Prevention and Control related policies are in date for this year. Policies relating to Infection Prevention and Control are available to all staff and are reviewed and updated annually and all are amended on an on-going basis as current advice, guidance and legislation changes. Infection Control policies are circulated amongst staff for reading and discussed at meetings on an annual basis. They are available to all staff via the Practice Index hub which is explained to all staff on their induction to the Practice.

f. Responsibility

It is the responsibility of all staff members at Victoria Medical Centre be familiar with this statement and their roles and responsibilities under it.

g. Review

The IPC lead and Deputy/Practice Managers are responsible for reviewing and producing the annual statement.

This annual statement will be updated on or before May 2025

Signed by – Kathleen Jewell
For and on behalf of Victoria Medical Centre

Data Protection Privacy Notice for Patients

Who should I contact?

If you have any concerns about anything to do with your personal data, please contact us by writing to the Data Protection Office (DPO) at Victoria Medical Centre.

What information do we collect?

What is the legal basis for collecting and using your information?

The law states we must have a legal basis for obtaining and using your personal information. We rely on the following legal bases:

Contract: our contract with NHS England is to provide medical care to all of our patients, which includes you.
Consent: we may also obtain your consent to use your personal information on occasions. Remember that you have the right to withdraw your consent at any time.
Protecting your vital interests: there may be times when you are not able to provide consent, and so we may need to use your personal information to provide medical care where necessary.
Legal obligations: in certain limited situations, we are under a legal duty to disclose your personal information to other organisations.

The law also states that personal information about your health is so sensitive that it falls into a special category. In addition to the legal bases given above, we also rely on the following:

Public interest: we may need to use your personal information for the public interest, such as when there is an outbreak of a serious disease and steps need to be taken to stop it spreading
Defending a claim: we may need to use your personal information to defend a legal claim made by you or a third party

What do we do with the collected personal information?

Chiefly, it is used to provide your medical care. However, your information may be disclosed to partner organisations to help us:

Monitor and nurture the health of the general public
Reviewing the care we provide to ensure it is of the highest standard
Ensure the services we provide can meet patient needs in the future
Prepare statistics on NHS performance
Conduct health research and development
NHS accounts services and audits
Teaching and onward training of healthcare professionals
Pay your GP, dentist and hospital for the care they provide
Investigate complaints, legal claims or other incidents

Some of this information will be held centrally, but where it is used for statistical purposes, stringent measures are taken to ensure that individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units, drug companies and research institutions.

This surgery is supporting vital and health care planning by sharing your data with NHS Digital. For more information about this, please see the GP Practice Privacy Notice for General Practice Data for Planning and Research.

Anonymous and pseudonymised patient data will be shared for use in a population management tool, for purposes of understanding the needs of the patient population and assist in the commissioning and provision of health care. Pseudonymisation of data may be undertaken by a third party. Legal Basis Article 9 2 (h) Health related uses

We are required by law to report certain information to the appropriate authorities. Examples of when we must pass information on include notification of births and deaths; where we encounter infectious diseases, which may endanger the safety of others; and where a court order has been made.

Who are the partner organisations?

You may be receiving care from other people as well as the NHS. We may need to share some information about you to others involved in your care when it is in your best interests to do so. The principal organisations are:

NHS England
NHS Trusts, including Primary Care Trusts and Hospitals
GPs
Dentists
Ambulance Service
Social Services
Education Services
Strategic Health Authorities.

Do I have a choice?

Yes, of course. If you do not want your data to be used in this way, then you can opt out. If you do opt out, then we will still use your personal information to provide your individual medical care.

To find out more about the use of your personal information or to register your decision to opt out of data sharing, you need to go to https://www.nhs.uk/your-nhs-data-matters/

You can change your decision at any time.

For how long do we keep your information?

Do I have rights to access my personal information?

There may be references to third parties in your records. The law states that we must remove any such references that would allow that third party to be identified before we release copies of your information. Third parties could include spouses/partners (both current and former); children; other family members; and unrelated individuals.

What do I do if I need to complain?

Update 2021

Access to shared information is for the purposes of direct care by those who have a legitimate relationship with the patient or service user.

Legal Basis – The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 1 (a) Consent (c) Vital Interest and (e) Direct Care and Article 9 2 (a) Explicit Consent; 9 2 (c) Vital Interest and 9 2 (h) to provide health or social care. In some cases patients may be required to consent to having their record opened by the third party provider before patients information is accessed. Where there is an overriding need to access the GP record in order to provide patients with life-saving care, their consent will not be required.

Sedative Prescribing for Fear of Flying

Victoria Medical Centre does NOT prescribe sedatives for fear of flying. This policy decision has been made by the GP Partners and is adhered to by all prescribers working in the practice.

The reasons for this can be found below:

1) Diazepam is a sedative, which means it makes you sleepy and more relaxed. If there is an emergency during the flight it may impair your ability to concentrate, follow instructions and react to the situation. This could have serious safety consequences for you and those around you.

2) Sedative drugs can make you fall asleep, however when you do sleep it is an unnatural non-REM sleep. This means you won’t move around as much as during natural sleep. This can cause you to be at increased risk of developing a blood clot (DVT) in the leg or even the lung. Blood clots are very dangerous and can even prove fatal. This risk is even greater if your flight is greater than four hours.

3) Whilst most people find benzodiazepines like diazepam sedating, a small number have paradoxical agitation and in aggression. They can also cause disinhibition and lead you to behave in a way that you would not normally. This could impact on your safety as well as that of other passengers and could also get you into trouble with the law.

4) According to the prescribing guidelines doctors follow (BNF) Benzodiazepines are contraindicated (not allowed) in phobia. Your doctor is taking a significant legal risk by prescribing against these guidelines.

They are only licensed short term for a crisis in generalised anxiety. If this is the case, you should be getting proper care and support for your mental health and not going on a flight.

5) Diazepam and similar drugs are illegal in a number of countries. They may be confiscated, or you may find yourself in trouble with the police.

6) Diazepam stays in your system for quite a while. If your job requires you to submit to random drug testing, you may fail this having taken diazepam.

We appreciate that fear of flying is very real and very frightening. A much better approach is to tackle this properly with a Fear of Flying course run by the airlines and we have listed a number of these below.

Easy Jet
www.fearlessflyer.easyjet.com
Tel 0203 8131644
British Airways
www.flyingwithconfidence.com
Tel 01252 793250
Virgin
www.flyingwithoutfear.co.uk
Tel 01423 714900

Practice Policies & Patient Information

Help us improve our website content. How helpful did you find this page?

Thank you for your feedback.