The Practice and Your Information
We take your privacy very seriously. We are registered with the Information Commissioner’s Office as a Data Controller and our registration number can be found if you search the ICO online register.
We aim to provide you with the highest quality health care.
To do this we must keep records about you, your health and the care we have provided or plan to provide to you.
Your doctor and other health professionals caring for you, such as nurses or physiotherapists, keep records about your health and treatment so that they are able to provide you with the best possible care.
Please be aware that both clinical and administrative staff will access your personal data; this allows us to manage high volumes of communication and activity.
Administrative staff are bound by confidentiality in the same way as the clinician is and will keep your information private.
These records are called your ‘health care record’ and may be stored in paper form or on computer and electronic systems and may include Personal Data;
basic details about you, such as address, date of birth, NHS number, and next of kin
as well as Sensitive Personal Data;
contact we have had with you, such as clinical visits
notes and reports about your health
details and records about your treatment and care
results of x-rays, laboratory tests etc
Healthcare providers are permitted to collect, store, use and share this information under Data Protection Legislation which has a specific section related to healthcare information.
If you have any questions or wish to make a request in relation to your information, please contact us using the details on our main page or contact our Data Protection Officer at Hannah.email@example.com
Our Data Protection Officer service is provided by Kafico Ltd. When we ask for their support, we will aim to remove any reference to individual patients. Where this is not possible, we will use the minimum necessary to allow us to obtain advice and support.
What We Do With Your Information
Below is a description of the routine uses of your information;
Refer you to other healthcare providers when you need other services or tests
Discuss or share information about your health or care with other health or social care providers, including using technology such as GP Connect
Share samples with laboratories for testing (like blood samples)
Share test results with hospitals or community services (like blood test results)
Allow out of hours or extended hours GPs to look at your health record when you are going to an appointment
Send prescriptions to a pharmacy
Text patients in relation to healthcare services. See Information Technology for more information.
Samples are provided to the courier for delivery to pathology
Share reports with the coroner
Receive reports of appointments you have attended elsewhere such as with the community nurse or if you have had a stay in hospital
Produce medical reports on request from third parties such as the DVLA or your employer
Movement of Patient records to Primary Care Support England
14th April 2019: Amended to include “Discuss or share information about your health or care with other health or social care providers”
25th October 2020: Amended to include link for more information about text messaging
28th May 2021: Amended to include a link about opting out of research
What Else Do We Use Your Information For?
Along with activities related directly to your care, we also use information in ways which allow us to check that care is safe and provide data for the improvement and planning of services.
Quality / payment / performance reports are provided to service commissioners
As part of clinical research – information that identifies you will be removed, unless you have consented to being identified
Undertaking clinical audits locally to ensure safety and efficiency
Supporting staff training
Incident and complaint management
Sending practice information to other NHS bodies for national audits or research that are required by law (e.g. NHS Digital Audit Data Collection) or the Learning Disabilities Census
Local evaluations and planning activities
Sharing When Required by Law
Sometimes we will be required by law to share your information and will not always be able to discuss this with you directly. Examples might be for the purposes of detection or prevention of crime, where it is in the wider public interest, to safeguard children or vulnerable adults, reporting infectious diseases or where required by court order.
Care Quality Commission Access to Health Records
CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator.
This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care.
More information about the CQC can be obtained on their website https://www.cqc.org.uk/about-us/our-policies/privacy-statement
Children and Young People
Young people from the age of 13 (and sometimes younger) are allowed to make decisions about how their health information is shared.
A parent or guardian may apply for access to a young person’s information.
If a young person does not consent – we may not provide access to the adult.
If the young person does not have the capacity to understand, we may provide access to the adult because it is in the young person’s best interest to do so.
Young people can ask us to keep certain parts of their information confidential.
If the young person is making decisions about their information that put them at risk – we may notify adults with parental rights.
The practice will use third parties to provide services that involve your information such as;
Removal and destruction of confidential waste
Provision of clinical systems
Provision of connectivity and servers
Digital dictation services
Data analytics or warehousing (these allow us to make decisions about care or see how effectively the practice is run – personal data will never be sold or made available to organisations not related to your care delivery)
We have contracts in place with these third parties that prevent them from using it in any way other than as instructed. These contracts also require them to maintain good standards of security to ensure your confidentiality.
Our practice may wish to use text messaging to communicate with you about practice activities or your own healthcare.
We may text you;
To send survey/questionnaires which, if they are clinical, we will save into your medical record
With a link so you can send photos to the clinician of your rash or lump for example
Ask you to update clinicians on your treatment or wellbeing
Invite you to health screenings or vaccinations
Send referral letters or summaries
Contact you if you miss an appointment e.g. at outpatients
Contact you if you are not able to answer a phone call
Send you test results or ask you to call to discuss your results
Send you general public health messages about COVID 19, flu clinics, mental health or wellbeing services
In relation to research projects, unless you have objected
You can object at any time by getting in touch with us.
If you share a mobile phone with someone, please be mindful that they may see information about your health.
We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes.
GP Connect is not used for any purpose other than direct care.
Updated 21st June 22 to include research projects for potential SMS
Updated 2nd July 22 to include GP Connect paragraph
Updated 22nd August 22 to include “invitations to screenings or vaccinations”
Updated 31st August 23 to include a new link to GP Connect transparency notice
Data protection law provides you with a number of rights that the practice is committed to supporting you with;
Right to Access
You have the right to obtain:
Confirmation that your information is being used, stored or shared by the practice
A copy of information held about you
We will respond to your request within one month of receipt or will tell you when it might take longer.
We are required to validate your identity including the identity of someone making a request on your behalf
Right to Object or Withdraw Consent
We mainly use, store and share your information because we are permitted to do so in order to deliver your healthcare, but you do have a right to object to us doing this.
Where we are using, storing and sharing your information based on explicit consent you have provided, you have a right to withdraw that consent at any time.
You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.
Our Data Protection Officer will be happy to speak with you about any concerns you have.
Right to Correction
If information about you is incorrect, you are entitled to request that we correct it
There may be occasions where we are required by law to maintain the original information – our Data Protection Officer will talk to you about this and you may request that the information is not used during this time.
We will respond to your request within one month of receipt or will tell you when it might take longer.
Right to Complain
You also have the right to make complaints and request investigations into the way your information is used. Please contact our Data Protection Officer or visit the link below for more information.
For more detailed information on your rights visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
15th September 2022 removed section indicating that requests may be processed late due to COVID-19.
Online Access to Your Health Records
What is Online Access?
What are the Benefits?
What might be withheld?
Is this a Subject Access Request?
When Will I be Able to See All My Records?
Can I Switch Online Access Off?
What if I have Complaints or Concerns about the Information I can See?
How Do We Keep Your Information Safe?
We are committed to ensuring the security and confidentiality of your information.
There are a number of ways we do this;
Staff receive annual training about protecting and using personal data
Policies are in place for staff to follow and are regularly reviewed
We check that only the minimum amount of data is shared or accessed
We use ‘smartcards’ to access systems; this helps to ensure that the right people are accessing data – people with a ‘need to know’
We use encrypted emails and storage which would make it difficult for someone to ‘intercept’ your information
We report and manage incidents to make sure we learn from them and improve
We put in place contracts that require providers and suppliers to protect your data as well
We do not send your data outside of the UK without appropriate, lawful safeguards.
15th September 2022 Amended “We do not send your data outside of the EEA” to “We do not send your data outside of the UK without appropriate, lawful safeguards”
How Long Do We Keep Your Information?
In line with the NHSX Records Management Code of Practice, we will retain / store your health record for your lifetime.
When a patient dies, we will send your record to Primary Care Services England, who review the record, and generally it will be destroyed 10 years later, unless there is a reason to keep it for longer.
If you move away or register with another practice, we will send your records to the new practice.
Your Information: Planning and Research
Information about your health and care helps the NHS to improve your individual care, speed up diagnosis, plan your local services and research new treatments.
It can also help research organisations to explore new treatments or make discoveries.
You can decide that you do not want your information to be used in this way.
There are two main options;
Option 1: Opting out of the GP Data for Planning and Research (GPDPR), formerly known as GPES.
This means you don’t want your data to be extracted from your GP clinical system and used for Planning and Research Purposes. You can opt out at any time but opting out before the end of August 2021 will mean your data is not extracted by the new process. Opting out after that date will mean that no further extractions will occur. Find out more about GPDPR.
Option 2: Opting out of NHS Digital using or sharing your health data (held by any provider, not just your GP), for Planning and Research purposes.
You can opt out at any time. Find out more about opting out of Research and Planning.
How do I Opt Out?
To opt out of your data leaving the GP Practice for Research and Planning (Type 1), just contact your GP practice by website, phone, email or post and let us know.
To opt out of your health data being used or shared by NHS Digital (Type 2), you can call.
The phone number is 0300 303 5678 – Monday to Friday, 9am to 5pm (excluding bank holidays).
National Data Opt Out
7 and 8 Wellington Place
The practice is required to share patient information with NHS England in order to support the work being undertaken in relation to COVID-19.
The OpenSAFELY COVID-19 service provides a secure analytics service for academics, analysts and data scientists to access GP and NHS England de-identified patient data for COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes (COVID-19 Purposes). The Service is currently operated by NHS England in collaboration with the Bennett Institute and The Phoenix Partnership (TPP), or Egton Medical Information Systems (EMIS) (the GP System Suppliers).
You can find out more by clicking here.
If you have opted out of your data being shared for research and planning purposes, your data will not be included.
Page added June 1st 2021
Added chapter “OpenSAFELY COVID-19” 9th July 2023
COVID-19 Research: NHS Digital
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.
The health and social care system has been / is facing significant pressures due to the coronavirus (COVID-19) outbreak.
Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak.
In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
National Data Opt Out and NHS Digital
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
diagnoses and findings
medications and other prescribed items
investigations, tests and results
treatments and outcomes
vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see: