Your Personal Information and what you need to know

This privacy notice explains why we collect information about you, how that information will be used, how we keep it safe and confidential and what your rights are in relation to this.

Why do we collect information about you?

Health care professionals who provide care to you are required by law to maintain records about your health, and any treatment or care you have received. These records help to provide you with the best possible healthcare and help us to protect your safety.

We collect and hold data to provide healthcare services to our patients and to run our organisation, including monitoring the quality of care we provide. In this role we will collect information about you to help us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form.

Our commitment to Data Privacy and Confidentiality

As a GP practice, our GPs, staff, and associated practitioners are committed to protecting your privacy and only process data in accordance with the Data Protection Legislation. This legislation requires that we only process personal data if there is a legitimate basis for doing so and that any processing must be fair and lawful.

In addition, consideration is given to all applicable Law concerning privacy, confidentiality, and the processing and sharing of personal data. This includes the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality, and the Privacy and Electronic Communications (EC Directive) Regulations.

Data we collect about you

Records which this GP Practice will hold or share about you will include the following:

  • Personal Data – means any information relating to a person (‘data subject’) who can be identified, directly or indirectly, by reference to an identifier such as name, identification number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
  • Special Categories of Personal Data – this describes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a person’s sex life or sexual orientation
  • Confidential Patient Information – this is information or data relating to their health and other matters disclosed to another (for example, patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. It includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’, as described in the Confidentiality: NHS code of Practice: Department of Health guidance on confidentiality 2003
  • Pseudonymisation is the process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their ‘real world’ identity
  • Anonymised data is in a form that does not identify individuals and where identification through its combination with other data is not likely to take place
  • Aggregated data is where statistical data about several individuals has been combined to show general trends or values without identifying individuals within the data

How do we use your information?

Information Technology makes it possible for us to share data with other healthcare organisations to provide you, your family, and your community with better care. For example, healthcare professionals in other services can access your record with or without your permission when the practice is closed. Where your record is accessed without your permission, they must have a legitimate basis in law. This is explained further in the Local Information Sharing at Appendix A.

When you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance, to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments and care pathways
  • preventing illness and disease
  • monitoring safety
  • planning services
  • risk stratification
  • Population Health Management

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most often, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

Safeguarding of children or vulnerable adults

If we have significant concerns about children or vulnerable adults at risk of harm, we may share relevant information with other organisations involved in ensuring their safety (Police, local authorities, etc.).

Statutory disclosures

We are bound by the law to disclose information to organisations such as the Care Quality Commission, the Driver and Vehicle Licensing Agency, the General Medical Council, Her Majesty’s Revenue and Customs, and Counter Fraud services. In these circumstances, we always try to inform you before we are required to disclose, and we only disclose the minimum information that the law requires us to.

This is only permitted when there is a clear legal basis to use the information. All these uses help to provide better health and care for you, your family, and future generations. Confidential patient information about your health and care is only used where allowed by law or with patient consent.

Pseudonymised or anonymised data is generally used for research and planning so that you cannot be identified.

A full list of details, including the legal basis, any Data Processor involvement, and the purposes for processing information, can be found in Appendix A.

How long do we hold information for?

All records held by the Practice will be kept for the duration specified by Records Management Code of Practice - NHSX. Information we hold that is identified for destruction will be disposed of in the most appropriate way. Personal confidential and commercially confidential information will be disposed of by approved and secure confidential waste procedures. We keep retention schedules within our information asset registers, in line with the Records Management Code of Practice for 2021.

Individuals' Rights under UK GDPR

Under UK GDPR, the Law provides the following rights for individuals. The NHS upholds these rights in a number of ways:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (not an absolute right; it only applies in certain circumstances)
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Your right to opt out of data sharing and processing

The NHS Constitution states, ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’.

Type 1 Opt Out - This is an objection that prevents an individual's personal confidential information from being shared outside of their general practice except when it is being used for their direct care, or in particular circumstances required by law, such as a public health screening, or an emergency like an outbreak of a pandemic disease. If patients wish to apply they must complete a ‘Summary Care Record opt out form’.

National data opt-out (NDOO) - The mandatory implementation date for the National Data Opt-Out (NDOO) was 31 July 2022, enabling patients to opt out of the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian Review of Data Security, Consent and Opt-Outs.

The national data opt-out replaces the previous ‘Type 2’ opt-out. Any patient who had a type 2 opt-out recorded on or before 11 October 2018 has had it automatically converted to a national data opt-out. For more information, go to the National data opt out programme.

To find out more or to register your choice to opt out, please visit Your Data Matters. This web page will enable you to:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes. Data would only be used in this way with your specific agreement.

Right of Access to your information (Subject Access Request)

Under Data Protection Legislation, everybody has the right to access, or request a copy of, information we hold that can identify them, including medical records. There are some safeguards regarding what patients will have access to, and they may find information has been redacted or removed for the following reasons:

  • It may be deemed to risk causing harm to the patient or others
  • The information within the record may relate to third parties who are entitled to their confidentiality, or who have not given their permission for the information to be shared.

Patients do not need to give a reason to see their data, and requests can be made verbally or in writing. We may ask them to complete a form to ensure that we provide the information requested.

Where multiple copies of the same information are requested, we may charge a reasonable fee for the additional copies. Patients need to provide proof of identity to receive the information. We will not share information relating to you with other individuals without your explicit instruction or sight of a legal document.

Patients also have online access to their data; they can request this via the NHS App.

Change of Details

It is important that you contact the surgery if any of your contact details have changed, or if any of your other contact details are incorrect, including third party emergency contact details. Please make us aware of any changes as soon as possible, so that no information is shared in error.

Mobile telephone number

If you provide us with your mobile number, we will use this to send you text reminders about your appointments or other health related information. It is within our legal duty as a public authority to keep our patients updated with important information.

We also use the NHS Account Messaging Service provided by NHS England to send you messages relating to your health and care. You need to be an NHS App user to receive these messages. Further information about the service can be found at NHS App privacy notice (NHS England) managed by NHS England.

Research opportunities: We may contact you by text message to invite you to take part in health and care research activities on behalf of the research organisation. The message will include details of how to sign up if you are interested. Your details will not be shared with the research organisation.

Email address

If you have provided us with your email address, we will use this to send information relating to your health and the services we provide. If you do not wish to receive communications by email please let us know.

Notification

Data Protection Legislation requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

We are registered as a Data Controller and our registration can be viewed online in the ICO register of data controllers.

Any changes to this notice will be published on our website and at the Practice.

Data Protection Officer

Should you have any data protection questions or concerns, please contact our Data Protection Officer

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any non-personal information that the GP Practice holds that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Legislation under FOIA. However, you can request this under a right of access request.

Right to Complain

If you have concerns or are unhappy about any of our services, please contact us via the contact us page on our website, or contact the ICO (details below).

For independent advice about data protection, privacy and data-sharing issues, you can contact: The Information Commissioner - Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

The NHS Constitution

The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programs available to you, confidentiality, information, and your right to complain if things go wrong. The NHS Constitution for England

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
  • we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
  • we have a legal requirement to collect, share and use the data
  • for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case-by-case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service