GDPR and Privacy

Website Privacy Notice

1. About Us

We, at the Bancroft Medical Centre situated at Bancroft Court, 30-35 Bancroft, Hitchin Herts, SG5 1LH and 100 Bancroft, Hitchin, Herts, SG5 1ND, are a Data Controller of your information. This means we are responsible for determining the purpose for collecting, storing and handling your personal and healthcare information when you are registered with us as a patient.

Our aim is to provide you with the highest quality healthcare. To do this we must keep information about you, your health, and the care that is provided, or is planned to be provided, to you. This information is collectively known as your ‘health record’. The purposes for which we use the information held in your health record are set out in this Privacy Notice.

It is important to us that you are informed about how we use the information we hold about you. If you have any questions about this Privacy Notice or any other concern regarding how your personal and healthcare information is used, then please contact us.

2. Contact Us

A. Data Controller

The contact details of the named, responsible Data Controller at the practice are Dr Sally Crabtree, Senior Partner and David Roberts, Practice Manager.
You can contact them via our generic email – if:

1. You have any questions about your information being held
2. You require access to your information or if you wish to make a change to your information
3. Any other query in relation to this Privacy Notice and your rights as a patient.

B. If you have a concern

If you have a concern or complaint about the way we handle your personal data or how we have used or handled your personal and/or healthcare information, please contact the Data Controller on the contact information provided, so we can review your concern in accordance with our internal policy.

In the event that your concern was not resolved by your contact with our named Data Controller, then please contact our Data Protection Officer on the details below.
You also have the right to raise any concern or complaint with the UK supervisory authority, at the Information Commissioner’s Office (ICO) website or telephone: 0303 123 1113.

C. Data Protection Officer (DPO)

Data Protection Officer (DPO) function for this practice is provided by HBL ICT services, hosted by ENHCCG. If you wish to contact the DPO for further information on how we use your data, or if you have a concern about anything to do with the personal and healthcare information we hold about you (that was not resolved by your enquiry with the practice), please contact the DPO at HBL ICT hosted by ENHCCG at:

3. Information We Collect About You And Why

In order to provide healthcare services we collect personal information from you, such as your contact details: your name, address, telephone number(s), email address, date of birth, gender, NHS Number, details and contact number(s) of your next of kin/emergency contact, or carers as applicable.

We also collect health information and other related information from you and from health care professionals, or any other person involved in your general healthcare. This may include such information as:

  • Contact we have had with you, such as appointments and services
  • Information related to the services provided
  • Notes and reports about your health
  • Details and records about your treatment and care
  • Results of x-rays, laboratory tests etc.
  • Firearms Applications
  • Immigration matters
  • Court orders

The information collected from you and others is collectively known as your ‘health record’. Your health record may be held in hand written format (manual record) or on a computer system (electronic). Information held within your health record is used for your direct care purposes and to check and review the quality of care you have received. (This is called audit and clinical governance).

We may contact you using SMS messaging for appointment and other services on the mobile number you have provided and where you have given us permission to do so. If you no longer wish to receive messages via SMS, please contact the practice to let us know.

Your care providers will endeavour to ensure that your health record is kept up-to-date, accurate, secure and appropriately accessible to those providing your care and treatment.

Please ensure you update us on any changes to your contact information or any other relevant details. You have the right to access information held about you. For details on access requests, please see the section 7A of this Privacy Notice.

4. Lawful Basis Relied On For Processing Information About You

A. The primary lawful basis

The primary lawful basis that we rely on to collect, store, use, and share your personal and health information for direct care, the administration of direct care services (prevention, investigation and treatment), and the planning of healthcare services under Data Protection Legislation are as follows:

  • i. For processing personal data: The performance of a task carried out in the public interest or in the exercise of official authority…’ Article 6(1)(e) ‘
  • ii. For Personal data concerning health or special categories of personal data:
    Article 9(2) (h) ‘…for the medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

B. Vital Interests:

There may be occasions where we rely on the lawful basis of Vital Interests in the event that we need to process personal data to protect an individual’s life.

C. Legal Obligation:

Sometimes we are required by law to share your information. Examples of this may include such reasons as: to safeguard children or vulnerable adults, where it is in the wider public interest (public health), detection or prevention of crime, to defend a legal claim, reporting to DVLA, or where required by court order. In these instances, the lawful basis for sharing information is Legal Obligation.

D. Consent:

Your consent will be sought in certain instances, where we do not rely on another lawful basis to process your information (see Section 4A-C). For example, if you wish to sign up to our practice newsletter or to release your information to a third party who we do not have a lawful basis to share your information with, your consent will be required. When consent is given as the lawful basis for processing your information, your consent can be withdrawn at any time.

We will never sell or share your information for direct marketing

5. Direct Care Services And Who We May Provide Your Information To And Why

Safe and effective care is dependent upon relevant information being shared between all those involved in caring for a patient. When an individual agrees to being treated by the wider care team, it creates a direct care relationship between the individual patient, the health and social care professional, and their team. All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the Common Law Duty of Confidentiality and the GDPR and Data Protection Act 2018.

Your personal information will only be shared in accordance with your rights under the General Data Protection Regulation, Data Protection Act 2018, the Common Law Duty of Confidentiality, the NHS Constitution, and in keeping with professional and NHS Codes of Practice.

For further information on the use and sharing of confidential information, please visit the A Guide to Confidentiality in Health and Social Care page on the NHS Digital website.

You have the right to object to your information being shared for direct care, but in some circumstances this may delay or affect the care you receive. Always consult your GP or relevant health professional before deciding to opt out of sharing your information, as they will be able to advise you on the possible outcomes of this decision. Please see Section 7E for further information on the right to object.

If you have registered for patient online access services, you may have the ability to view the My Care Record (MCR) partner organisations. Please see section 5G for more information about the MCR programme. Records are only available to partner organisations where you are registering for, or have been referred to, direct care services. The patient online access service offers you the ability to implement alternative preferences through specific lists of partner organisations.

If you remove an organisation and require services from that organisation at a later date, you can inform the practice of your preference change(s). Alternatively, when you present at one of the partner organisations and you agree to their access of your record, you will receive a verification code via your mobile phone to provide access.

A. Case Findings and Risk Stratification

Sometimes your information will be used to identify whether you may benefit from a new or existing service; based on case findings. To do this, we may use automated technology to help us identify people that might require support or benefit from services, but ultimately, the decision is made by those involved in your care. Those involved in your care might look at particular ‘indicators’ (such as particular conditions) and contact you or take action for healthcare purposes. For example, this might be to prevent you from having to visit accident and emergency by supporting you in your own home or in the community.

The automated review may be completed at the practice or in conjunction with Clinical Commissioning Group’s (CCG) Risk Stratification processes. The information we pass to the CCG is via our computer systems and cannot identify you to them.

This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This protects you from being identified by anyone not involved in your care that may have access to this information.

Please follow this link to see how the CCG use information to provide services and improve care:

We may provide your information to the following people or organisations, where there is a legitimate reason to do so i.e.: they require your information to assist them in the effective provision of your direct healthcare needs:

B. People and Organisations involved in your care:

Health and Social Care Professionals, including support personnel who have, or will have a direct care relationship with you to meet your healthcare needs:

C. Diagnostic Organisations:

Diagnostic testing organisations are provided with relevant information to allow contact with you and to book a test/procedure to assist in your direct healthcare needs.

D. Pharmacies:

Pharmacists are provided with relevant information to allow contact with you and to provide relevant prescriptions and supporting advice, assisting in your direct healthcare needs.

E. Referrals such as Hospital Appointments/Specialists/Dentists/Continuing Health Care Services, Community Services (including Mental Health), and CCG approvals for certain NHS health services:

When referrals are made for patients to an NHS or private healthcare provider, relevant patient contact details, including the registered mobile phone number the patient has given the practice permission to use, are shared for the purpose of arranging the referral appointment and/making direct contact if further details are required by the receiving organisation. If a patient has a preference or does not wish to be contacted by a specific method (i.e. mobile, phone or SMS), this should be discussed with the clinician or personnel coordinating the referral on their behalf. In addition, a summary of the patient’s health history is typically included in the referral, to assist the receiving healthcare professional to make a holistic assessment and/decision. This is important, because removal of areas of the history that could be considered relevant may affect the outcome of referrals and treatment. If there are areas of your healthcare history that you do not want shared, please raise this with your GP or healthcare professional.

F. National Screening Programmes:

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These screening programmes currently include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at the Population screening programmes: detailed information page on the website.

For national screening programmes, you can opt out so that you no longer receive an invitation to a screening programme. See the Opting out of the NHS population screening programmes page or speak to your practice.

G. Record Sharing Programmes

In order to provide you with the most integrated health and social care services, there are numerous national and regional initiatives in place to securely link different clinical systems via such technology as GP Connect or the Medical Interoperability Gateway (MIG). This allows health and social care professionals to access to your clinical records when they are providing direct care services to you. Security and protection of your data is managed through robust national and local agreements.

i. My Care Record

1. This is a local record sharing initiative that promotes the safe, transparent sharing of your healthcare records for the purpose of your direct care needs. The My Care Record currently allows the sharing of patient records with local partner organisations. To ensure that those partner organisations comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those intended purposes only.

For more information of the My Care Record initiative and a list of the organisations who have signed data sharing agreements to promote this integrated care model, please follow the link:

2. Extended Access this service is part of the My Care Record initiative of electronic health record sharing, and provides you with access to GP appointments outside of our regular practice hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group (CCG), the local GP Federation, and other practices. The local GP Federation (a group of local GP practices) offers this service on our behalf. This means the Federation will need access to your healthcare record to be able to offer you the service. To ensure that each organisation involved in the Extended Access service comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

The Extended Access service is managed by 12 Point Care and the practices included are as follows:

Ashwell Surgery, Baldock Surgery, Birchwood Surgery, Bancroft Medical Centre, Knebworth and Marymead Medical Practice, Regal Chambers Surgery, The Garden City Surgery, Nevells Road Surgery, Portmill Surgery, Sollershott Surgery and Whitwell Surgery

3. Primary Care Networks (PCN) this practice is part of the Hitchin and Whitwell PCN. The PCN includes other local organisations such as: GP Practices, community, mental health, social care, pharmacy, hospital and voluntary services, working together as participating organisations in the MCR programme. This enables a greater provision of proactive, personalised, coordinated and more integrated health and social care for you. In order to provide you with these services, we have formal arrangements in place.

To ensure partner organisations comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those intended purposes only.

Local PCN membership of GP practices can be found here:

Further information about PCNs can be found on the Primary care networks page of the NHS website.

ii. Your Summary Care Record and Summary Care Record with Additional Information

Summary Care Record (SCR)

Your summary care record is an electronic record held on a national healthcare records database provided and facilitated by NHS Digital. This allows other healthcare professionals who we do not have data sharing agreements with, but who you have a direct care relationship with, to access your electronic record when they are providing you with direct care services. This is particularly helpful if you are visiting another part of the country and require healthcare services.

At a minimum, the SCR holds important information about;

  • current medication
  • allergies and details of any previous bad reactions to medicines
  • the name, address, date of birth and NHS number of the patient

This record may be accessed with your permission by relevant healthcare professionals involved in your direct healthcare. If you do not wish to have your SCR available to be shared, please contact the practice so we can update your records.

Summary Care Records (SCR) (NHS Digital website)

iii. Summary Care Record with Additional information

The inclusion of additional information on a SCR is particularly useful for people with complex or long term conditions. Due to the sensitivity of more detailed information being accessible on your SCR, you will be asked for your permission to allow additional information to be added to, and accessible on, your SCR.
NHS Digital have developed a Supplementary SCR (COVID-19) Privacy Notice to outline these changes which includes additional coronavirus-covid-19-supplementary-privacy-noticeinformation in THE Summary Care Records for patients

H. Clinical Commissioning Group (CCG)

The CCG manages the majority of contracts for primary care, in order for us to deliver healthcare services to you. At times, they may assist us in the administration of our direct care services through reviews, or coordination and follow up with organisations involved in your care. This may include such functions as coordinating community pharmacy services, providing medication optimisation reviews, arranging continuing health care services, contacting a hospital about important discharge information or a diagnostic organisation about a test result, or other health or social care services involved in your care.

We have contracts in place with the CCG. This means that they cannot do anything with your personal information unless we have instructed them to. They will only share information about you that is relevant and necessary to fulfil the requirement of a particular service to you.

Information about you is only shared with organisations that have a relationship with you or will have a relationship through a referral. They will hold your information securely and retain it for only as long as necessary. If you require further information please contact the practice or the DPO.

I. Electronic Prescribing Services (EPS)

The practice is upgrading to the latest phase of the Electronic Prescribing Service (EPS). This provides the following options:

You can choose a pharmacy or dispenser to dispense all your prescriptions. If you have already registered a nominated pharmacy or dispenser with us, we will continue to send your electronic prescription to that nominated pharmacy or dispenser. If you do not nominate a pharmacy or dispenser, you can decide each time you are issued a prescription where you would like it to be dispensed, or be issued a secure barcode token to take to a pharmacy of your choice where your prescription can be electronically accessed. Your data will be shared securely and in line with data protection legislation, for direct care purposes as outlined in this privacy notice.

Further information on the EPS can be found on the Electronic prescriptions page of the NHS website.

J. Third Party Technical Support Processors

We use data processors who are third party organisations to provide services that support us in our delivery of healthcare services to you. Contracts are in place with our data processors outlining the processing that they are permitted to undertake on our behalf. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. If you require further information, please contact the practice or the DPO.

K. Online Consultation Services

To assist us in our delivery of online direct care services to you, we use external organisation e- Consult. Patients registered at this practice can access the secure e-Consult portal via our website or via the NHS App. NHS England is a joint data controller with the Practice for online consultation for the purposes of commissioning, contracting and assuring the compliance of e-Consult. NHS England does not access any of your health data. If you access e-consult via the NHS App, NHS Digital is a data controller of personal data relating to your identify verification only.

For further information please refer to NHS APP Privacy policy: online consultation services.

With your consent, e-Consult will process the data you provide and submit your completed consultation back to us for our review and action. Once received, the practice will become data controllers of the completed online consultation, which will become part of your medical record and processed as outlined in this privacy notice for the purpose of providing direct care services to you.

Further information about the online consultation services available at this practice can be found here (

Information about how e-Consult processes your data can be found in their privacy notice when you access e-Consult. This includes the use of automated decision making and profiling when you complete the online consultation, but this decision is not absolute.

You can also: book an appointment directly with the practice for a consultation, fill in another form to provide different/ updated information on the e-Consult website, or provide further information when you speak with your GP.

To ensure compliance with data protection and other relevant legislation, there is a contract in place with e-Consult to ensure your data is protected and used for the purposes outlined in the privacy notice.

In the event that the practice receives an e-consultation where the individual is not registered at the practice, contact will be made to inform the individual of options available. Where the individual is unable to be contacted or will not registering with the practice, the e-consultation data will be destroyed in accordance with our retention policy. Further information can be obtained from the practice.

L. Video and Telephone Consultations

As an alternative to face to face appointments, there may be instances where we may offer you an appointment via telephone or video consultation. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information shared on the consultation will be safeguarded in the same way it would with any other consultation with relevant information added to your patient record.

Video or audio consultations/appointments are not typically recorded, but if are, your permission will be sought as to the purpose and use of the recording i.e.: for direct care purposes: diagnosis, treatment or care. Recordings will be stored as part of your patient record in line with NHS Digital Record Management Code of Practice (2016).

If, as part of the consultation, still images or photographs are taken/obtained and are to be kept, they will be securely stored as part of your patient record in line with NHS Digital Record Management Code of Practice (2016).

If the recording/images are to be used for any other reason than what the original permission was obtained for, then further permission would be required prior to that use.

If recordings or still images obtained are no longer needed (i.e.: adequately described in the clinical notes) then the recording/ images will be confidentially and securely destroyed as per our policies and in line with NHS Digital’s guidance.

M. NHS App

The NHS App is a nationally run service that allows individuals to access a range of services within the Practice and beyond. NHS England and NHS Digital are joint data controllers of the NHS App and any personal data that is necessary for accessing the App. The data controller or processor of your personal data within a service accessed via the App will depend on the organisation accessed. Please see the NHS App privacy notice for further information.

6. Non Direct Care Services Where Your Information May Be Used:

Whenever you use a health or care service, such as attending GP appointments, Accident & Emergency, admission to hospital, or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment.

In addition, this information may also be used by other approved organisations for non-direct care purposes, where there is a lawful basis to help with: planning services, improving care, research into developing new treatments, and preventing illness. All of this helps in providing better care to you and your family and future generations. Anonymised information (where you cannot be identified) will be used for non-direct care purposes whenever possible. However, confidential information about your health and care is only used in this way where the law allows and in alignment with the National Data Opt-Out Policy.

National Data Opt-Out

You have a choice about whether you want your confidential patient information to be used for research and planning. If you are happy with this use of information you do not need to do anything, but if you do choose to opt out, your confidential patient information will still be used to support your individual care and will not affect care and services available to you.

However, if there is an overriding public safety concern or legal requirement to share information, we must do so (See Section 4D).

For further information on the Nation Data Opt-Out Policy:

If you choose to opt out, you can still agree to your data being used for specific purposes i.e: a specific research project.

You can change your mind at any time on the NHS Digital link.

This practice is compliant with the National Data Opt-Out from 7th June 2021 and will use your NHS number to apply your choice in line with the National Data Opt-Out Policy.

Type One Opt-out

In addition to the National Data Opt-Out, the existing ‘type 1’ opt-outs will continue to be respected until the Department of Health and Social Care conducts a consultation with the National Data Guardian on their removal. Therefore, until further notice, if you information the practice, or have previously informed the practice that you dissent from the sharing your confidential data for purposes beyond your direct care (Type1), your data will not be shared outside of the practice without your expressed permission, unless there is an overriding legal obligation to do so.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your explicit consent.
Please see Section 7E for further information on the right to object.

Your individual care will not be affected if you opt-out using the Tier 1 or National Data Opt-out.

Non-Direct Care services include organisations such as:

A. Clinical Commissioning Group East and North Hertfordshire Clinical Commissioning Group (CCG)

Clinical Commissioning Group East and North Hertfordshire Clinical Commissioning Group (CCG) is the organisation responsible for commissioning (planning, designing and paying for) your NHS services. The CCG is made up of local GPs, health professionals and commissioners, working together with other clinicians and patients to decide how the local NHS budget should be spent. Information provided to the CCG is pseudo-anonymised, meaning the CCG cannot identify the individual. For more information on how the CCG uses your information, please visit the How we use information about you – Fair Processing Notice page on the East and North Hertfordshire Clinical Commissioning Group website.

B. NHS Digital

NHS Digital General Practice Data for Planning and Research (GPDPR) – No specific date has been set for collection of this data.

NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice.
NHS Digital previously collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced with the GPDPR.

Patient data collected from general practice is needed to support a wide variety of research and analysis to help run and improve health and care services. Whilst the data collected in other care settings such as hospitals is valuable in understanding and improving specific services, it is the patient data in general practice that helps understanding of whether the health and care system as a whole is working for patients.

In addition to replacing what GPES already does, the General Practice Data for Planning and Research service will also help to support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including coronavirus (COVID-19) and enable many different areas of research.

NHS Digital will not collect patients’ names or addresses. Any other data that could directly identify patients (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital. This process is called pseudonymisation and means that patients will not be identified directly in the data. NHS Digital will be able to use the software to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason.
If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different, and they are explained in Section 6 above in the link below. Your individual care will not be affected if you opt-out using either option.

For more information, please see NHS Digital’s ‘GP Data for Planning and Research Transparency Notice’, including information about how Type 1 Opt-out or National Data Opt-out applies.

C. Care Quality Commission Access to Health Records

CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator.

This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care.

D. Research Organisations

Health and social care research may be conducted by organisations commissioned by the NHS, other health and social care organisations, universities, or commercial research partners for such purposes as developing new treatments and improving healthcare outcomes. If through Case Findings (see section 5A), and where you have not previously objected, we would contact you to determine if you would like to participate with a research project.

We would always ensure that data protection laws were followed to protect your data, and information about you will not be shared with research organisations without following the National Data Opt-Out Policy.

E. For the purposes of complying with the law as explained in section 4C.

F. Anyone you have given your consent to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we may need to contact you to verify/clarify your consent before we release the record. It is important to us that you are clear and understand how much information and what aspects of your record will be released.

7. Individual Rights

The Law gives you certain rights about your personal and healthcare information that we hold.

We have one calendar month to reply to you and give you the information that you require or explain why we are unable to fulfil your request. We would ask, therefore, that any requests you make is in writing or verbal requests followed up in writing, so it is as clear as possible what you are requesting. This will prevent unnecessary delays in getting a response to you.

A. Subject Access Requests (SAR)

You have the right to see what information we hold about you and to request a copy of this information. Under special circumstances, which have an overriding legal basis, some information may be withheld.

Sometimes information about third parties mentioned by you or others may be recorded on your records. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including you. Third parties can include, but not limited to: spouses, partners, and other family members.

A subject access request can be made in writing or verbally but we will need to verify who you are. For ease of use, please complete the form on the website. Alternatively, please email the practice at

We will provide this information free of charge however, we may in some limited and exceptional circumstances have to apply a reasonable administrative charge for any extra copies or repetitive requests. If applicable, we will discuss this with you at the time of your request.

If you have consented to a third party to request a SAR on your behalf, we require the third party to supply us with your consent. Due to the confidentiality and sensitivity of health records, if we are unsure about the consent provided or think you may not be aware of the extent of what would be disclosed in the request, we may contact to review and confirm the request with you before the SAR is processed.
If online access is a service available at the practice, there are robust protocols necessary for security of this information. When we give you online access or provide you with a SAR via another means, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access to it.

Access Requests for Deceased Patient Records:

This is not managed under the data protection legislation. The Access to Health Records Act 1990 includes this access. NHS England becomes the data controller of deceased patient records and access requests are reviewed as per this Act.

Requests to access should be made to the Primary Care Services England.

B. Right to Restriction of Processing

You have the right to request we restrict processing your information while the accuracy, lawful basis, or the legitimate use of the information is being reviewed.

C. Right to Rectification/Correction

We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details or any of your dependant’s contact details, including your mobile phone number has changed.

You have the right to have any mistakes or errors corrected. However, we are not aware of any circumstances in which you will have the right to delete information from your health record that is deemed accurate at the time of entry. Please contact us if you hold a different view.

D. Right to be Forgotten

The right is typically not available because the primary conditions we rely upon for processing your information for services are: for the performance of a task carried out in the public interest, or for reasons of public health in accordance with Art. 9(2) (h) or (i).

If there are instances of a specific processing activity where you believe the lawful basis allows the right to be forgotten, please contact the practice to review your request.

E. Right to Objection

You have the right to object to your information being shared outside of the practice; however you are not able to object to your name, address and other demographic information being sent to NHS Digital. This is necessary if you wish to be registered to receive NHS care.

Please see section 5 Direct Care: ‘You have the right to Object’ for more information about the right to object to the practice sharing information about you to other organisations involved in your direct care.

If you do not want your personal information to be shared and used for purposes other than your direct care and treatment, then you should contact the practice and ask for further information about how to register your objections. This should not affect the care and treatment you receive.

You can object to processing of your information at the practice; however this would prevent us for providing you with any further healthcare services.

Please note that there may be times where there are legitimate legal grounds that override the objection of an individual i.e.: a legal obligation that the data controller must comply with or for the establishment, exercise or defence of legal claims.

F. Right to Portability

The right to request portability is only available where the processing is based on Data Protection legislation lawful basis of consent or contract and the processing is automated. These are typically not the lawful bases relied on in primary care services and are not the lawful bases used by this practice. If there are instances of a specific processing activity where you believe the lawful basis allows the right to portability, please contact the practice to review your request.

G. Right to be informed of Automated Decision Making including profiling

We will inform you where automated decision making and profiling is used for a specific service and provide further information. For example, if human involvement in used in a process (i.e.: see Case Findings Section 5A where a clinician reviews the findings) or where further reviews are available (i.e.: see Online Consultation Section 5K, where irrespective of the outcome of such profiling and automated decision making, you are free to visit the practice for a consultation. You can also fill in another form to provide different, updated information on the website and you can also speak to your GP and provide them with any further information.

8. How Long Do We Keep Your Information

In line with the most current NHS Digital Records Management Code of Practice for Health and Social Care, we will retain/store your health record for as long as necessary to provide the services set out in this Privacy Notice.

If you move away and register with another practice, we will send your records to the new practice in accordance with NHS GP2GP transfer guidelines.

If the practice is merging with another practice or will no longer be offering GP services, you will be notified of this change by the practice and you will be provided further information on the secure transfer of your record to your new GP practice.
For further information, please contact the practice.

9. Our Website

The only website this Privacy Notice applies to is the GP practice’s website. If you use a link to any other website from the Practices’ website, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

10. Cookies

The Practice’s website uses cookies. For more information on which cookies we use and how we use them, please see our Cookies Policy.

11. WI-FI

Is available on site for the use of our visitors via a third party provider as part of an NHS initiative. The practice has no access to the data held or control over Wi-Fi usage.

You will be provided with the access name and password if you wish to access the Wi-Fi, where terms and conditions of use will be available.

12. Data Security

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure.

We regularly update our processes and systems and we also ensure that our staff members complete regular training on data protection. We also carry out assessments and audits of the information that we hold about you, and we make sure that if we are considering providing new services, we carry out security assessments to ensure measures are put in place to protect your data.

13. Organisational Security


CCTV is in place at Courtenay House and Orford Lodge sites.
It has been installed solely for the safety and security of our patients and staff; to prevent and deter crime.

Images are recorded 24 hours a day and stored on the hard drives of the recording devices that are situated in secure areas and only those authorised at the practice and those delivering technical support services will have access to the system.
The CCTV only records images and does not record audio.
All CCTV recordings are stored on our recording devices for 30 days before being deleted.

There are signs in the practice telling you that CCTV is in place.

We will only ever share information with the relevant internal personnel/authorities in connection with the safety and security of patients and staff and will not share with any other third parties.

Visitors to the practice have the right to request to see images of themselves on CCTV as part of a request made under the privacy legislation. Please refer to our Subject Access Request section ‘7 A’ of this Privacy Notice for more information.

B. Telephone Recordings

Please note: this section does not apply to Telephone Consultations. Please see section 5 L for information about how we collect, use and store telephone consultation data.

We record all incoming and outgoing telephone calls at the practice for the purpose of patient & staff security and safe, and staff training. All telephone recordings are stored on our recording devices for 12 months before being deleted.

There are messages on the phone system indicating the use of voice recording.

We will only ever share information with the relevant personnel/ authorities in connection with the safety and security of patients and staff and will not share with any other third parties.

Individuals contacting the practice have the right to request access to audio of themselves as part of a request made under the privacy legislation. Please refer to our Subject Access Request section ‘8A’ of this Privacy Notice for more information.

C. Lawful Basis

The purpose for processing the information is for quality, security and safety reasons.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.

14. Where To Find our Privacy Notice

You may find a copy of this Privacy Notice in our reception, on our website, or a copy may be provided on request.

15. COVID-19 And Your Information

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak.

In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on here and some FAQs on this law are available here.

Coronavirus (COVID-19) has led to increased demand on general practices, including an increasing number of requests to provide patient data to inform planning and support vital research on the cause, effects, treatments and outcomes for patients of the virus.

To support the response to the coronavirus outbreak, NHS Digital has been legally directed to collect and analyse healthcare information about patients, including from their GP record, for the duration of the coronavirus emergency period, under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

This collection will reduce burden on general practices, allowing them to focus on patient care and support the coronavirus response. Further information can be found on the GPES data for pandemic planning and research (COVID-19) page on the NHS Digital website.

Data collection has already commenced for those practices which have registered participation on CQRS. The data collection will continue until 30 September 2020 and will be reviewed before then. If there is a continued need for the data for coronavirus purposes it will continue with 6 monthly reviews until the expiry of the Direction, which is currently 31 March 2022.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs.

However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.

It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video- conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response can be viewed on the How data is supporting the COVID-19 response page through the NHSX website.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response.

This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

16. Changes To Our Privacy Notice

We regularly review and update our Privacy Notice. This Privacy Notice was last updated 5th August 2021.

Please note: If English is not your first language, you may be able to request a translation of this Privacy Notice from the practice.

Supplementary Privacy Note on Covid-19 for Patients

The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the COVID-19 pandemic.

The ICO also recognise that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’

The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.

Please note that this notice has now been revised and extended by a further notice from 29th July 2020 until 31st March 2021.

In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease. Additionally, the use of your information is now required to support NHS Test and Trace.

Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs.

The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 31st March 2021 unless a further extension is required. Any further extension will be will be provided in writing and we will communicate the same to you.

Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.


We use a processor, iGPR Technologies Limited
(“iGPR”), to assist us with responding to report
requests relating to your patient data, such as
subject access requests that you submit to us (or
that someone acting on your behalf submits to us)
and report requests that insurers submit to us under
the Access to Medical Records Act 1988 in relation to
a life insurance policy that you hold or that you are
applying for.
iGPR manages the reporting process for us
by reviewing and responding to requests in
accordance with our instructions and all applicable
laws, including UK data protection laws.
The instructions we issue to iGPR include general
instructions on responding to requests and specific
instructions on issues that will require further
consultation with the GP responsible for your care.