Privacy Notice

At Folly Lane Medical Centre, we are committed to protecting your privacy and keeping your personal information safe. This Privacy Notice explains how we collect, use, share and store your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We act as the data controller for the personal information we hold about you.

If you have any questions about how we use your data, please contact us.

📍 Folly Lane Medical Centre
📞 Telephone: 01925 417247
✉️ Email: cmicb-war.flmcpostbox@nhs.net

Data Protection Officer – Malcolm Gandy

Mid-Mersey Digital Alliance – Information Governance Team
📍 Alexandra Business Park, Prescot Road, St Helens, WA10 3TP
✉️ IG@midmerseyda.nhs.net

We collect and use your personal data so that we can:

  • Provide you with safe, effective medical care
  • Support continuity of care between services
  • Arrange referrals, prescriptions, tests, investigations and results
  • Carry out health-care management, planning and audits
  • Fulfil legal and regulatory responsibilities
  • Help improve NHS services and protect public health

We will only use your information where the law allows us to.

We collect and hold:

  • Personal details (e.g. name, address, NHS number, contact details)
  • Medical information (e.g. history, diagnoses, medications, test results)
  • Details of your consultations, hospital referrals & interactions with us
  • Information about carers, legal representatives & emergency contacts
  • Communications relating to your care (letters, messages, documents)
  • Relevant special category data (e.g. ethnicity, sexual orientation, safeguarding information) where needed for your care

Some of this information is automatically added to your medical record as part of providing NHS services.

Under UK GDPR, our main legal bases are:

Article 6

  • 6(1)(e) – Public task: providing NHS care and treatment
  • 6(1)(c) – Legal obligation (e.g. safeguarding, mandatory reporting)

Consent is used only when another legal basis does not apply.

Article 9 – Special category data (health information)

  • 9(2)(h) – Provision of health or social care
  • 9(2)(g) – Substantial public interest (e.g. safeguarding, public health)

We collect information directly when you:

  • Register as a patient
  • Attend appointments or contact us
  • Submit forms or use digital services (TPP SystmConnect, AccuRx, NHS App)

We also receive data from other health and care providers such as hospitals, community services, urgent care, laboratories and NHS England.

We securely share data with other NHS and care providers involved in your direct care, including:

  • Hospitals, consultants and community healthcare
  • Pharmacies, opticians, dentists
  • Diagnostics and screening services
  • Local authority services where necessary

Where possible, we will notify you before sharing information.

We may also share limited information with NHS organisations for:

  • Service planning
  • Commissioning
  • Disease surveillance and public health

This sharing is done under strict legal controls.

We use secure NHS-approved systems to support care:

  • TPP SystmOne / SystmConnect – clinical system & messaging
  • AccuRx – secure communication & video consultations
  • NHS App & NHS Login – access to your health information and services

These organisations act under our instruction and must comply with UK GDPR.

CCTV operates in some areas of the practice for staff and patient safety, crime prevention and public protection. Images are stored securely and retained for 90 days, unless required for an investigation. CCTV may be shared with law enforcement where legally required.

Legal basis: Article 6(1)(e) & Article 9(2)(g)

All incoming and outgoing calls may be recorded for:

  • Monitoring quality of care
  • Clinical governance and dispute resolution
  • Staff training and safeguarding

Recordings may become part of your medical record when relevant. They are kept securely for 24 months and then deleted.

Legal basis: Article 6(1)(e) & Article 9(2)(h)

You can choose whether your confidential patient information is used for planning and research purposes beyond direct care.

More information: www.nhs.uk/your-nhs-data-matters
Telephone support: 0300 303 5678

Direct care is not affected if you opt out.

If you use our website or online services, cookies may be stored on your device to make services work.

We apply additional safeguards when processing children’s data. If you are aged 16+ and can make your own decisions (Gillick-competent), you may exercise your own data rights.

Under UK GDPR you have the right to:

  • Access your data (Subject Access Request)
  • Request correction of inaccurate information
  • Request deletion or restriction (in some cases)
  • Object to the use of your data
  • Data portability (where applicable)
  • Be informed about how your data is used
  • Not to be subject to automated decisions without human involvement (we do not use automated decision-making)

To exercise your rights, contact the Practice Manager or DPO.

We apply strict technical and organisational measures to keep your information secure. Access is limited to those who need it to provide care.

We do not routinely transfer your data outside the UK. If this becomes necessary, appropriate safeguards will be applied and you will be informed.

We follow the NHS Records Management Code of Practice:

  • Records are kept for the duration of your care and transferred if you move
  • After death, GP records are retained for a minimum of 10 years
  • Some information (e.g. children’s records) is kept longer under statutory rules

Retention ensures safe clinical care and legal compliance.

We will notify affected individuals and the ICO where a breach poses a risk to rights and freedoms, in line with our incident response procedures.

If you are unhappy with how we use your information, please contact us first so we can try to resolve your concerns.

If you remain dissatisfied, you can contact:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
📞 0303 123 1113
🌐 www.ico.org.uk

We review this Privacy Notice annually. Any changes will be published on our website and made available in the practice.

Last reviewed: February 2025 • Next review due: February 2026
