Privacy Policy

This Privacy Notice explains how we use your personal information, why we need it, and what your rights are under data protection law.

We are committed to protecting your privacy and ensuring your information is kept safe, secure, and used only for lawful purposes.


Who we are

Our GP practice is the data controller for the personal data we hold about you. This means we are responsible for deciding how your information is used and ensuring it is handled in line with the law.

We have a Data Protection Officer (DPO) who helps us make sure your information is properly protected. You can contact the DPO if you have any concerns about how your information is used.


What information do we hold about you?

We collect and use different types of information, including:

  • Basic details: your name, date of birth, address, telephone number, email address, next of kin, carer, or legal representative.

  • Health information (special category data): details about your medical history, treatment, medications, allergies, test results, ethnicity, sex, and in some cases, religion (if relevant to your care).

  • Records of contact with the practice: appointments, visits, referrals, emergency care, and communications with you.

  • Information from other health and care providers: hospitals, walk-in centres, NHS 111, social care, or other professionals involved in your care.


Why we need your information

Your records help us provide you with safe, effective, and high-quality care. We use your information to:

  • Provide treatment and healthcare services.

  • Share relevant information with other professionals involved in your care.

  • Carry out clinical audits and service improvements.

  • Help protect public health.

  • Manage NHS services and resources.


The legal basis for using your information

We use your personal information in line with data protection law.

  • Article 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

  • Article 9(2)(h) GDPR – processing is necessary for the purposes of medical diagnosis, healthcare, treatment, and the management of health and social care systems.


How we keep your information safe

We take confidentiality very seriously. Your information is stored securely, whether on paper or electronically, and staff are trained to handle it appropriately.

We will only share your information when it is necessary for your care, required by law, or in exceptional circumstances (e.g. to protect life). Every member of NHS staff is legally obliged to keep your information confidential.


How long do we keep your records?

We keep your information for as long as the law requires. NHS retention rules (Records Management Code of Practice) set out how long health records must be stored.


Sharing your information

We may share your information with other organisations involved in your care, including:

  • NHS Trusts and hospitals

  • Community services and social care

  • Independent contractors (dentists, pharmacists, opticians)

  • NHS England and NHS Digital

  • Ambulance services

  • Local authorities, safeguarding teams, and public health services

  • Police or judicial services (only when legally required)

If we share your data with other organisations (e.g. IT providers or research teams), strict agreements are in place to make sure your data is kept safe and only used for the agreed purpose.


Other ways your data may be used

  • Risk stratification: using data tools to help identify patients at risk of certain conditions, so we can offer early support. You can opt out of this if you wish.

  • Medicines management: reviewing prescriptions to ensure treatments are safe, effective, and up to date.

  • Research and planning: sometimes data may be used for NHS research, innovation, or service improvement. If this involves identifiable information, we will always ask for your consent first.

We will never sell your data or use it for marketing.


Your rights under data protection law

You have the following rights:

  • Right to access – to see what information we hold about you.

  • Right to rectification – to have incorrect or incomplete information updated.

  • Right to erasure – to ask us to delete your data in certain circumstances.

  • Right to restrict processing – to limit how your information is used.

  • Right to object – to stop your data being used for certain purposes.

  • Right to data portability – to request that your information be transferred to another provider.

  • Right to withdraw consent – where we rely on consent (e.g. research projects), you can withdraw this at any time.

To make a request, please contact the practice. We will respond within one month, in line with the law.


Accessing your records (Subject Access Request)

You can request a copy of your records at any time. There is no charge for this.

To do so, please provide enough detail (such as your full name, date of birth, address, NHS number) so we can locate your records and confirm your identity.


What should you do if your personal information changes?

It’s important that your details are correct so we can contact you and keep your health record accurate. Please let us know as soon as possible if your personal information changes.

You can update your details by:

  • Speaking to reception,

  • Using the NHS App (where available), or

  • Contacting the Practice Manager.


Where your data is stored

Your information is held securely in the UK. Some IT systems may store data within the European Union. We do not allow access to your data by third parties unless required by law and with appropriate safeguards in place.

Page last reviewed: 28 August 2025
Page created: 08 November 2021