Data and Privacy Homepage
Welcome to our new Data and Privacy Homepage. This is our practice's landing page for all things relating to data, privacy and information management.
Data and privacy are really important to us as a practice. We feel strongly that you should be clear about what data we hold about you, how we keep it safe, and what we do with it.
This page is designed to be our homepage for all things relating to your data. It replaces a traditional Fair Processing / Transparency Notice and serves as an overall summary Privacy Notice. This privacy notice explains:
What information do we collect and why
How we keep your information safe and confidential
How you can access, amend, and opt-out of data collection
Key contacts and other resources
We have summarised these key topics below, but these remain general overarching principles. For more details and specific information, we'd highly recommend reading the specific domain privacy notices on each area (posted below).
What information we collect and why
In order to provide you with the best possible healthcare, we as a practice maintain records about your health and any treatment or care you are receiving / have received (e.g. in NHS Trusts, GP Surgeries, Walk-in clinics, community care, etc.).
Records which we hold about you may include the following:
Personal details about you, such as your phone number, address, ethnicity, and next of kin
Any contacts the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
Notes and reports about your health
Details about your treatment and care
Results of investigations, such as laboratory tests, x-rays, etc.
Relevant information from other health professionals, relatives, or those who care for you
Records from your previous doctor
We are required by law to maintain these records about your health and we hold this data for the purpose of providing healthcare services to our patients. There are certain circumstances where we are required by law to report certain information to the appropriate authorities e.g. notification of new births, if we encounter infectious diseases (e.g. meningitis or measles), or where a formal court order has been issued.
We may also share your data with others where relevant. Under the Health and Social Care Act 2015, we are required to share data with NHS Digital (they are the national custodian for health and care data in England). This data does not include patients' names or other identifiable data and is used to support health and care planning and research in England and to improve health outcomes for everyone. We may also share your information with other local services (e.g. Trusts, GP Federations, Community Care) for your direct care and to help with local planning and improve local outcomes.
If you provide us with your mobile phone number, we may use this to send you reminders about your appointments or other health screening information. If you provide us with your email address, we may use this to communicate with you in place of posted letters. Please let us know at the practice email address (see here) if you do not wish to receive correspondence by mobile or email.
For more information about the specific data we collect, how we use it, and who it might be shared with, please read the full details in our specific domain privacy notices below. For more details about opting out of data sharing where applicable, please see below.
How we keep your information confidential and safe
Everyone working for the NHS is subject to the Common Law Duty of Confidence. The NHS Digital Code of Practice on Confidential Information applies to all our staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared (as laid out in this statement). All our staff are expected to make sure information is kept confidential and receive annual training on how to do this.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with national NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel only.
We also make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
Data Protection Act 2018
United Kingdom General Data Protection Regulation (UK GDPR) 2018
Human Rights Act
Common Law Duty of Confidentiality
NHS Codes of Confidentiality and Information Security
Health and Social Care Act 2015
We maintain our duty of confidentiality to you at all times. We only ever use or pass on information about you if others involved in your care have a genuine need for it. We do not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or it is in the best interest of the wider patient population, or where the law requires information to be passed on.
Regarding data retention, we approach the management of patient records in line with the Records Management NHS Code of Practice which sets the required standards of practice, based on current legal requirements and professional best practice.
How you can access, amend and opt-out of data collection
Accessing your information: All patients have the right to see or have a copy, of the data we hold about you. If you want to access your data you may make the request in writing (including your full name and date of birth) to firstname.lastname@example.org or verbally in person at the practice. Under special circumstances, some information may be withheld.
Amending your information: It is important that you tell the Practice if any of your details such as your name, address, or anything else that we hold about you has changed. Please inform us of any changes by email at the practice email address (see here) to ensure our records about you are accurate and up to date.
Opting-out: We appreciate that some patients may be concerned about data sharing. We as a practice have double-checked with our local Information Governance Leads and with the NHS Digital team and we have been reassured that the data will not be shared for any marketing or insurance purposes. It is kept within NHS organisations and a few trusted research partners. Nevertheless, you can still stop your patient information from being used for research and planning purposes should you wish to. It’s important to note there are two types of opt-out:
Type 1 opt-out:
To stop your data from being shared from the practice to NHS Digital and other NHS organisations, you can complete the Type 1 form here and send it to us at the practice email address (see here). We’ll continue using your data internally at a Practice level and with other local NHS services like hospitals and ambulance services for your individual care needs e.g. referrals, blood tests, etc.
If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.
National Data opt-out:
You can complete the national opt-out form online (nhs.uk/your-nhs-data-matters) if you don’t want any patient information currently held by NHS Digital to be shared with other organisations for any purposes except your own care.
If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website at the link above.
Key contacts and other resources
If you have concerns or are unhappy about any of our services, please contact us at email@example.com. For independent advice about data protection, privacy, and data-sharing issues, you can contact the Information Commissioners Office. For contact details click here.
Our key contacts for data and privacy are:
Data Protection Officer: Claire Clements - firstname.lastname@example.org
Caldicott Guardian: Dr Sarah Hawxwell - email@example.com
Senior Information Risk Owner - Sachin Gupta - firstname.lastname@example.org
Information Governance Lead - Gregory Lee - email@example.com
ICO Registration: Penrose Surgery sits under the Penrose Health Partnership which is registered with the Information Commissioners Office (ICO) to describe the purposes for which they process personal and sensitive information. We are a registered Data Controller and our registration can be viewed online in the public register here.
Further Information: More information about the way in which the NHS uses personal information and your rights in that respect can be found here.
The NHS Care Record Guarantee: The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data, and how data is protected under the Data Protection Act 2018.
The NHS Constitution: The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public, and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information, and your right to complain if things go wrong.
NHS Digital: NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.
Specific Domain Privacy Notices
We've tried hard to lay this out in a way that is clear and concise whilst also remaining comprehensive but please feel free to email us at firstname.lastname@example.org if you'd like more information.