Patient Privacy Notice

Version 9.9

This privacy notice explains why Concept House Surgery, hereafter known as ‘the Organisation’, collects information about you, how it is kept secure and how that information is used.

This notice will explain:

Introduction

The General Data Protection Regulation (GDPR) became law on 25 May 2018.  This regulation protects the personal and sensitive data of a living individual.  It is currently known as the UK GDPR 2021 after the United Kingdom withdrew from the European Union on 31 January 2020.

As your registered GP organisation, we are the data controller for any personal and sensitive data we hold about you.  We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

Why do we collect your information?

Healthcare professionals within the NHS who provide you with care are required by law to maintain your medical records with details of any care or treatment you have received.  This information will be used to aid clinicians in making decisions, either individually or jointly, about your health and to make sure your care is safe and effective.  Other reasons include:

What information do we collect?

The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously or elsewhere (eg NHS hospital Trust, another GP surgery, Out of Hours service, Accident & Emergency Department, etc).  These records help to provide you with the best possible healthcare.

Information we hold about you may include the following:

How do we keep your information safe and secure?

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.  We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.


We will only ever use or pass on information about you if others involved in your care have a genuine need for it.


We will not disclose your information to any third party without your permission unless there are exceptional circumstances, or where the law requires information to be passed on, for example:

Our organisation policy is to respect the privacy of our patients, their families and our staff, and to maintain compliance with the UK GDPR and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.


All employees must sign a confidentiality agreement as a condition of their employment.  We also ensure that the data processors who support us are legally and contractually bound to operate, and to prove, security arrangements wherever data which could or does identify a person is processed.


Third party processors include:


We will email or text you regarding matters of medical care, such as appointment reminders and, if appropriate, test results, unless you have separately given the organisation your explicit consent not to do so.  We maintain our duty of confidentiality to you and will only use or share information with others if they have a genuine need for it.  We will not share your information with a third party without your permission, unless there are exceptional circumstances, ie life and death, or where the law requires us to share your information.

Why do we share your information, and who do we share it with?

Confidential patient data will be shared within the healthcare team at the organisation, including nursing staff, administration staff (prescription, secretaries, reception, finance) and with other healthcare professionals to whom a patient is referred.


Data processors

The organisation uses data processors to perform certain administrative tasks for us, particularly where these involve large numbers of patients.  Details of the data processors are listed below:


We remain the controller of our own patient data but are required to let approved users run queries on pseudonymised patient data.  This means identifiers are removed and replaced with a pseudonym.


Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.


Patients who do not wish for their data to be used as part of the process can register a type 1 opt-out with the practice.


You can find additional information about OpenSAFELY here.


This information will be used to:


Data sharing schemes

To ensure optimal care delivery, we may share relevant data with carefully selected third parties when it directly supports your treatment or aids in preventing a medical condition. Such data sharing is conducted under strict legal and regulatory controls to safeguard your privacy and rights. These third parties could include specialists, laboratories, or external healthcare services involved in your care pathway. We ensure that all data exchanges comply with the highest standards of data protection.

Several data sharing schemes are active locally, enabling healthcare professionals working outside of the surgery to view information from your GP record.  A list of these schemes can be obtained by writing to the and asking for the information under the Freedom of Information Act 2000.


The shared record means patients do not have to repeat their medical history at every care setting.


Your record will be automatically set up to be shared with the organisations listed above; however, you have the right to ask your GP to stop your record from being shared, or to allow access only to parts of your record.


Your electronic health record contains a lot of information about you.  In most cases, particularly for patients with complex conditions and care arrangements, this means that you get the best care and that the people involved in your care have all the information about you. The shared record means patients do not have to repeat their medical history at every care setting.


Through GP Connect, the following functions are enabled:


The information shared may include your basic details, medical history, medications, allergies, test results and consultation notes. Only the minimum information necessary for your care is accessed, and only by staff directly involved in providing treatment.


All data sharing is carried out using secure NHS systems, in compliance with UK data protection law. Access is strictly role-based, logged, and audited. We remain responsible for your GP record as the data controller.


Our legal basis for using GP Connect is the performance of a task carried out in the public interest and in the exercise of official authority (UK GDPR Article 6(1)(e)), and the provision of health or social care (UK GDPR Article 9(2)(h)).


You have the right to know how your information is used, and you can ask to view, correct, or limit the sharing of your data. If you have questions or concerns, please contact our Data Protection Officer or practice team.


Using services supported by GP Connect means your information may be securely shared across NHS organisations solely for the purpose of your direct care. For more details, please refer to our full privacy policy or speak to a member of the practice team.


Mandatory disclosure of information

We are sometimes legally obliged to disclose information about patients to relevant authorities.  In these circumstances the minimum identifiable information that is essential to serve that legal purpose will be disclosed.

The organisation also has a professional and contractual duty of confidentiality.  Data will be anonymised before disclosure where possible, if anonymised data would serve the purpose for which the data is required.

Organisations to which we are legally obliged to release patient data include:

Permissive disclosure of information

The organisation can release information from your medical records to relevant organisations, only with your explicit consent.  These include:


Don’t want to share your information?

You have the right to withdraw your consent at any time for any instance of processing, provided consent is the legal basis for the processing.  Please contact your GP Organisation for further information and to raise your objection.


You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

Your organisation has systems and processes in place to comply with the National Data Opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

To find out more or to register your choice to opt out, please visit https://www.nhs.uk/your-nhs-data-matters/ or telephone 0300 3035678.  On the webpage you will:


You can also find out more about how patient information is used at:

Health Research Authority: What We Do (which covers health and care research).

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)


You can change your mind about your choice at any time.


Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.


Data Protection Impact Assessments

In primary care settings, protecting patient data and ensuring privacy is a fundamental obligation. One important tool used to uphold this responsibility is the Data Protection Impact Assessment (DPIA). A DPIA is a structured process that helps identify and minimise the data protection risks of a project, particularly when new technologies or processes involving personal data are introduced. It is an essential part of ensuring that any handling of patient information complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

DPIAs are typically required when data processing is likely to result in a high risk to individuals' rights and freedoms. In primary care, this might include the introduction of a new electronic health record system, sharing patient information with external providers, or deploying new tools for remote consultations. By carrying out a DPIA early in the planning stages, primary care organisations can assess how personal data will be collected, stored, used, and shared, and ensure appropriate safeguards are in place to protect that data.

The purpose of a DPIA is not only to protect patients' privacy, but also to promote transparency and accountability in how data is handled. It ensures that patients' rights are respected and that any potential impact on their privacy is fully considered and mitigated. DPIAs are reviewed and updated regularly as services evolve, making them a key part of continuous improvement in data protection practices within primary care.

Legal basis for processing your personal data

We need to know your personal, sensitive, and confidential data so that we can provide you with healthcare services and advice.  Under the UK General Data Protection Regulation (UK GDPR) there are different reasons why we may process your data, however we mostly rely upon:

Article 6(1)(e): Official Authority; and

Article 9(2)(h): Provision of health


For much of our processing, in particular:


We also rely upon:


Your data rights

The UK GDPR allows you to ask for any information the organisation holds about you, including your medical records.  It also allows you to ask the organisation to rectify any factually inaccurate information and object to how your information is shared with other organisations (opt-out).


Data being used or shared for purposes beyond individual direct care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.


Right of access

The organisation holds both personal and sensitive data (health records) about you.  If you need to review a copy of your historical medical records, you can contact the surgery to make a ‘Subject Access Request’.  Please note, if you receive a copy, there may be information that has been redacted. Under UK GDPR the organisation is legally permitted to apply specific restrictions to the released information.  The most common restrictions include:


The timeframe will begin when either:


Whichever is the latest.


The deadline is one month; however, we can pause this if we require more information from you.  The deadline can be extended by an additional two months depending on the complexity of the request, the number of requests you make, or if we must process a large amount of data.  We will notify you if an extension is to be applied.


We will perform reasonable and proportionate searches to locate your personal data in response to a subject access request.


Right to rectification

You have the right to have any factual inaccuracies about you in your medical record corrected.  Please contact the surgery with your request.


Right to object

If you do not wish to share your information with organisations that are not responsible for your direct care, you can opt out of the sharing schemes.  For further information about opting out, please visit Your NHS Matters.


Right to withdraw consent

Where the organisation has obtained your consent to process your personal data for certain activities (eg preparation of a subject access request for a third party), you have the right to withdraw your consent at any time.


Your access to your future health records

If you have online access to your medical records, you will have access to your full records.  This means you will have access to free text, letters, and documents once they have been reviewed and filed by the GP.  Please note that this will not affect proxy access.

If you move organisation, access to your full medical records will commence from the date you register with the new organisation.

There are limited legitimate reasons why access to prospective medical records will not be given or will be reduced, and they are based on safeguarding.  If the release of information is likely to cause serious harm to the physical or mental health of you or another individual, the GP could refuse or reduce access to prospective records; third party information may also be withheld if deemed necessary.  On occasion, it may be necessary for a patient to be reviewed before access is granted, to confirm that access can be given without a risk of serious harm.

What should you do if your personal information changes?

It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us as soon as possible of any changes so that our records are accurate and up to date.

How long will we store your data?

The NHS Records Management Code of Practice can be accessed at:

https://transform.england.nhs.uk/information-governance/guidance/records-management-code/


How can you complain?

If you have any concerns about how your data is managed, you must contact Practice Manager  in the first instance and complete the practice complaint procedure.  If you are dissatisfied with the outcome of our investigation, you may then contact the Information Commission.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commission at:

The Information Commission

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF

Tel: 0303 123 1113    Web: www.ico.org.uk


Further information

If you have any concerns about how your data is shared or would like to know more about your rights in respect of your personal data held by the organisation, please contact the Data Protection Officer.

Data Protection Officer

Any queries about data protection issues should be addressed to:


Sharon Forrester-Wild

Email: DPO.healthcare@nhs.net


Changes to our privacy policy

We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes. This policy will be reviewed in April 2026, or earlier to align it with legislative changes.