Privacy Notice (GDPR)

Commissioning, Planning, Risk Stratification, Patient Identification

The records we keep enable us to plan for your care.

This practice holds data, with regards to patients, that we can apply searches and algorithms to in order to identify from preventive interventions. This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.

If any processing of this data occurs outside the practice, your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease.

You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk.

It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”. Despite this, we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example, a heart attack or stroke, we are justified in performing that processing.

Direct Care (Emergencies)

There are occasions when intervention is necessary in order to save or protect a patient's life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate.

In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.

The law acknowledges this and provides supporting legal justifications.

Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future; these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the first paragraph.

Direct Care (Routine Care and Referrals)

This practice keeps data on:

  • You relating to who you are
  • Where you live
  • What you do
  • Your family
  • Possibly your friends
  • Your employers
  • Your habits
  • Your problems and diagnoses
  • The reasons you seek help
  • Your appointments
  • Where you are seen and when you are seen
  • Who you are seen by
  • Referrals to specialists and other healthcare providers
  • Tests carried out here and in other places
  • Investigations and scans
  • Treatments and outcomes of treatments
  • Your treatment history
  • The observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.

If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports.

Normally we will receive equivalent reports of contacts you have with non NHS services, but this is not always the case.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.

People who have access to your information will normally only have access to that which they need to fulfil their roles. For instance, admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments; the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts; whilst the GP you see or speak to will normally have access to everything in your record.

You have the right to object to us sharing your data in these circumstances, but we have an overriding responsibility to do what is in your best interests.

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at or speak to the practice.

NHS Digital

NHS Digital is the secure haven* for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed.

NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes. Examples include: A/E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc. and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data and English National Diabetes Audits.

GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed.

This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on GPs can be found at


Contract holding GPs in the UK receive payments from their respective governments on a tiered basis.

Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days.

The amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient.

There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets, known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises.

Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.

In order to make patient-based payments, basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws.

Public Health Privacy Notice

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.

This will necessarily mean the subject's personal and health information being shared with the Public Health organisations.

Some of the relevant legislation includes:

  • The Health Protection (Notification) Regulations 2010 (SI 2010/659)
  • The Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657)
  • The Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658)
  • Public Health (Control of Disease) Act 1984
  • Public Health (Infectious Diseases) Regulations 1988
  • The Health Service (Control of Patient Information) Regulations 2002

Direct Care

 This privacy notice explains why health and care providers collect information about you and how that information may be used. For additional information about our ‘Connecting Your Care’ programme please also see ‘Connecting Your Care’ leaflet and Frequently Asked Question or visit:

The health and care professionals who look after you maintain health and care records that contain details of any treatment or care you have received previously or are receiving.

These records help to provide you with the best possible care.

NHS patient health and care records may be electronic, on paper or a mixture of both, and a combination of working practices and technology ensures your information is kept confidential and secure. Records which health and care providers hold about you may include the following information:

  • Details about you, such as address, contact details and next of kin
  • Any contact the health or care provider has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes/reports and assessments about your health and care
  • Details about your planned treatment and care
  • Results of investigations, such as blood tests, x-rays, etc.
  • Relevant information from other health and social care professionals, relatives or those who care for you
  • If you have had a social care assessment, the type of assessment and the date of the next planned review.

The information shared about you is used by the health and social care professionals looking after you to make sure they have the most up-to-date information available to them so that they can quickly assess you and make the best decisions or plans about your care. At the moment, each care organisation has a different system for managing your records, and there is no way for the information held in these records to be shared electronically in “real time”, i.e. immediately. This means that when a health or social care professional needs to know more about you, they must ask for this information by old-fashioned methods, such as telephoning, faxing, or requesting paper copies of your records, all of which can take time, lead to losses of data, or gaps in what is provided.

We believe in an inclusive and innovative approach to care. For more information, please visit

FRMP GDPR Privacy Notice 11

Connecting your Care will introduce a new system that will provide a “connected” electronic view between each of these different systems so that the people looking after you can immediately see important information from each of the services that you use, to help them make the best decisions about your care.

How We Use Your Medical Records

This practice handles medical records in line with laws on data protection and confidentiality.

We share medical records with those who are involved in providing you with care and treatment. In some circumstances we will also share medical records for medical research, for example to find out more about why people get ill.

We share information when the law requires us to do so, for example, to prevent infectious diseases from spreading or to check the care being provided to you is safe. You have the right to be given a copy of your medical record.

You have the right to object to your medical records being shared with those who provide you with care. You have the right to object to your information being used for medical research and to plan health services.

You have the right to have any mistakes corrected and to complain to the Information Commissioner’s Office.