Spring Hill Practice - General Practice Privacy Notice
Reviewed in June 2023 by AP
Next review due June 2024
This practice’s primary purpose is to provide the best care possible for you. In order to do this, we need to collect, store and share information about you.
- Who we are and how we use your information
- The kinds of information we hold and how we process them
- The legal grounds for processing your personal data, including when it is shared with others
- What to do if your personal information changes
- The length of time that your information is stored and retained by us
- Information about your rights under the 2018 Data Protection Act incorporating the UK General Data Protection Regulations (GDPR)
- Information about what to do if you have a query or problem
Under the 2018 Data Protection Act incorporating the UK General Data Protection Regulation (GDPR), the practice is known as the Data Controller. As such we are responsible for keeping your data up to date and accurate, as well as storing it safely and sharing it securely. If you have a problem or a question, you should contact the Practice Manager in the first instance. The Act also stipulates that public sector organisations should provide access to an independent Data Protection Officer, whose contact details are provided in the summary below.
All health-related data is seen as a ‘special category’ or ‘sensitive data’ under the 2018 Data Protection Act which means that it is shared and processed with particular care. This applies to your data whether it is in electronic formats or on paper.
When registering for NHS care, all patients who are eligible for NHS care receive a unique NHS Number and are registered on a national database. The database is held by NHS Digital, a national organisation that has legal responsibilities to collect NHS data.
· Improve the quality and standard of care that we and other organisations provide
You also have a choice over whether you wish to use your confidential data – i.e. data that CAN be traced back to you for these purposes. If you are content with this, you do not need to do
Special Provisions during the Covid 19 pandemic
The NHS faces continued severe pressure during the pandemic. This makes it even more important to share health and care data across relevant organisations.
Using Regulation 3 (4) of the Health Service (Control of Patient Information) Regulations 2002 and related legislation, the Secretary of State for Health has issued a notice (the COPI notice) that requires health organisations including GP surgeries, local authorities and government bodies to share confidential patient information for the duration of the pandemic. There are new services and information flows that have been set up to manage the outbreak. For instance, this practice is part of a Primary Care Network and a GP Federation. As such, it collaborates to deliver COVID vaccinations in this area and is part of a ‘buddy system’ so that if its staff are so affected by the virus that the practice cannot operate, colleagues from other practices and other organisations can still provide you with care.
All patients registered with a GP have a Summary Care Record (SCR) unless they have chosen not to have one. This record gives professionals in the healthcare system away from your practice access to your information when you need it. If you have previously expressed a preference to only have core information shared in the Summary Care Record or to opt out of the SCR completely, these preferences will be respected. For all other patients the SCR will be used to share additional information as required. New opt-out requests and changes to your opt-out preferences will be suspended and not processed for the duration of the pandemic.
Automated processing of data will be used to identify vulnerable patients and patients needing to be shielded.
NHS England and NHS Improvement and NHSX have developed a single, secure data-store to gather data from across the health and care system to manage and inform the Covid 19 response.
Any data flows used to share data specifically to manage Covid 19 during the pandemic will cease once the COPI notice is withdrawn.
Because of the importance of sharing data for us all (defined as “public interest” under the 2018 Data Protection Act) any patient opt-out including the National Data Opt-out will not apply during the COPI notice period. It may also take the practice longer to respond to Data Subject Access Requests (DSARs) than the stipulated one calendar month. The Information Commissioner’s Office has recognised the pressure the pandemic has placed upon GP surgeries.
e information with.
If your care requires treatment outside the practice, we will exchange with those providing such care and treatment whatever information may be necessary to provide you with safe, high-quality care. The practice also delivers services and treatment to our patients as part of, and in association with local primary care networks and beyond.
Once you have seen any outside care provider, they will normally send us details of the care they have provided you with, so that we can understand your health and treatment better.
The sharing of personal data, within the practice and with those other organisations involving the practice, such as Primary Care Networks (PCNs) as well as secondary care organisations, and social prescribing organisations is assumed and is allowed by law (including the Data Protection Act 2018). However, we will gladly discuss this with you in more detail if you would like to know more. We keep a register of our Information Assets which also sets out a Record of Processing Activity. The majority of patient data processing and storage happens via our EMIS and EMIS Community clinical systems.
We have an overriding responsibility to do what is in your best interests under the 2018 Data Protection Act ‘in performance of a public task’ (see legal bases in the summary below). The Practice team (clinicians, administration, and reception staff) only access the information they need to allow them to perform their function and fulfil their roles. A list of the types of organisation we share with is provided below. This summary also contains details of your rights in relation to your data under the Act and how to exercise them.
We do also share anonymised data across our Primary Care Networks, the Sutton GP Federation, The South-West London Clinical Commissioning Group, and NHS England. This data is extracted by secure data extraction tools such as EMIS Enterprise and/or Apollo.
This practice does NOT share your data with insurance companies, except by your specific instruction or consent.
Your data is NOT shared or sold for any marketing purpose.
The practice may use YouTube or similar media in order to communicate with specific groups of patients. Patients will never be asked to pay for such a service, but should be aware that the nature of YouTube or similar is that providers of content may receive remuneration based upon the number of hits that content receives. If offered such a service, patients can decline or opt-out at any time.
However, under the 2018 Data Protection Act, when the COPI notice described above is withdrawn, you do have the right to opt out of having your data processed in such automated ways. If you wish to opt out of this, please contact the practice.
The practice takes part in research that uses anonymised or pseudonymised data. It also takes part in planning at a local, regional, and national level. and is therefore no longer under the 2018 Data Protection Act and thus preserves patient privacy and confidentiality.
on a regular basis and their privacy notice explaining more about how this data is collected and how it is used is available at:
Anonymised or pseudonymised patient data held by the practice may also be used to evaluate present services that provide direct care or to plan future ones within the practice or across the local area.
Identifiable patient data may be used in planning and managing the response of the NHS to the Covid 19 virus due to the overriding priority of serving the national public health interest. This will continue until the COPI notice above is withdrawn.
Sometimes, the practice is contacted to ask whether its patients would consider taking part in research on a particular condition, but where the data used would identify those individuals.
You cannot opt-out of your data being shared for the purposes of providing you with direct care. You can opt-out of NHS Digital collecting your information, as outlined above, for purposes beyond your direct care; namely, planning and research based on your pseudonymised data.
To do this, you can check your present status and/or change your preferences at on-line and read the information and follow the instructions if you wish to opt out. This opt-out is recorded against your NHS number on the NHS ‘spine’. The NHS ‘spine’ is administered by NHS Digital.
You can also download a form called a Type 1 opt-out from the NHS Digital website, or ask one of our receptionists. This form, which will be processed at the practice, prevents identifiable patient data being shared outside of your practice.
You can also exercise your ‘right to object’ to a specific process involving your data. If you wish to do this for data processed at this practice then you must contact the practice’s Data Protection Officer at Itservicedesk.firstname.lastname@example.org
There are some situations where your data will be shared in addition to providing you with direct care. These include:
- Situations where data is needed in the “public interest”, e.g. in cases of epidemic where communicable diseases need to be diagnosed and the spread of their infection prevented or controlled;
- To monitor and deliver vaccination programmes;
- Where there is a legal compulsion;
- To manage risks of infection from food or water supplies or the environment.
This practice is compliant with the national data opt-out policy.
The practice stores the main patient record via a contracted data processor in the cloud. The contracted processor for the practice is Egton Medical Information Systems (EMIS). They can be contacted via EMIS, Rawdon House, Green Lane, Yeadon, Leeds LS19 7BY.
The medical record is retained at the patient’s practice for the lifetime of the patient, after which it is sent to Primary Care Services England (PCSE). If you move to another practice your records will be transferred to that practice.
Spring Hill Practice
DPO Name: NHS North East London ICB
DPO Address: 4th Floor, Unex Tower, 5 Station Rd. London. E15 1DA
Tel: 0800 917 8607.
Direct Care delivered to the individual alone, much of which is provided in the surgery.
After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc.
The information that is shared is to enable the other healthcare and social care professionals to provide the most appropriate advice, investigations, treatments, therapies and/or care.
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(c) – the processing is necessary for compliance with a legal obligation to which the controller (the practice) is subject and/or
Article 6(1)(e) ‘…the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Health data is defined as a special kind of personal data and is also processed by the practice under
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..’
The sharing of your personal data also takes place in accordance with the common law duty of confidentiality. Performance of this duty does not require consent from the patient where the proposed use of their data is either for individual care or in the public interest.
The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
· Primary Care Network
· Local GP provider organisation
· NHS Commissioning Support Units
· Social Care Services
· Health and Social Care Information Centre (HSCIC)
· Clinical Excellence Group
· Community Pharmacists
· District Nurses
· Independent Contractors such as dentists, opticians, pharmacists
· Private Sector Providers
· Voluntary Sector Providers
· Ambulance Trusts
· Clinical Commissioning Groups
· Local Authorities
· Education Services
· Fire and Rescue Services
· Police & Judicial Services
· The Child Health Information Service
· Substance Misuse Remote Workers
· London Coroner’s Service
· Social Prescribers
Many organisations across London share an aggregated summary view of your data, held in a secure Health Information Exchange and using a Local Health Care Exemplar format known as the One London patient record, in order to make quicker and better-informed decisions in providing you with care.
This practice is also part of a Neighbourhood Multi-Disciplinary Team based upon the Shoreditch Park and City Primary Care Network designed to bring together a number of service providers to help patients with more than one need.
You have the right to object to some or all of the information being processed, which is detailed under Article 21. Exercising your right to object may well prevent the referral or course of treatment from going ahead.
Please contact the Data Protection Officer at Itservicedesk.email@example.com
You should be aware that this is a right to raise an objection that is not the same as having an absolute right to have your wishes granted in every circumstance.
You have the right to access your data and to have any inaccuracies corrected.
There is no right to have medical records deleted except when ordered by a court of law.
We retain your personal data in line with both national guidance and law, which can be found here:
If you have a question or wish to complain about the use of your data, you should approach the Practice Manager or contact the Data Protection Officer at: Itservicedesk.firstname.lastname@example.org
The use of personal data is overseen by the Information Commissioner’s Office, often known as the ICO.
If you wish to complain or raise a concern with the ICO, they can be contacted via their website:
Or you can also call their helpline
Tel: 0303 123 1113 (local rate)
01625 545 745 (national rate)
Or you can write to them at
The ICO, Wycliffe House, Water Ln, Wilmslow SK9 5AF
This practice acts as Data Controller for your data. It uses a number of suppliers as Data Processors. These suppliers may be procured nationally, regionally or locally and support the practice by providing various clinical services under instruction.
Patients receiving warfarin treatment are monitored by a system called INR Star. This system is owned by LumiraDX Care Solutions.