Fair Processing and Data Protection Privacy Notice for Registered Patients




Your information, your rights

The privacy of our patients is important to us, and we are committed to protecting and safeguarding your data privacy rights.

Being transparent and providing accessible information about how we will use your personal information is a key element of the Data Protection Act (DPA) 2018 and the UK General Data Protection Regulations (UK GDPR) 2018.

Privacy Notice

This Privacy Notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you in order to deliver your care.  It applies to personal information processed by or on behalf of the practice. This Notice explains:

  • Who we are and who is the controller of your data
  • what information we collect and use
  • how the information is collected
  • why we need the information
  • who we share your information with
  • how we lawfully use your data
  • how we maintain the confidentiality of your records
  • health risk screening
  • what consent is required and when
  • how to raise an objection to your data being used
  • how we store your information
  • sharing your data
  • how long we store your data
  • your right of access
  • how to object/complain.

Who is the controller of the data?

As your registered GP practice, we are the data controller for any personal data that we hold about you.

We are registered with the Information Commissioner’s Office – registration no. Z2306259.


Data Controller

As your registered GP practice, we are the “data controller”. This means that we are responsible to you in respect of how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.


What information do we collect and use?

All personal data must be processed fairly and lawfully, whether it is received directly from you or from a third party in relation to your care.

We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:

  • 'Personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified from the data.  This includes, but is not limited to name, date of birth, full postcode, address, next of kin and NHS number
  • 'special category/sensitive data' such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Data collected in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographic and contact details, we will also process details of what the safeguarding concern is. This is likely to be special category information (such as health information).

We will only ever use or pass on information about you if others involved in your care have a genuine need for it.  We will not disclose your information to any third party without your permission unless there are exceptional circumstances, for example in a life or death situation or if it is in your best interests.  Our policy is to ensure all personal data related to our patients will be protected.


How is the information collected?

Your information will be collected either electronically using secure NHS Mail or a secure electronic transfer over an NHS encrypted network connection.  In addition, physical information will be sent to your practice.  This information will be retained within your electronic patient record or within your physical medical records.


Why do we need this information?

To ensure you receive the best possible care and treatment.  The NHS Act 2006 and the Health and Social Care Act 2012 vest statutory functions in GP Practices to promote and provide the health service in England, improve the quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training.

To do this we will need to process your information in accordance with current data protection legislation to:

  • Protect your vital interests
  • pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult
  • perform tasks in the public’s interest
  • deliver preventative medicine, medical diagnosis and medical research
  • manage the health and social care system and services.

Your healthcare records contain information about your health and any treatment or care you have received previously (eg from another GP surgery, hospital, walk in or urgent care centre, community care or mental health provider, social services and so on).  These records may be electronic, a paper record or a mixture of both.  We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

Records which the Practice holds about you may include the following information:

  • Details about you, such as your address, telephone number and email address.  Carer or family member information, legal representative, emergency contact details
  • any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc
  • notes and reports about your health, treatment and care
  • details about any medical conditions and prescription information
  • results of tests and investigations such as laboratory tests, x-rays etc.; this may include vaccinations and tests relating to Covid-19 and information on whether you are self-isolating
  • hospital admission and discharge
  • relevant information from other health professionals, relatives or those who care for you.

Who will we share your information with?

In order to deliver and coordinate your health and social care, we may share information with the following organisations:

  • Local GP Practices in order to deliver extended primary care services
  • NHS – for example, hospital trusts
  • 111 and the Out of Hours Service
  • local Social Services and Community Care services
  • voluntary support organisations commissioned to provide services by the local Commissioning Support Unit (CSU) and Clinical Commissioning Group (CCG).

Your information will only be shared if it is appropriate for the provision of your care or if it is required to satisfy our statutory function and legal obligations. Your information will not be transferred outside of the European Union.

Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that we can provide the appropriate care. In addition, we receive data from NHS Digital (as directed by the Department of Health), such as the uptake of flu vaccinations and disease prevalence, to assist us to improve out of hospital care.


How do we lawfully use your data?

We need to know your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice. Under UK GDPR we will lawfully use your information in accordance with:

  • Article 6 (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the:

  • Data Protection Act 2018
  • General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review.

Access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. All employees and sub-contractors engaged by our Practice are required to sign a confidentiality agreement.

We maintain our duty of confidentiality by conducting annual training and awareness and ensuring our policies and procedures are updated with any changes to legislation.


Health risk screening/risk stratification

Health risk screening or risk stratification is a process that helps us to determine whether you are at risk of an unplanned admission to hospital or deterioration in health.  By using selected information such as age, gender, NHS number, diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care, it will help us to be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

To summarise, risk stratification is used in the NHS to:

  • Help decide if a patient is at a greater risk of suffering from a particular condition
  • prevent an emergency admission to hospital
  • identify if a patient needs medical help to prevent a health condition from getting worse; and/or
  • review and amend provision of current health and social care services.

We use computer based algorithms or calculations to identify our registered patients who are at most risk, with support from the local Commissioning Support Unit (CSU) and/or a third party accredited risk stratification provider.  The risk stratification contracts are arranged by our local Clinical Commissioning Group (CCG) in accordance with the current Section 251 Agreement*. Neither the CSU nor your local CCG will at any time have access to your personal or confidential data.  They will only act on behalf of us to organise the risk stratification service with appropriate contractual technical and security measures in place.

We will routinely conduct the risk stratification process outside of your appointment.  This process is conducted electronically and without human intervention.  The resulting report is then reviewed by a multidisciplinary team of staff within the Practice.  This may result in contact being made with you if alterations to the provision of your care are identified.

*A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.


Medicines Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.



This Practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all, at the heart of what we do.

Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:

  • Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is:

  • Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’.

Do I need to give my consent?

The UK GDPR sets a high standard for consent.  Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps build trust and enhance our reputation.  However, consent is only one potential lawful basis for processing information.  Therefore, we may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice.  We will contact you if we are required to share your information for any other purpose which is not mentioned within this Notice.  Your consent will be documented within your electronic patient record.

From time to time, we may ask your consent to share your name, contact details and email address to inform you of services that may benefit you.  There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends.


What will happen if I withhold my consent or raise an objection?

In certain circumstances you may have the right to withdraw your consent to the processing of data at any time.  However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care.  Please contact the Practice Manager if you would like to discuss how disclosure of your personal data can be limited.

In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.  Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format.   In some circumstances you can opt-out of the surgery sharing any of your information for research and planning purposes.  If you would like to know more about this, ask at reception for a copy of the patient information around the National Patient Data Opt-out.

We hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016 and information is not held for longer than is necessary.


Sharing your information without consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • Where there is a serious risk of harm or abuse to you or other people
  • where a serious crime, such as assault, is being investigated or where it could be prevented
  • notification of new births
  • where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
  • where a formal court order has been issued
  • where there is a legal requirement, for example if you had committed a Road Traffic Offence.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

The Practice uses a secure system called Emis web to manage clinical information about your care and health. This system is provided by a company called Emis who act as a data processor on behalf of the practice.  A data processing agreement is signed by both parties.

The data processor that the Practice uses is called EMIS Health Ltd. They also use a sub-processor which is Amazon Web Services who act under written instructions from EMIS Health Ltd. Under no circumstances are any of these organisations allowed or able to access your information.

By using a secure clinical system, your information can be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication.  To provide around the clock safe care, unless you have asked us not to, we will make information available to trusted organisations.  Wherever possible, their staff will ask your consent before your information is viewed.  We consider patient consent as being the key factor in dealing with your health information.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place.  We have a data protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.


Sharing of Electronic Patient Records within the NHS

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts/Foundation Trusts 
  • GPs 
  • NHS Commissioning Support Units 
  • independent contractors such as dentists, opticians, pharmacists 
  • community services such as district nurses, rehabilitation services, telehealth and out of hospital services
  • child health services that undertake routine treatment or health screening 
  • urgent care organisations, minor injury units or out of hours services
  • community hospitals
  • palliative care hospitals
  • private sector providers 
  • voluntary sector providers 
  • ambulance trusts 
  • clinical commissioning groups 
  • social care services 
  • NHS England (NHSE) and NHS Digital (NHSD) 
  • multi agency safeguarding hub (MASH)
  • local Authorities 
  • education Services 
  • fire and Rescue Services 
  • police & Judicial Services 
  • other ‘data processors’ which you will be informed of.

In addition, NHS England has implemented the Summary Care Record, which contains information including medication you are taking and any bad reactions to medication that you have had in the past. 

In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, taking into account all aspects of a person’s physical and mental health.  Many patients are understandably not able to provide a full account of their care or may not be in a position to do so.  The shared record means patients do not have to repeat their medical history at every care setting. 

Your record will be automatically set up to be shared with the organisations listed above; however, you have the right to ask us to disable this function or restrict access to specific elements of your record.  This will mean that the information recorded by us will not be visible at any other care setting.  You can also reinstate your consent at any time by giving your permission to override your previous dissent.


Shared Care Records

To support your care and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other systems.  The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your record.   

We may also use external companies to process personal information, such as for archiving purposes.  These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement.


Invoice Validation

If you have received treatment within the NHS, the local CSU may require access to your personal information to determine which CCG is responsible for payment for the treatment or procedures you have received.  Information such as your name, address, date of treatment and associated treatment code may be passed onto the CSU to enable them to process the bill.  These details are held in a secure environment and kept confidential.  This information is only used to validate invoices in accordance with the current Section 251 Agreement and will not be shared for any further commissioning purposes.


How long will we store your information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for Health and Social Care and National Archives requirements.

More information on records retention can be found online at NHS England.


Your rights explained

Your right to be informed

As a controller, we are obliged to provide understandable and transparent information about the way we process your data (this is provided within this Privacy Notice).

Your right of access: Data Subject Access Requests (SAR)

The Data Protection Act and General Data Protection Regulations give you the right to request access to view or obtain copies of what information the surgery holds about you.  This is known as the “right of subject access”.  If you would like to have access to all or part of your records, please put your request in writing to the Practice Manager. There is no charge for this information. However, from 1 November 2022, all patients over the age of 16 automatically have prospective (future) access to their medical records held electronically in GP systems via the NHS app and your practice specific access system. Information about this new NHS England Policy can be found at NHS Digital

Your right to rectification

You have the right to request the correction of inaccurate or incomplete information in your health record, subject to certain safeguards.  If you have concerns about your health data, please write to the Practice Manager detailing your concerns and this will be investigated for you.

Your right to erasure

In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to "erase" your personal data.  We will only disagree with you if certain limited conditions apply.  If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so by writing to the Practice Manager.

Your right to restrict processing

Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data but will not process it any further.  If you would like to restrict the processing of your data, please write to the Practice Manager.

Your right to object

If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object.  Generally, we will only disagree with you if certain limited conditions apply.  Please write to the Practice Manager if you wish to object.

Your right of data portability

If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes.

Your right to withdraw consent

Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.  Please write to the Practice Manager if you wish to withdraw your consent.

You also have the right to stop your health record entries being displayed in the NHS app and can request access to be turned off.  Further details regarding the new NHS England process can be found here.

To exercise your rights as detailed above, you need to write to the Practice Manager in the first instance:

Practice Manager
01580 891220
Contact us online

We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases).  When submitting your request, you will need to give adequate information (for example, your full name, address, date of birth, NHS number) and details of your request.  You will also need to provide proof of identity, such as a copy of your driving licence, passport, work ID badge or bus pass, and proof of residence such as a bank statement, pay slip, utility bill or letter from your local authority.  You should be aware that some details within your health records may be exempt from disclosure; however, this will be in the interests of your wellbeing or to protect the identity of a third party.


What should you do if your personal information changes? 

You should tell us so that we can update our records. Please contact the Practice Manager as soon as any of your details change; this is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.



In the event that you feel we have not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager at the details given above.  Alternatively, you may write to our Data Protection Officer at informationgovernance@malling.health or by writing to the address detailed below.

If you remain dissatisfied with our response you can contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.  Enquiry Line: 01625 545700 or submit online via this link.

If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything.  If you have any concerns about how your data is shared, then please contact the Data Protection Officer.

If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer as below.

Data Protection Officer

Our Data Protection Officer can be contacted on informationgovernance@malling.health or in writing to Data Protection Officer, Malling Health, 1st Floor, Rutherford House, Warrington Road, Birchwood, Warrington, WA3 6ZH.