1. Introduction
The Data Protection Regulations in the UK include two key pieces of law:
- The Data Protection Act 2018
- The UK GDPR
There are other regulations in specific areas which need to be taken into account. This Privacy Notice has been written within the legislative framework as at November 2024. It will be revised as the framework and case law change. This notice was last updated November 2024.
2. What is this Privacy Notice about?
This Privacy Notice is part of the information to data subjects about how personal data is used. Being transparent and providing accessible information to individuals about how organisations will use their personal information is a key element of Data Protection Regulations.
This Privacy Notice is part of our programme to make the data processing activities we are carrying out in order to meet our healthcare obligations transparent.
The Privacy Notice tells you about information we collect and hold about you, the legal basis for collecting and holding the information, what we do with it, how we keep it secure (confidential), who we might share it with and what your rights are in relation to your information.
3. Who we are
Elizabeth Avenue Group Practice, GP Practice with 4 Partners, running NHS services.
4. Types of information we use
We use the following types of information/data:
- Personal data and special category personal data such as:
- demographics – name, address, date of birth, postcode, NHS number
- racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, medical/health data, sexual life or sexual orientation data.
(Special category personal data is sometimes called sensitive personal data.)
- Pseudonymised – about individuals but with identifying details (such as name or NHS number) replaced with a unique code.
- Anonymised – about individuals but with identifying details removed.
- Aggregated – anonymised information grouped together so that it doesn't identify individuals.
5. What we use your personal data and special category personal data for
We use and share information about you in a number of ways. These include, if you are a patient:
Primary uses – information from your GP medical record which can be made available to other NHS and public sector organisations, including doctors, nurses and care professionals in order to help them make the best informed decision, and provide you with the best possible direct care delivery.
Secondary uses – extracting identifiable data from your GP medical record and (usually) sharing that data with other NHS organisations, for the purpose of indirect care. Examples include using your information for research, auditing, and healthcare planning (population health management).
If you’re a member of staff, we process your data for the purposes of your employment contract, professional monitoring requirements, your health and safety and other employment-related matters.
You have rights to object to the use of your personal data in some circumstances, particularly for secondary use. These are often called “opt-outs”. Details of the available objections are given in section 16 below.
6. Identity and Contact details of the Data Controller and Data Protection Officer
Practice Contact Details
Elizabeth Avenue Group Practice
2, Elizabeth Avenue
N1 3BS, London
Practice Manager: Mr Enrico Troielli
Practice ICO Reference Number: F83012
Data Protection Officer
You can contact the data protection officer by post at the practice address, addressed for the attention of the Data Protection Officer, or by email to
Name: Steve Durbin
Email: dpo.ncl@nhs.net
Please quote the practice name in any communication. The Data Protection Officer service is provided across NCL practices.
7. Organisations we share your personal information with
We share information about you with other GPs, NHS acute or mental health Trusts, local authorities, community health providers, pharmacists, commissioning organisations, medical research organisations and some specific non-NHS organisations for the purposes of direct care and secondary uses.
We are required under the law to provide you with the following information: how we process your personal data, the purpose of processing, recipient/categories of your personal data, the identity of our Data Protection Officer (DPO), how long we retain personal information about you, the legal basis and justification for the processing, and your right to access, view or request copies of your personal information, or object to the processing.
Included below is a table of the organisations we share information about you with, and the data processors we use to process your information, split into the following categories:
- a. Direct Medical Care and Administration
- b. Other primary care services delivered for the purposes of direct care
- c. Statutory Disclosures of Information
- d. Processing for the Purposes of Commissioning, Planning, Research and Risk Stratification
- e. Data Sharing Databases
- f. Data Processors
In most cases, the Data Controller and Data Protection Officer (DPO) are as listed in section 6 above. Where they are not, they are specified in the table.
a. Direct Medical Care and Administration
NHS Trusts – Hospitals, Community or Mental Health Trusts.
Other care providers with NHS contracts (e.g. services providing ultrasound scans, medical imaging; specialist providers such as those providing day surgery, other direct care tests / services)
Purpose of the processing
Personal data concerning your GP medical record may be shared with NHS Trusts in order to enable their healthcare professionals to make the best informed decision about your health needs, and provide you with the best possible care if you visit these providers for routine care and referrals.
Your information will also be shared with other care providers to provide best care, for example for medical imaging tests the practice cannot perform itself.
Note that NHS contracts are commonly delivered by private organisations; some of these providers will be partnerships, companies and other bodies, along with statutory NHS bodies such as NHS Trusts.
Your personal information may also be processed for local administrative purposes such as:
- Waiting list management;
- local clinical audit;
- Performance against local targets;
- activity monitoring;
- production of datasets to submit for commissioning purposes and national collections.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority.
- Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law.
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain.
Emergency Services (Ambulance trusts, police, A&E departments, out of hours services, 111)
Purpose of the processing
There are circumstances when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for example, during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate.
Medical professionals have a duty of care to share data in emergencies to protect their patients or other persons. In these circumstances, your GP medical record will be shared with emergency healthcare services, the police or fire service in order to enable you to receive the best treatment or service.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(d) – the processing is necessary in order to protect the vital interests of the data subject;
- Article 9(2)(c) – the processing is necessary to protect the vital interests of the data subject.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- Make pre-determined decisions about the type and extent of care you will receive in an emergency; these are known as “Advance Directives” and are held in Universal Care Plans (formerly called "Urgent Care Plans");
- access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have the right to object to some or all of your personal information being shared with the recipients. You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
GP Federations and Primary Care Networks
Purpose of the processing
GP Federations are groups of GPs (patient centred organisation), working collaboratively and developing closer integration with other partners across health, social and third sector partners to facilitate an enhanced delivery of health and care services.
Primary Care Networks (PCNs) are similar, but are led at the GP level and may involve a variety of other organisations also noted in this privacy notice.
North Central London Integrated Care Service are a wider grouping performing shared functions across health and care.
In each case the Practice remains the data controller for the information about you.
Through various hubs in the community the GP Federations and PCNs provide direct health and care services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across North Central London (which covers the boroughs of Barnet, Camden, Enfield, Haringey and Islington).
If you receive treatment/consultation on any of these services, personal data concerning your GP medical record may be shared with the GP Federation and Multidisciplinary Teams (MDT) in order to enable them to make the best informed decision about your health/care needs, and provide you with the best possible care.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority.
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Pharmacists
Purpose of the processing
Delivery of direct care e.g. vaccination, prescription fulfilment.
Medicines optimisation looks at the value which medicines deliver, making sure they are clinically-effective and cost-effective. It is about ensuring patients get the right choice of medicines, at the right time, and are engaged in the process by their clinical team.
Medicines optimisation enables community pharmacies to request medication electronically from the Practice and view relevant information from your GP record in order to provide you with the best medicines.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority.
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Local Authority – Social Services
Purpose of the processing
The practice works closely with Local Authorities to support and care for people of all ages to deliver the best possible social care.
Personal data concerning your GP medical record may be shared with Local Authorities and Multidisciplinary Teams (MDTs) delivering social care in order to enable them to make the best informed decision about your social care needs if required.
The source of the information shared in this way is your electronic GP record and your Local Authority social care records. Your GP is the data controller for your electronic GP record, your local authority is the data controller for your social care record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(d) - processing for vital interests of data subject;
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at s
Multidisciplinary Care Teams and clinics (MDTs)
Purpose of the processing
Personal data concerning your GP medical record may be shared with clinics delivering care or Multidisciplinary Teams (MDTs) in the area in order to provide you with the best possible care. For example, if you suffer from a long-term condition, specialist MDTs may deliver services alongside your GP. These MDTs commonly run clinics for conditions, so that you can receive the best possible care from practitioners specialising in the treatment area.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Care Homes
Purpose of the processing
Personal data concerning your GP medical record may be shared with Care Homes delivering your care in order to enable their care professionals to make the best informed decision about your care needs, and provide you with the best possible care if you are resident in a Care Home.
Note that many care homes are private sector organisations.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority.
- Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law.
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
The NHS Account and the NHS App
Purpose of the processing
The NHS Account and the NHS App are available to all patients over 13 years of age registered with a GP in England. Details are available online from https://www.nhs.uk/nhs-app/
The purpose of the processing is to allow you to access NHS services more easily, to be able to see information about your health and care. The app includes a wide range of services which vary with each provider.
You need to have verified your NHS account to access all the services on the NHS account and app; some services are available without full verification.
If you are an NHS App user, we use the NHS Account Messaging Service provided by NHS England to send you messages relating to your health and care.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
The data controller for data on the NHS app depends on the use and provider. Full details can be found at NHS App Privacy Policy.
Note that the practice is data controller only for its data on the NHS app, not for that of other organisations, nor for the account or the app itself.
b. Other primary care services delivered for the purposes of direct care
Integrated Urgent Care Service (IUC)
Purpose of the processing
Integrated Urgent Care Service (IUC) is an urgent care service delivered across North Central London (NCL) (Barnet, Camden, Enfield, Haringey and Islington) for the provision of a functionally integrated 24/7 urgent care access, clinical advice and treatment service for patients. IUC incorporates NHS 111 and Out of Hours (OOH) services, which is often referred to as an IUC Clinical Assessment Service.
The purpose of IUC is to ensure that patients receive the best possible healthcare service in their community.
If you visit the urgent care centre or call NHS 111 for health related needs, personal data in your GP record will be shared with healthcare professionals in order to enable them to make the best informed decision about your health needs.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Continuing Health Care (CHC)
Purpose of the processing
NHS Continuing Health Care (CHC) is free care outside of hospital that is arranged and funded by the NHS to support living with complex medical conditions and on-going healthcare needs which can be delivered in the patient’s home, at their care home or in non-acute hospitals.
CHC is free, unlike support from social services for which a fee may be charged, depending on your income and savings. CHC is different from NHS Funded Nursing Care, which some people with less complex needs living in care homes receive.
If you require CHC, personal data concerning your GP medical record will be shared with the care home or non-acute hospital looking after you.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Online Consultation Provider – eConsult
Purpose of the processing
eConsult provides a service where patients can complete a set of online forms which will then refer them to their GP or other services to ensure the correct treatment can be accessed as quickly as practicable.
eConsult forwards information to the practice where you give consent to do so; they are a data controller for your data until it is forwarded to the practice, at which point the practice is data controller for the information provided.
eConsult is a nationally available contract to GPs.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(a) – consent of the data subject
- Article 9(2)(a) – informed consent
Related Legislation:
Your Rights
- To withdraw your consent to this processing – this has the same effect as right to object;
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data – as this is consent based we will immediately arrange for your data to be removed from all those organisations it has been shared with.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Voluntary sector, Resilience networks and Social Prescribing
Purpose of the processing
GP services can only be a part of care, and commonly voluntary/3rd sector organisations can help with conditions by providing support and other services. Where these may be helpful, we will, with your informed consent, share information with these organisations to help you.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(a) – consent of the data subject;
- Article 9(2)(a) – explicit consent
Your Rights
- To withdraw your consent to this processing – this has the same effect as right to object;
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data – as this is consent based we will immediately arrange for your data to be removed from all those organisations it has been shared with.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
c. Statutory Disclosures of Information
Safeguarding Concerns – to protect an individual, or to prevent a serious crime
Purpose of the processing
Some members of the public are recognised as needing safeguarding protection, for example children and vulnerable adults. If an individual is identified as being at risk from harm, we have a duty to do what we can to protect that individual, and we are bound by ‘Safeguarding’ laws to do so.
Where there is a suspected or actual safeguarding issue we will share information that we hold about you with other relevant agencies such as local Ambulance trusts, the police, A&E departments, out of hours services, 111 or Social Services.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(d) – the processing is necessary in order to protect the vital interests of the data subject;
- Article 9(2)(c) – the processing is necessary to protect the vital interests of the data subject;
- Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law.
Related Legislation:
- Data Protection Act 2018 Section 10 (particularly Schedule 2 Part 1 Section 18)
- Section 47 of The Children Act 1989
- Section 45 of the Care Act 2014
Your Rights
This sharing is a legal and professional requirement and therefore there is no right to object.
The Children Act 1989 requires local authorities to investigate where a child is the subject of an emergency protection order, is in police protection or where there is a reasonable cause to suspect that a child is suffering or is likely to suffer harm. The Act requires the local authority to safeguard and promote the welfare of children who are in need, within their geographical area and to request help from specified authorities including General Practices, NHS Trusts, Integrated Care Systems / Boards (ICSes / ICBs – formerly CCGs) and NHS England.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
The Care Quality Commission (CQC)
Purpose of the processing
The Care Quality Commission (CQC) is a regulatory body established under the Health and Social Care Act. The CQC regulates health and social care services in England to ensure that safe health and care are provided. The law allows CQC to access identifiable patient data/medical records in our clinical system for the purposes of their assessment and investigation of significant safety incidents.
The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- The Health and Social Care Act 2008, s64
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Law Enforcement and Regulatory Bodies
Purpose of the processing
In some circumstances the Practice may be legally required to share personal information with law enforcement and regulatory bodies (without the consent of the data subject) such as: the Police; Courts of Justice; HMRC and DVLA for the purposes of prevention or detection of crime; apprehension or prosecution of offenders; the assessment or collection of any tax or duty or, of any imposition of a similar nature.
GPs are obliged to notify the DVLA when fitness to drive requires notification but an individual cannot or will not notify the DVLA themselves, and if there is concern for road safety, which would be for both the individual and the wider public.
The Practice will review each request based on its merits before deciding whether to release information to the ‘relevant authorities’.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
Related Legislation:
There are a variety of acts which place responsibilities on health providers to provide information for law enforcement and regulatory bodies.
Your Rights
This sharing is a legal and professional requirement and therefore there is no right to object.
Personal data processed for these purposes are exempt from the first data protection principle (processed lawfully, fairly and in a transparent manner).
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Medical Examiner Service
Purpose of the processing
When a person dies, all deaths are now reviewed by the medical examiner service. We are required to share information about the deceased’s medical record with the examiner. This record may contain information regarding the living – for example, family members, persons who treated the deceased.
Data is reviewed only by persons under a professional duty of confidence as part of the medical examiner service.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – for the performance of a task carried out in the public interest or in the exercise of official authority;
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- The National Health Service Trust (Scrutiny of Deaths) (England) Order 2021
Your Rights
This sharing is a legal and professional requirement and therefore there is no right to object.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Medico-Legal
Purpose of the processing
Medico-Legal – Where a medical professional is holding personal data for the purpose of providing medical reports in connection with legal action.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- The National Health Service Trust (Scrutiny of Deaths) (England) Order 2021
Your Rights
This sharing is a legal and professional requirement and therefore there is no right to object.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
General Medical Council (GMC)
Purpose of the processing
The General Medical Council (GMC) is a public body that maintains the official register of medical practitioners within the United Kingdom. Its primary responsibility is ‘to protect, promote and maintain the health and safety of the public’ by controlling entry to the register, and suspending or removing members when necessary.
Under the Medical Act 1983, the GMC has the power to request access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practise.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- The Medical Act 1983
- Data Protection Act 2018 Section 10
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
The Health Service Ombudsman (HSO)
Purpose of the processing
The Health Service Ombudsman (HSO) was set up by Parliament to provide an independent complaint handling service for complaints that have not been resolved by the NHS in England and UK government departments.
The HSO has the power to request access to a patient’s medical records for the purpose of an investigation.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- The Health Services Commissioners Act 1993, s12
- Data Protection Act 2018 Section 10
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
NHS Counter Fraud
Purpose of the processing
Under the NHS Act 2006, investigations into fraud in the NHS may require access to confidential patient information.
This means that we are compelled by the law to share your data.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 10 NHS Act 2006
Your Rights
This sharing is for a legal obligation and hence the rights to access, object or restrict processing are limited.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
NHS England Transformation
Purpose of the processing
The Transformation Directorate of NHS England (formerly NHS Digital and the Health and Social Care Information Centre) is a national information and technology partner to the health and social care system. They use digital technology to transform the NHS and social care.
NHS England Transformation Directorate carries out National Data collections/extractions from the GP record. These include:
- General Practice Extraction Service (GPES) – This is an extraction of much of your GP data for use by the NHS centrally for planning and research. It is a statutory requirement upon your GP under sections 259(1)(a) and 259(5) of the Health and Social Care Act 2012.
- National Diabetes Audit (NDA) – Audits care for patients with diabetes. Mandatory under section 254 of the Health and Social Care Act 2012.
- National Obesity Audit (NOA) – Audits weight management and related care. Also mandatory under section 254 of the Health and Social Care Act 2012.
- Individual GP Level Data (IGPLD) – Provides GPs with information on care provision. Includes NHS number and other demographic data. Mandatory under section 254.
- FGM Enhanced Dataset – Tracks support and outcomes for women and girls at risk of or affected by FGM. Mandatory under section 254.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Sections 254 and 259 of the Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.
However, NHS England respects Type 1 objections (9Nu0) recorded in the GP record. If present, no data will be extracted or uploaded.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6) or with the Information Commissioner (section 8).
NHS England
Purpose of the processing
NHS England is responsible for securing, planning, designing and paying for Primary Care & Specialised NHS services not otherwise funded by North Central London Integrated Care Board. This includes planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services.
We may often share personal information with NHS England potentially for safeguarding concerns that need escalating beyond our borough.
Where required, the Practice may also have to share staff personal information with NHS England for the purposes of the allegations framework or performers list.
The sources of the information that may be shared in this instance are the staff record and the patient’s electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Local Authority Public Health
Purpose of the processing
Public Health England was replaced with two bodies during 2023:
- UK Health Security Agency (UKHSA)
- Office for Health Improvement and Disparities
All local authorities have public health departments with whom we are required to share certain information via various laws and regulations. Your information will be shared for this purpose with the local authority for your area of residence where required by the law.
UKHSA is responsible for protecting every member of every community from the impact of infectious diseases, chemical, biological, radiological and nuclear incidents and other health threats.
The Office for Health Improvement and Disparities is focused on improving the nation’s health so that everyone can expect to live more of life in good health, and on levelling up health disparities to break the link between background and prospects for a healthy life.
We are required by law to share information with these two bodies, although most information is shared with them via the link to the local authority.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(b) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Related Legislation:
- The Health Protection (Notification) Regulations 2010 (SI 2010/659)
- The Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657)
- Data Protection Act 2018 Section 10
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
d. Processing for the Purposes of Commissioning, Planning, Research and Risk Stratification
Integrated Care Systems / Boards (ICSes / ICBs)
Purpose of the processing
Integrated Care Boards (ICBs) are responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as ‘Commissioning’.
We are part of the North Central London (NCL) Integrated Care System (ICS) responsible for delivery of services.
In order to enable North Central London ICB to carry out its statutory responsibilities effectively, we may share personal data about you with the ICB for the following purposes:
- Individual Funding Requests
- Continuing Health Care
- Appeals, queries or compliments
- Safeguarding concerns
- Commissioning purposes such as payment for target achievement known as Quality and Outcomes Framework (QOF)
- Participation in agreed national or local enhanced services
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6) or the Information Commissioner (section 8).
“Risk Stratification” (Population Health Management and Case Finding)
Purpose of the processing
The Practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses (e.g. diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records and national data sets.
The results of these searches and assessments may then be shared with other healthcare workers, such as specialists, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.
Risk stratification can be grouped into two purposes:
- Direct Care – ‘Case Finding’: where carried out by a health professional (e.g. GPs and Provider) involved in an individual’s care or by a data processor acting under contract with such a provider, it is treated as direct care. This includes reviewing and checking on service outcomes by the health professionals involved in care. This is performed in HealtheIntent and has an objection (opt-out) you can exercise along with the London Care Record.
- Secondary Use: to understand the local population needs and plan for future requirements. Your identifiable personal data is used to create the data sets for this purpose, but no identifiable data is available to the persons performing indirect care tasks. This use is authorised by the Secretary of State via the Confidentiality Advisory Group (CAG).
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Section 251 NHS Act 2006
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object or opt-out: You have the right to raise an objection to your personal data being shared in HealtheIntent or used for risk stratification. You also have the right to opt out of HealtheIntent by completing an opt-out form with your Practice or online, although we will first need to explain how this may affect the care you receive. Opting out of HealtheIntent includes opting out of the London Care Record.
You can also opt out of the Local Secondary Use via the form available online at NCL Health and Care: Opting Out of the Joined-Up Health and Care Record.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Prescribing Improvement and alerting
Purpose of the processing
The Practice, when prescribing, passes pseudonymised data to prescribing improvement and alerting services to ensure that healthcare workers provide the most appropriate treatments and therapies. This allows the NHS to reduce cost and improve patient safety.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251 NHS Act 2006
Recipients:
- First Databank UK
- Optum
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Nutrition improvement
Purpose of the processing
If your child has a cow’s milk allergy, or you are an adult patient with certain nutrition difficulties, Oviva UK will be used as a subprocessor to provide assistance for the condition.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251 NHS Act 2006
Recipients:
- Oviva UK Ltd (Paediatric Cow’s milk allergy)
- Oviva UK Ltd (Adult Oral Nutrition Support)
- Oviva UK Ltd (Diabetes Remission Services, commonly referred to as Type 2 Diabetes to Remission [T2DR] or Low Calorie Diet [LCD])
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Research partners using pseudonymised patient data
Purpose of the processing
The practice supplies pseudonymised data to organisations such as Clinical Practice Research Datalink (CPRD), for the purposes of performing research without using directly identifiable data. Data is matched before being provided with data from other sources (e.g. acute settings) and stored for research analysis.
Researchers then approach the organisation for data extracts for research; for example, research using CPRD data and services has resulted in over 3,000 peer-reviewed publications investigating drug safety, health care delivery and disease risk factors.
Researchers have to obtain a Research Ethics Committee (REC) approval, and, where necessary, a Confidentiality Advisory Group (CAG) approval before being given access to data.
This data cannot be used to directly identify you without special measures; these are only authorised where there would be a risk to patient safety. As you cannot be directly identified, it is not possible to make rights requests on this data; it is excluded from the requirements of Articles 15–22.
This vital research informs clinical guidance and everyday best practice such as demonstrating the safety of the MMR vaccine and the protective effects of the pertussis vaccine in pregnancy on infant health.
Data Retention Period
The pseudonymised data is retained indefinitely for longitudinal studies.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(j) – for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic law.
Your Rights
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient. This is managed via the National Data Opt-out. See the NHS Your Data Matters page.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Research Partners using patient identifiable data
Purpose of the processing
The practice participates in projects and will only agree to do so if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of UK GDPR.
Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally, research can be authorised under law without the need to obtain consent. This is known as the Section 251 arrangement; however, this generally falls into the pseudonymised data permissions noted above.
We may also use your medical records to carry out research within the practice.
The individual organisations involved will notify you via the consent process of their processing.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(j) – for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic law.
Related Legislation:
- Section 251 NHS Act 2006
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Employment Processing
Purpose of the processing
The Practice ensures the protection of the rights and freedoms of its employees in respect of the processing of their personal data, in particular for the purposes of recruitment, performance of the obligations of the contract of employment, management and planning of rights and benefits, equality and diversity in the workplace, and health and safety at work.
The Practice ensures that personal data it collects from employees are used only for employment related purposes or where there is a statutory obligation to share the personal information with regulatory bodies (e.g. courts, police or NHS England).
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject.
Your Rights
- To access, view or request copies of your personal information held by the Practice;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: Employees have a general right to raise an objection to the sharing of personal data.
If an employee wishes to exercise their rights they can contact the Practice (data controller) or the DPO and their request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
e. Data Sharing Databases
London Care Record
Purpose of the processing
The London Care Record (LCR) is an Electronic Health Record (EHR) linking system that brings together patient data across the health and care system in a secure manner, embedding a single aggregated longitudinal view of the patient natively in each EHR system irrespective of traditional organisational or technological boundaries.
The LCR includes information about patients/clients recorded by acute hospitals, mental health, community health, social care and GP Practices.
Healthcare professionals across London and the region are able to access subsets of their patients/service users’ medical or social records from a single system in order to provide the best possible care.
The source of the information shared in this way is your electronic GP record for the purposes of direct patient care and indirect care. The full local privacy notice for this system can be found at: The London Care Record – NCL Health and Care
Data Retention Period
All records held by the Practice and in the LCR system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object or opt-out: You have the right to raise an objection to your personal data being shared in the LCR. You also have the right to opt out of the LCR by completing an opt-out form with your Practice, although we will first need to explain how this may affect the care you receive. Opting out of the LCR includes opting out of HealtheIntent.
You can opt out of the London Care Record via the form available online at: Opting out of the London Care Record.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. Contact the Practice’s Data Protection Officer (see section 6), or the Information Commissioner’s Office (ICO) if not satisfied (see section 8).
Oracle Health – HealtheIntent / HealtheAnalytics / HealthEDW
Purpose of the processing
HealtheIntent is a platform that allows the practice and other healthcare providers to improve healthcare outcomes, patient experience, reduce adverse events and shift towards more preventative care. It covers both sharing and risk stratification.
HealtheIntent uses the shared care record (see above, London Care Record) plus additional data from care providers to give a better picture of your health.
The HealtheIntent platform contains three main tools – HealtheRecord, HealtheRegistries and HealtheAnalytics – and a data warehouse (HealthEDW).
- HealthEDW is the data warehouse which securely holds all of the normalised, longitudinal data. “Normalised” means that all the same measurements are used so there is no confusion; “longitudinal” means that data is available over time.
- HealtheRegistries provides a dashboard view for specific population cohorts (usually a long-term condition, e.g. diabetes). It provides an overview of indicators/measures and allows users to track patient results (e.g. HbA1c) and compare to the population (e.g. GP practice). This helps identify gaps or duplication in care at both the individual and population level.
- HealtheAnalytics is a dashboard tool (Tableau) used to identify trends and unwarranted variation in population cohorts. It also allows clinicians and care professionals to ‘drill down’ to specific patients who require action.
The full privacy notice for HealtheIntent is available at The London Care Record – NCL Health and Care.
Data Retention Period
All records held by the Practice and in the systems are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object or opt-out: You have the right to raise an objection to your personal data being shared in HealtheIntent. You also have the right to opt out of HealtheIntent by completing an opt-out form with your Practice, although we will first need to explain how this may affect the care you receive. Opting out of HealtheIntent includes opting out of the London Care Record.
You can opt out via the form at: NCL Health and Care Opt-out Form.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (see section 6), or the Information Commissioner’s Office (see section 8).
EMIS Systems Local Record Sharing – Integrated Care
Purpose of the processing
EMIS Local Record Sharing enables your GP medical record held on our secure EMIS Web clinical system to be shared with other healthcare providers (e.g. acute hospitals, mental and community health and other GPs) who are commissioned to provide healthcare services within your borough.
This local sharing is used to provide direct patient care for services such as continued extended access, home visits, universal offers, musculoskeletal services, GP at front door and other neighbourhood services across North Central London.
The information is accessed in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice and the EMIS Local Record Sharing system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipients.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
National NHS Services “Spine”
Purpose of the processing
Spine supports the IT infrastructure for health and social care in England, joining together over 23,000 healthcare IT systems in 20,500 organisations.
It hosts 5 key services to support the delivery of your care. They enable healthcare professionals, authorised with an NHS smartcard, to view relevant information about you as follows:
- Patient Demographics Service (PDS) – a national electronic database of NHS patient details (name, address, date of birth, NHS Number). It helps professionals identify patients, match them to records, and contact them.
- Summary Care Record (SCR) – an electronic record of important information created from GP records, visible to authorised staff involved in your direct care. Includes medication, allergies, and other essential details.
- e-Referral Service (e-RS) – combines electronic booking with patient choice for hospital or clinic appointments.
- Electronic Prescription Service (EPS) – sends prescriptions electronically to pharmacies, aiming to reduce the use of paper prescriptions.
- GP2GP – allows secure transfer of electronic health records between GP practices when patients move.
When your GP record is uploaded to the Spine, NHS England becomes the data controller for that uploaded information.
The source of the information shared in all these instances is your electronic GP record.
Data Retention Period
All records held by the Practice and on Spine systems are kept for the duration specified in the Records Management Code of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object or opt-out: You may object to having a Summary Care Record (SCR) by returning a completed opt-out form to your GP practice. However, please note that you cannot opt-out of other Spine services as these are essential for managing the NHS.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may appeal or complain to the Data Protection Officer (see section 6), or to the Information Commissioner (see section 8).
NHS Cervical Screening Management System, Bowel Cancer Screening System, Breast Screening Select, Abdominal Aortic Aneurysm Screening
Purpose of the processing
CSMS is a web-enabled viewer which provides the facility for healthcare professionals to share/access patient data in the National Cervical Screening Programme.
The same applies to bowel cancer screening (BCSS), breast screening select (BSS), and abdominal aortic aneurysm screening (AAA). Collectively, they are sometimes known as the National Health Applications and Infrastructure Service (NHAIS). These screening services are all part of the National Screening Services.
Access to screening services is controlled by smartcards. Prior to July 2024, the system used for access was “Open Exeter”.
Data Retention Period
Data is viewed on screen. If printed, it is destroyed when no longer required (usually within 24 hours).
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared in these systems.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. Contact the Practice’s Data Protection Officer (section 6) or the Information Commissioner (section 8) if not satisfied.
The source of the information shared in this way is your electronic GP record.
f. Data Processors
AccuRx
Purpose of the processing
AccuRx supply a number of systems to practices including text (SMS) messaging and remote consultations. Your personal data is passed to them solely for these purposes and not used further.
Processing is carried out by AccuRx under instruction held as a processing agreement with your GP.
Data Retention Period
Data is not retained in this system once processed, but transferred to the clinical record system.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may raise the issue with the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (section 8).
Amazon Web Services (AWS)
Purpose of the processing
Amazon Web Services are used as a sub-processor by some NHS organisations and suppliers, including EMIS and NHS England (in particular the Transformation Directorate, formerly known as NHS Digital).
Processing is carried out by AWS as a sub-processor to controllers such as EMIS Health (part of Optum). These organisations are responsible under their contracts for the management of the sub-processor.
Your GP does not have a direct relationship with AWS.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where compelling legitimate grounds for processing cannot be demonstrated for continued care and legal compliance.
If you wish to exercise any of your rights, contact the Practice (data controller) or the DPO for review.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may raise a complaint with the Practice’s Data Protection Officer (section 6), or with the Information Commissioner’s Office (ICO) (section 8).
Clinical Coding, Medical Summarisation, processing of new patient forms and other administrative services
Purpose of the processing
The practice uses the listed processor(s) as a service for purposes including processing online registrations, coding letters received from others, filing, medical summarisation and letter creation.
The source of this data varies – for example, you may input data into a registration system online, or we may receive information from another health and care provider.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may appeal or complain to the Practice’s Data Protection Officer (see section 6), or to the Information Commissioner’s Office (see section 8).
Clinical Coding, Medical Summarisation, Referral Letter and Patient Letter creation based on AI analysis of conversation between patient and practitioner
Purpose of the processing
The practice uses the listed processor(s) as a service for analysing consultations between you and practitioners, as well as verbal notes and statements made by the practitioner.
The source of this data is recordings of the conversations/statements made.
Your practitioner will review the notes created and amend them as needed before adding to your record, providing the needed human intervention.
Data Retention Period
The recordings are not held once processed. The entries in the patient record are held in the Practice EMIS system and kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, whose contact details are given at section 6, or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Patient contacts for call / recall for routine tests, particularly where area uptake is low
Purpose of the processing
The practice uses the listed processor(s) as a service for contacting patients to arrange call / recall for routine tests. Some providers also provide translation assistance to patients and help them to attend or participate.
For patients, the source of this data is your electronic patient record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may appeal or complain. You may raise the issue with the Practice’s Data Protection Officer (section 6), or with the Information Commissioner’s Office (ICO) (section 8).
Microsoft Azure and Office 365 (including Teams, SharePoint, OneDrive)
Purpose of the processing
The practice uses Microsoft Office 365 supplied by NHS England for internal information management. As such, it contains a mix of staff and patient personal data.
The practice uses Microsoft Office 365 in line with guidance from NHSE.
Microsoft is also used as a processor by some NHS organisations and suppliers, including Optum, GP federations, most acute providers and others. Where Microsoft (particularly Azure) is a sub-processor (e.g. to Optum), your GP does not have a direct relationship and the contracting organisation is responsible under their contract for the management of the sub-processor.
For patients, the source of this data is your electronic patient record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing for the purposes of direct provision of care and legal obligations.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may raise the issue with the Practice’s Data Protection Officer (see section 6), or with the Information Commissioner’s Office (ICO) (see section 8).
CCTV and security monitoring
Purpose of the processing
We use closed circuit television and security monitoring systems for the purposes of ensuring security of our patients, staff and premises.
Data Retention Period
All records held are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care. For CCTV images, this is normally 30 days.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with UK GDPR Article 21, you have a general right to object to the processing of your personal data in some circumstances. This only applies where we cannot demonstrate compelling legitimate grounds for continued processing for purposes of care or compliance with legal obligations.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with how the Practice processes your data, you may complain to the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (ICO) (section 8).
Huma Therapeutics Limited (Huma)
Purpose of the processing
Huma provide an app and devices for blood pressure monitoring for use in hypertension care. This is used to improve control of hypertension and hence outcomes. Patients can sign up voluntarily.
Huma additionally use anonymous, aggregated data from the app to improve their products and for research. Your identifiable patient data is not used for this purpose.
Data Retention Period
All records held are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, whose contact details are given at section 6, or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
North Central London Integrated Care Board
Purpose of the processing
NHS North Central London ICB is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services, Information Communication Technology (ICT), providing risk stratification and secondary use services.
The ICB acts as the Data Processor for EMIS Systems Local Record Sharing and processes personal data from your GP record in accordance with instructions from the Practice.
Some services provided by the ICB are shared across London and provided to the ICB by other areas. These are detailed in this document.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6), or if not satisfied, with the Information Commissioner (ICO) (section 8).
South West London Integrated Care Board
Purpose of the processing
The GP Practice Data Extraction Services is shared across London, with South West London performing the service. This enables SWL, on behalf of the NCL area, to extract personal data from GP Practices covering all currently registered patients and those ever registered since April 2009, except where patients have explicitly dissented from their information being extracted.
The extracted data supports services back to the practice including:
- Risk stratification
- Linking data to other datasets
- Financial reporting
- Business intelligence
- Statistical analysis
- Information to support delivery of patient care
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared, which will restrict your patient record from being shared with anyone outside your GP.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6), or if not satisfied, with the Information Commissioner (ICO) (section 8).
Docman
Purpose of the processing
Docman (OneAdvanced Limited) acts as a data processor and provides cloud-based storage software for electronic patient documents. This includes letters that we receive, scan and upload to the patient record, as well as letters that we receive in an electronic format.
Generally, Docman enables primary health care organisations to capture, file, workflow, view and manage primary care documents efficiently.
Docman also includes workflow modules which use AI to enhance the coding and management of documents. This, where used, summarises your patient documents, identifies their urgency and describes potential high-level actions. A human review of all outputs is required before data is finalised in your medical record.
Data Retention Period
All records held in the Practice EMIS system and the Docman vault are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, whose contact details are given at section 6, or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Docmail
Purpose of the processing
Docmail from CFH Docmail Ltd. enables primary health care organisations to send letters, invoices and documents directly from computers and other portable devices.
The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.
Data Retention Period
All records held in the Practice EMIS system and the Docman vault are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, whose contact details are given at section 6, or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
iPlato
Purpose of the processing
iPlato is a cloud-based text messaging service used by GPs to communicate with their patients.
The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.
Data Retention Period
All personal health records held in the Practice EMIS system and the iPlato system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, whose contact details are given at section 6, or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
InHealth Intelligence
Purpose of the processing
InHealth (formerly QMS-UK) are commissioned by NHS England to provide secure data processing solutions for two services:
- Child Health Information Service – information relating to children’s vaccinations is shared with North East London Foundation Trust who run one of 4 Child Health Information Services across London.
- Additionally, they are an approved NHS provider for services such as diabetic retinopathy screening, ultrasound scans and other tests. For these purposes, they act as a separate data controller.
Data Retention Period
All records held in the Practice EMIS system and the QMS database are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared in QMS.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with how the Practice processes your data, you have the right to appeal/complain. Raise the issue with the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (section 8).
Better Ltd Universal Care Plan (formerly “Urgent Care Plan”)
Purpose of the processing
Universal Care Plans – The NHS aims to provide personalised care based on what matters to you. Care planning enables your wishes and individual care and support needs to be communicated digitally with your healthcare professionals across London.
- A care plan can be created following a conversation between you and your healthcare professional (such as a doctor or nurse).
- Your healthcare professional will listen to you, understand your needs and make notes about:
- What is important to you in your day-to-day life
- Your preferences or wishes about your care, such as where you prefer to be cared for
- What support you need and who is best placed to provide this
- Information about others who may be involved in your care, such as relatives
- Based on your conversation, your healthcare professional can document this information using a digital system. Your care plan can be continuously updated throughout your life, depending on your needs and wishes.
For more details, visit: Universal Care Plan - One London
Your healthcare professional will document a clinical recommendation, should you need emergency care.
Information on your care plan is visible to all health and care services who are involved in your care. This may include the London Ambulance Service, 111 and Out of Hours GP services who may see you in an emergency.
Data Retention Period
Since the Universal Care Plan is created voluntarily by patients, patients can withdraw it at any time, in which case it will be deleted.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6), or with the Information Commissioner’s Office (section 8).
Medicines Management and Prescribing Optimisation
Purpose of the processing
Medicines optimisation looks at the value which medicines deliver, making sure they are clinically-effective and cost-effective. It is about ensuring patients get the right choice of medicines, at the right time, and are engaged in the process by their clinical team.
Medicines optimisation enables community pharmacies to request medication electronically from the Practice and view relevant information from your GP record in order to provide you with the best medicines.
ScriptSwitch prompts prescribers with potentially better choices for medication when they are prescribing, based on NICE guidance and guidance from the NCL Medicines Management Team. No identifiable personal data is shared or processed outside of the prescriber’s computer – the app processes your data locally as an add-on to the EMIS system. Your prescriber is free to accept or reject its suggestions based on their professional judgment. The app records anonymised data on the prescribing which is then provided as an aggregate (totals only) to the NCL Medicines Management Team for review.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where compelling legitimate grounds for continued processing cannot be demonstrated.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with how the Practice processes your data, you may appeal or complain. Raise the issue with the Practice’s Data Protection Officer (see section 6), or the Information Commissioner’s Office (ICO) (see section 8).
GP Connect
Purpose of the processing
GP Connect allows authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently. It is run and managed by NHS England.
It provides full record sharing to other partners in health and care and is used for many of the linkages noted elsewhere in this notice.
For more details, please visit: GP Connect – NHS Digital
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with how the Practice processes your data, you may appeal or complain. Contact the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (section 8).
Emis Recruit, AccuRx
Purpose of the processing
To enable healthcare professionals working for the Practice to provide information, derived from GP records, about individuals to accredited research organisations.
This covers research situations where the data controller (the Practice) is approached by research organisations, directly, to recruit patients for studies.
Any research proposal will only be agreed with a clearly defined protocol, consent mechanisms, and relevant research ethics committee approval, and in line with the principles of Article 89(1) of the UK GDPR.
Research organisations do not approach patients directly; rather, the Practice will invite appropriate patients directly, asking whether they wish to take part.
Systems noted here provide us with potential patients who may fit study criteria, so we can invite them to participate. If you have chosen to exercise your right to opt out of research via the National Data Opt-Out, you will be excluded from these cohorts.
This Privacy Notice does not cover situations where the Practice has been approached by an organisation seeking special category personal data to be disclosed in the absence of consent, i.e. via Related Legislation: Section 251 NHS Act 2006 / Health Research Authority (HRA) approval.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(j) – for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic law.
Related Legislation:
- Section 251 NHS Act 2006
- Health Research Authority (HRA) approval
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with the way the Practice processes your data, you may appeal or complain to the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (section 8).
Shred-IT
Purpose of the processing
Shred-IT provides solutions for records management, data backup and recovery, document management, secure storage, and accredited data destruction.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal or complain. Raise the issue with the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (ICO) (section 8).
NHS North Central London Integrated Care Board (NCL ICB)
Purpose of the processing
NHS North Central London ICB is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services, ICT, and providing risk stratification and secondary use services.
The ICB acts as the Data Processor for EMIS Systems Local Record Sharing and processes personal data from your GP record in accordance with instructions from the Practice. Some services provided by the ICB are shared across London and provided to the ICB by other areas.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient’s death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services
Your Rights
- To access, view or request copies of your personal information
- Request rectification of any inaccuracy in your personal information
- Restrict the processing of your personal information where:
- accuracy of the data is contested
- the processing is unlawful
- we no longer need the data for the purposes of the processing
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal or complain. Raise the issue with the Practice’s Data Protection Officer (section 6), or the Information Commissioner (section 8) if not satisfied.
First Practice
Purpose of the processing
The HR supplier, First Practice, provides practices with a software solution to record Human Resources related information containing employees’ personal data, in particular for the purposes of recruitment, performance of the obligations of the contract of employment, management and planning of rights and benefits, equality and diversity in the workplace, and health and safety at work.
The Payroll supplier, PayeDoc, provides practices with a software solution to enable the management and payment for employment of staff, contractors and others, including management of tax payments, pension payments, expenses and deductions. All processing is carried out in accordance with UK law relating to employment and taxation.
The Practice ensures that personal data it collects from employees are used only for employment related purposes or where there is a statutory obligation to share the personal information with regulatory bodies (e.g. courts, police or NHS England).
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject
Your Rights
- To access, view or request copies of your personal information held by the Practice;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing
Right to object: Employees have a general right to raise an objection to the sharing of personal data.
If an employee wishes to exercise their rights they can contact the Practice (data controller) or the DPO and their request will be carefully considered.
Right to complain: If dissatisfied with the way the Practice processes your data, you may appeal/complain to the Practice’s Data Protection Officer (section 6), or to the Information Commissioner’s Office (section 8).
Surgery Connect
Purpose of the processing
Surgery Connect provides practices with a software solution to enable the delivery and recording of telephone calls/video calls for the purposes of care delivery.
The Practice ensures that personal data it collects in this way is only used for the purposes of delivery of service, fact checking and quality assurance.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services
Your Rights
- To access, view or request copies of your personal information held by the Practice
- Request rectification of any inaccuracy in your personal information
- Restrict the processing of your personal information where:
- accuracy of the data is contested
- the processing is unlawful
- we no longer need the data for the purposes of the processing
Right to object: Users have a general right to object to the sharing of personal data.
If you wish to exercise any of your rights, contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with the way the Practice processes your data, you may appeal/complain to the Practice’s Data Protection Officer (see section 6), or the Information Commissioner’s Office (see section 8).
Surgery Connect
Purpose of the processing
The Surgery Connect system provides practices with a software solution to enable the delivery and recording of telephone/video calls for the purposes of care delivery.
The Practice ensures that personal data it collects in this way is only used for the purposes of delivery of service, fact checking and quality assurance.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(b) – processing necessary for carrying out obligations and exercising specific rights of the data subject
- Article 9(2)(h) – necessary for medical/social care or system management
Your Rights
- Access or request copies of your personal information
- Rectification of inaccurate personal information
- Restrict processing where:
- accuracy is contested
- processing is unlawful
- data is no longer needed
Right to object: You may object to sharing of personal data. Requests should be directed to the Practice (data controller) or the DPO.
Right to complain: Contact the Practice’s Data Protection Officer (section 6) or the Information Commissioner (section 8) if not satisfied.
Tree View Design
Purpose of the processing
Tree View Design provides practices with a software solution to provide a website, including online patient interactions to improve the process of care delivery.
The Practice ensures that personal data it collects in this way is only used for the purposes of delivery of service, fact checking and quality assurance.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(h) – necessary for medical or social care treatment or systems
Your Rights
- Access or request copies of your personal information
- Rectification of inaccurate personal information
- Restrict processing where:
- accuracy is contested
- processing is unlawful
- data is no longer needed
Right to object: You may object to the sharing of personal data or website tracking. Contact the Practice (data controller) or DPO to exercise your rights.
Right to complain: If dissatisfied with how your data is handled, contact the Data Protection Officer (section 6) or the Information Commissioner (section 8).
IGPR
Purpose of the processing
We use the iGPR system provided by Niche Health or the Medi2Data system provided by Medidata Exchange for the purposes of providing you with medical reports and subject access request responses that are correctly managed in respect of the rights of others.
These providers work as a processor on our behalf. They do not retain or use your medical records for any purpose other than fulfilling your requests.
Data Retention Period
All records held by the Practice and the IGPR Sharing system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services
Your Rights
- To access, view or request copies of your personal information
- Request rectification of any inaccuracy in your personal information
- Restrict the processing of your personal information where:
- accuracy of the data is contested
- the processing is unlawful
- we no longer need the data for the purposes of the processing
Right to object or opt-out: You have the right to raise an objection or opt out of having an SCR by returning a completed opt-out form to your GP practice. We will explain how this may affect the care you receive.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may appeal/complain. Contact the Practice’s Data Protection Officer (section 6) or the Information Commissioner’s Office (section 8).
8. The Information Commissioner
The office of the Information Commissioner (ICO) is the regulator for personal data use in the UK. You can contact them with complaints or concerns regarding our use of your personal data, but please note you should always attempt to resolve issues with us first.
Contact details:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
Contact them online
9. What is EMIS Systems Local Record Sharing?
Your GP medical record is held on our secure clinical system called EMIS Web. This clinical system allows for local record sharing with other healthcare providers who are commissioned in your area to provide care (e.g. acute hospitals, mental and community health). Through this record sharing, clinicians are able to see clinical information entered by other organisations who are party to the EMIS local record sharing agreement.
This local sharing is used to provide direct patient care for services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across North Central London in line with the local care delivery strategy.
It also enables specific GPs to identify their patients with highly complex, multiple morbidity and/or frailty, who might benefit from targeted multi-disciplinary team support as part of case management and care planning (the "Case Finding Purpose").
How will my information be made available?
The information is accessed in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere. The data remains within your GP EMIS database and users are allowed read-view access only. If you have any concerns regarding EMIS local record sharing you can opt out by speaking to your GP Surgery.
10. What do we use anonymised data for?
We use anonymised data to plan health care services. Specifically we use it to:
- check the quality and efficiency of the health services we provide;
- plan for future service delivery to take into account local needs and priorities;
- prepare performance reports on the services we provide; and
- review the healthcare we provide to ensure it is of the highest standard.
11. Details of data linkage with other datasets
Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.
When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E).
In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc.
When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.
The organisation responsible for processing de-identified and linked data under this category on behalf of the Practice is North Central London Integrated Care Board. We ensure that the data processor is legally and contractually bound to operate security arrangements, and to prove they are in place, where data that could or does identify a person are processed.
12. What safeguards are in place to ensure data that identifies me is secure?
We only use information that may identify you in accordance with the data protection legislation. This requires us to process personal data only if there is a lawful basis for doing so and that any processing must be fair and lawful.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
Our appropriate technical and security measures include:
- the ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems;
- the ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of security measures, and ensuring they comply with the concept of privacy by design and default.
The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All Practice staff are trained to ensure information is kept confidential.
We are registered with the Information Commissioner’s Office (ICO) as a data controller and collect data for a variety of purposes. A copy of the registration is available through the ICO website. You can search by our Practice name or ICO Data Protection Register number, both of which are given at section 6 above (contact details).
13. What are your rights?
Where information from which you can be identified is held, you have the:
- Right of access to view or request copies of the records
- Right to rectification of inaccurate personal data or special categories of personal data
- Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
- Right to object to any automated individual decision-making
- Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine readable format. Your right to portability applies only where:
- data is processed by automated means, and
- you provided consent to the processing, or
- the processing is necessary for the fulfilment of a contract
These rights will only apply where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Your right to erasure (right to be forgotten) will only apply where you had given ‘consent’ to process your personal health data and later withdrew the consent, and does not apply to the extent where the processing of your personal health data is necessary for:
- compliance with a legal obligation to which we are subject under UK law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- medical purposes and/or for reasons of public interest in the area of public health;
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- the establishment, exercise or defence of legal claims
You can exercise your rights at any time by contacting the Practice (data controller) or the Data Protection Officer (DPO) at the contact addresses given, although we will first need to explain how this may affect the care you receive and any overriding legitimate grounds for the processing that may apply.
14. Gaining access to the data we hold about you
You have the right to see or have a copy of personal data we hold that can identify you. You do not need to give a reason to see your data. However, some information may be withheld under some exceptional circumstances.
If you want to access your personal information you must do so by contacting the practice at the address given or by contacting our DPO at the address given. Note that, as the DPO does not have access to personal data, the DPO will forward requests to the practice; however, it is your legal right to use this route should you choose.
15. What is the right to know?
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.
What sort of information can I request?
In theory, you can request any information that the Practice holds that does not fall under an exemption under the FOI Act. Under FOIA you may not ask for information that is covered by the Data Protection Regulations, i.e. personal data. However, you can request this under a Subject Access Request – see the section above, ‘Gaining access to the data we hold about you’.
How do I make a request for information?
Your request must be in writing
16. How the NHS and care services use your information
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in this way with your specific agreement.
Our organisation is compliant with the national data opt-out policy. There are other objections to processing – opt-outs – available to you.
17. Rights to object (“opt-outs”)
National Data Opt-Out for Confidential Patient Data for Research and Planning
Is it direct care use only? Who can see it? Is my personal data sold?
- Not direct care; it is research and planning. By opting out you restrict your confidential patient data from this use.
- It is available to researchers/planners anywhere who have demonstrated a research and planning need for identifiable data and been through the approval process which includes data protection and ethics reviews.
- This differs from the Type 1 opt-out (see below) in that it applies to all your data. Note that NHS Digital (now the NHS England Transformation Directorate) have stated that the GP Data for Research and Planning is only restricted by the Type 1 opt-out. NHS Digital have stated that the National Data Opt-Out does not apply to confidential data used within the NHS.
What does it mean if I opt out?
- For you: If critical issues are discovered via research that could have identified you as someone at risk, you will not be included and hence not informed early.
- For care in my area: No impact.
- For the NHS: The NHS will be less able to plan. Research may be affected by not having information.
How do I get more information? How do I opt in / opt out?
There is a detailed information page, which also explains how you can opt in or out. If you wish to exercise your choice by post, a form is available at the Surgery. Note that if you opt out, data that does not identify you can still be used, e.g. number of patients in an area.
London Care Record (Local Shared Care Record – HIE/HEI)
Is it direct care use only? Who can see it? Is my personal data sold?
- Yes, direct care only. All uses are direct care and restricted to the London area.
- It is available to health and care practitioners involved in your direct care in the London area.
- Because it is direct care only, we will never sell your personal information
What does it mean if I opt out?
- For you: People providing care to you may not have the latest information. You will probably have to answer repeated questions, and there is a risk of harm to you because local information (e.g. at a hospital) may be out of date. You may be at risk if treated in an emergency situation and are unable to provide information.
- For care in my area: We will be less able to join up your services and it will make it more difficult, and expensive, to provide some care to you. Where health and care initiatives are taking place outside your GP, you may not be included as your record will not be visible.
- For the NHS: The extra cost may impact the wider NHS.
How do I get more information? How do I opt in / opt out?
There is a detailed information page, which also explains how you can opt in or out. Your GP surgery also has copies of the information in multiple languages. The form to exercise your choice is provided as part of the detailed information. Note that if you opt out, data that does not identify you can still be used, e.g. number of patients in an area.
North Central London Integrated Care System Secondary Data Use
Is it direct care use only? Who can see it? Is my personal data sold?
- Not direct care; this is use for planning of services, review of deliveries and other purposes involving population health.
What does it mean if I opt out?
- For you: You won’t be represented in statistics and planning. This is unlikely to impact you individually, but if enough people with similar needs to yours opt out, services may not represent your needs.
- For care in my area: We will be less able to plan services in a way that meets all the needs in the area.
- For the NHS: The extra cost may impact the wider NHS.
How do I get more information? How do I opt in / opt out?
There is a detailed information page and how you can opt in or out. Your GP surgery also has copies of the information in multiple languages. The form to exercise your choice is provided as part of the detailed information. Note that if you opt out, data that does not identify you can still be used, e.g. number of patients in an area.
Summary Care Record
Is it direct care use only? Who can see it? Is my personal data sold?
- Yes, direct care only. All uses are direct care. You will be asked for consent before the record is accessed, if this is possible.
- It is available to health and care practitioners involved in your direct care anywhere in England where you are treated.
- Because it is direct care only, we will never sell your personal information.
What does it mean if I opt out?
- For you: People providing care to you away from the London area will have little information about you. You will probably have to answer repeated questions. You may be at risk if treated in an emergency situation and are unable to provide information. You can choose to have no summary record, a basic summary record containing data for your safety, or a more detailed record including additional clinical data.
- For care in my area: This record is not generally used locally as the HIE record is used.
- For the NHS: It affects the ability of health and care practitioners to treat you safely.
How do I get more information? How do I opt in / opt out?
There is a detailed information page and how you can opt in or out.
GP Connect Record Sharing
Is it direct care use only? Who can see it? Is my personal data sold?
- Yes, direct care only. All uses are direct care. You will be asked for consent before the record is accessed, if this is possible.
- It is available to health and care practitioners involved in your direct care anywhere in England where you are treated.
- Because it is direct care only, we will never sell your personal information.
What does it mean if I opt out?
- For you: People providing care to you away from the London area will have little information about you. You will probably have to answer repeated questions. You may be at risk if treated in an emergency situation and are unable to provide information. You can choose to have no summary record, a basic summary record containing data for your safety, or a more detailed record including additional clinical data.
- For care in my area: This record is not generally used locally as the London Care Record is used.
- For the NHS: It affects the ability of health and care practitioners to treat you safely.
How do I get more information? How do I opt in / opt out?
Awaiting details; the national data sharing agreement is being finalised; when it is, the details will be part of the agreement. Patients are advised by NHSE to contact their practice if they wish to opt out.
Type 1 Opt-Out (GP Record sharing for Research and Planning)
Is it direct care use only? Who can see it? Is my personal data sold?
- Not direct care, it is research and planning. By opting out you restrict your confidential GP patient data from this use.
- It is available to researchers/planners anywhere who have demonstrated a research and planning need for identifiable data and been through the approval process which includes data protection and ethics reviews.
- Your GP will never sell your personal information.
- This differs from the National Data Opt-Out in that it applies to your GP data only. The National Data Opt-Out also opts out other providers. Note that NHS Digital (now the NHS England Transformation Directorate) have stated that the GP Data for Research and Planning is only restricted by this opt-out.
What does it mean if I opt out?
- For you: If critical issues are discovered via research that could have identified you as someone at risk, you will not be included and hence not informed early.
- For care in my area: No impact.
- For the NHS: The NHS will be less able to plan. Research may be affected by not having information.
How do I get more information? How do I opt in / opt out?
There is a detailed information page and how you can opt in or out.
No GP electronic care record sharing
Is it direct care use only? Who can see it? Is my personal data sold?
- Yes and no. This covers ALL electronic sharing, so no data will be shared outside of your GP.
- No record is available outside your GP.
- Because there is no electronic record, there is nothing to sell.
What does it mean if I opt out?
- For you: Every interaction outside of your GP will require a letter to be sent to share data. This can put you at risk as information will be incomplete. This option includes the type 1 opt-out, so those issues also apply.
- For care in my area: Cost, difficulty and patient risk of care is increased as practitioners do not have access to your information. This option includes the type 1 opt-out, so those issues also apply.
- For the NHS: Increased cost and complexity of care. This option includes the type 1 option, so those issues also apply.
How do I get more information? How do I opt in / opt out?
Speak directly to your GP; because of the clinical risk it is recommended that you discuss first.
Other provider opt-outs (e.g. Mental Health Trusts)
Is it direct care use only? Who can see it? Is my personal data sold?
- Yes – direct care. This covers ALL electronic sharing at the provider (e.g. if you had received treatment at the hospital it would not be shared electronically back to your GP or other providers).
- No record is available outside the provider where you received treatment. Sharing of data to ensure treatment will be by letter/email.
- Because there is no electronic record, there is nothing to sell.
What does it mean if I opt out?
- For you: Every interaction outside of your provider will not have the information from that provider; this may create risks for you as your treatment may be incorrect. For referrals, a letter/email will provide the data. This can put you at risk as information will be incomplete.
- For care in my area: Cost, difficulty and patient risk of care is increased as practitioners do not have access to your information.
- For the NHS: Increased cost and complexity of care.
How do I get more information? How do I opt in / opt out?
Speak to the individual provider. They will provide opt-out information and how to exercise it.
18. Glossary of Terms
Aggregated data - anonymised data grouped together so that it doesn't identify individuals. For example, there are 117,000 people with COPD living in the London area. Aggregated data is used for many public health planning purposes.
Anonymised data - data about individuals but with identifying details removed. For example, name, address, postcode replaced with the first half of the postcode, date of birth replaced with just year and month of birth.
Common Law of Duty of Confidentiality - is not written out in one document like the UK GDPR or an Act of Parliament. Common Law is also referred to as ‘judge-made’ or case law. In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client. However, where the disclosure/sharing of the patient/client information is for the purpose of Direct Care consent to such disclosure/sharing may be implied where it is informed, given there is a legitimate relationship between the patient/client and the health professional.
Data Protection Legislation - means any laws or regulations applying to personal data in the UK.
Personal Data - means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Pseudonymised data – data about individuals but with identifying details (such as name or NHS number) replaced with a unique code. The unique code is restricted to internal NHS use and separated from the rest of the data so cannot easily be used to re-identify individuals.
Special Categories of Personal Data – Sometimes called “sensitive personal data”. Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
a. Direct Medical Care and Administration
NHS Trusts – Hospitals, Community or Mental Health Trusts.
Other care providers with NHS contracts (e.g. services providing ultrasound scans, medical imaging; specialist providers such as those providing day surgery, other direct care tests / services)
Purpose of the processing
Personal data concerning your GP medical record may be shared with NHS Trusts in order to enable their healthcare professionals to make the best informed decision about your health needs, and provide you with the best possible care if you visit these providers for routine care and referrals.
Your information will also be shared with other care providers to provide best care, for example for medical imaging tests the practice cannot perform itself.
Note that NHS contracts are commonly delivered by private organisations; some of these providers will be partnerships, companies and other bodies, along with statutory NHS bodies such as NHS Trusts.
Your personal information may also be processed for local administrative purposes such as:
- Waiting list management;
- local clinical audit;
- Performance against local targets;
- activity monitoring;
- production of datasets to submit for commissioning purposes and national collections.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority.
- Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law.
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain.
Emergency Services (Ambulance trusts, police, A&E departments, out of hours services, 111)
Purpose of the processing
There are circumstances when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for example, during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate.
Medical professionals have a duty of care to share data in emergencies to protect their patients or other persons. In these circumstances, your GP medical record will be shared with emergency healthcare services, the police or fire service in order to enable you to receive the best treatment or service.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(d) – the processing is necessary in order to protect the vital interests of the data subject;
- Article 9(2)(c) – the processing is necessary to protect the vital interests of the data subject.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- Make pre-determined decisions about the type and extent of care you will receive in an emergency; these are known as “Advance Directives” and are held in Universal Care Plans (formerly called "Urgent Care Plans");
- access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have the right to object to some or all of your personal information being shared with the recipients. You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
GP Federations and Primary Care Networks
Purpose of the processing
GP Federations are groups of GPs (patient centred organisation), working collaboratively and developing closer integration with other partners across health, social and third sector partners to facilitate an enhanced delivery of health and care services.
Primary Care Networks (PCNs) are similar, but are led at the GP level and may involve a variety of other organisations also noted in this privacy notice.
North Central London Integrated Care Service are a wider grouping performing shared functions across health and care.
In each case the Practice remains the data controller for the information about you.
Through various hubs in the community the GP Federations and PCNs provide direct health and care services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across North Central London (which covers the boroughs of Barnet, Camden, Enfield, Haringey and Islington).
If you receive treatment/consultation on any of these services, personal data concerning your GP medical record may be shared with the GP Federation and Multidisciplinary Teams (MDT) in order to enable them to make the best informed decision about your health/care needs, and provide you with the best possible care.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority.
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Pharmacists
Purpose of the processing
Delivery of direct care e.g. vaccination, prescription fulfilment.
Medicines optimisation looks at the value which medicines deliver, making sure they are clinically-effective and cost-effective. It is about ensuring patients get the right choice of medicines, at the right time, and are engaged in the process by their clinical team.
Medicines optimisation enables community pharmacies to request medication electronically from the Practice and view relevant information from your GP record in order to provide you with the best medicines.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority.
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Local Authority – Social Services
Purpose of the processing
The practice works closely with Local Authorities to support and care for people of all ages to deliver the best possible social care.
Personal data concerning your GP medical record may be shared with Local Authorities and Multidisciplinary Teams (MDTs) delivering social care in order to enable them to make the best informed decision about your social care needs if required.
The source of the information shared in this way is your electronic GP record and your Local Authority social care records. Your GP is the data controller for your electronic GP record, your local authority is the data controller for your social care record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(d) - processing for vital interests of data subject;
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at s
Multidisciplinary Care Teams and clinics (MDTs)
Purpose of the processing
Personal data concerning your GP medical record may be shared with clinics delivering care or Multidisciplinary Teams (MDTs) in the area in order to provide you with the best possible care. For example, if you suffer from a long-term condition, specialist MDTs may deliver services alongside your GP. These MDTs commonly run clinics for conditions, so that you can receive the best possible care from practitioners specialising in the treatment area.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Care Homes
Purpose of the processing
Personal data concerning your GP medical record may be shared with Care Homes delivering your care in order to enable their care professionals to make the best informed decision about your care needs, and provide you with the best possible care if you are resident in a Care Home.
Note that many care homes are private sector organisations.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority.
- Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law.
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
The NHS Account and the NHS App
Purpose of the processing
The NHS Account and the NHS App are available to all patients over 13 years of age registered with a GP in England. Details are available online from https://www.nhs.uk/nhs-app/
The purpose of the processing is to allow you to access NHS services more easily, to be able to see information about your health and care. The app includes a wide range of services which vary with each provider.
You need to have verified your NHS account to access all the services on the NHS account and app; some services are available without full verification.
If you are an NHS App user, we use the NHS Account Messaging Service provided by NHS England to send you messages relating to your health and care.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
The data controller for data on the NHS app depends on the use and provider. Full details can be found at NHS App Privacy Policy.
Note that the practice is data controller only for its data on the NHS app, not for that of other organisations, nor for the account or the app itself.
b. Other primary care services delivered for the purposes of direct care
Integrated Urgent Care Service (IUC)
Purpose of the processing
Integrated Urgent Care Service (IUC) is an urgent care service delivered across North Central London (NCL) (Barnet, Camden, Enfield, Haringey and Islington) for the provision of a functionally integrated 24/7 urgent care access, clinical advice and treatment service for patients. IUC incorporates NHS 111 and Out of Hours (OOH) services, which is often referred to as an IUC Clinical Assessment Service.
The purpose of IUC is to ensure that patients receive the best possible healthcare service in their community.
If you visit the urgent care centre or call NHS 111 for health related needs, personal data in your GP record will be shared with healthcare professionals in order to enable them to make the best informed decision about your health needs.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Continuing Health Care (CHC)
Purpose of the processing
NHS Continuing Health Care (CHC) is free care outside of hospital that is arranged and funded by the NHS to support living with complex medical conditions and on-going healthcare needs which can be delivered in the patient’s home, at their care home or in non-acute hospitals.
CHC is free, unlike support from social services for which a fee may be charged, depending on your income and savings. CHC is different from NHS Funded Nursing Care, which some people with less complex needs living in care homes receive.
If you require CHC, personal data from your GP medical record will be shared with the care home or non-acute hospital looking after you.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) - processing for legal obligation;
- Article 6(1)(e) - public interest or in the exercise of official authority;
- Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
- Common Law of Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Online Consultation Provider – eConsult
Purpose of the processing
eConsult provides a service where patients can complete a set of online forms which will then refer them to their GP or other services to ensure the correct treatment can be accessed as quickly as practicable.
eConsult forwards information to the practice where you give consent for it to do so; eConsult is a data controller for your data until it is forwarded to the practice, at which point the practice is data controller for the information provided.
eConsult is a nationally available contract to GPs.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(a) – consent of the data subject
- Article 9(2)(a) – informed consent
Related Legislation:
Your Rights
- To withdraw your consent to this processing – this has the same effect as right to object;
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data – as this is consent based we will immediately arrange for your data to be removed from all those organisations it has been shared with.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Voluntary sector, Resilience networks and Social Prescribing
Purpose of the processing
GP services can only be a part of care, and voluntary/3rd sector organisations can commonly help with conditions by providing support and other services. Where these may be helpful, we will, with your informed consent, share your information with these organisations to help you.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(a) – consent of the data subject;
- Article 9(2)(a) – explicit consent
Your Rights
- To withdraw your consent to this processing – this has the same effect as right to object;
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data – as this is consent based we will immediately arrange for your data to be removed from all those organisations it has been shared with.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
c. Statutory Disclosures of Information
Safeguarding Concerns – to protect an individual, or to prevent a serious crime
Purpose of the processing
Some members of the public are recognised as needing safeguarding protection, for example children and vulnerable adults. If an individual is identified as being at risk of harm, we have a duty to do what we can to protect that individual, and we are bound by ‘Safeguarding’ laws to do so.
Where there is a suspected or actual safeguarding issue we will share information that we hold about you with other relevant agencies such as local Ambulance trusts, the police, A&E departments, out of hours services, 111 or Social Services.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(d) – the processing is necessary in order to protect the vital interests of the data subject;
- Article 9(2)(c) – the processing is necessary to protect the vital interests of the data subject;
- Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law.
Related Legislation:
- Data Protection Act 2018 Section 10 (particularly Schedule 2 Part 1 Section 18)
- Section 47 of The Children Act 1989
- Section 45 of the Care Act 2014
Your Rights
This sharing is a legal and professional requirement and therefore there is no right to object.
The Children Act 1989 requires local authorities to investigate where a child is the subject of an emergency protection order, is in police protection or where there is a reasonable cause to suspect that a child is suffering or is likely to suffer harm. The Act requires the local authority to safeguard and promote the welfare of children who are in need, within their geographical area and to request help from specified authorities including General Practices, NHS Trusts, Integrated Care Systems / Boards (ICSes / ICBs – formerly CCGs) and NHS England.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
The Care Quality Commission (CQC)
Purpose of the processing
The Care Quality Commission (CQC) is a regulatory body established under the Health and Social Care Act. The CQC regulates health and social care services in England to ensure that safe health and care are provided. The law allows CQC to access identifiable patient data/medical records in our clinical system for the purposes of their assessment and investigation of significant safety incidents.
The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- The Health and Social Care Act 2008, s64
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Law Enforcement and Regulatory Bodies
Purpose of the processing
In some circumstances the Practice may be legally required to share personal information with law enforcement and regulatory bodies (without the consent of the data subject) such as: the Police; Courts of Justice; HMRC and DVLA for the purposes of prevention or detection of crime; apprehension or prosecution of offenders; the assessment or collection of any tax or duty or, of any imposition of a similar nature.
GPs are obliged to notify the DVLA when fitness to drive requires notification but an individual cannot or will not notify the DVLA themselves, and if there is concern for road safety, which would be for both the individual and the wider public.
The Practice will review each request based on its merits before deciding whether to release information to the ‘relevant authorities’.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
Related Legislation:
There are a variety of acts which place responsibilities on health providers to provide information for law enforcement and regulatory bodies.
Your Rights
This sharing is a legal and professional requirement and therefore there is no right to object.
Personal data processed for these purposes are exempt from the first data protection principle (processed lawfully, fairly and in a transparent manner).
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Medical Examiner Service
Purpose of the processing
When a person dies, all deaths are now reviewed by the medical examiner service. We are required to share information about the deceased’s medical record with the examiner. This record may contain information regarding the living – for example, family members, persons who treated the deceased.
Data is reviewed only by persons under a professional duty of confidence as part of the medical examiner service.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – for the performance of a task carried out in the public interest or in the exercise of official authority;
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- The National Health Service Trust (Scrutiny of Deaths) (England) Order 2021
Your Rights
This sharing is a legal and professional requirement and therefore there is no right to object.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Medico-Legal
Purpose of the processing
Medico-Legal – Where a medical professional is holding personal data for the purpose of providing medical reports in connection with legal action.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- The National Health Service Trust (Scrutiny of Deaths) (England) Order 2021
Your Rights
This sharing is a legal and professional requirement and therefore there is no right to object.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
General Medical Council (GMC)
Purpose of the processing
The General Medical Council (GMC) is a public body that maintains the official register of medical practitioners within the United Kingdom. Its primary responsibility is ‘to protect, promote and maintain the health and safety of the public’ by controlling entry to the register, and suspending or removing members when necessary.
Under the Medical Act 1983, the GMC has the power to request access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practise.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- The Medical Act 1983
- Data Protection Act 2018 Section 10
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
The Health Service Ombudsman (HSO)
Purpose of the processing
The Health Service Ombudsman (HSO) was set up by Parliament to provide an independent complaint handling service for complaints that have not been resolved by the NHS in England and UK government departments.
The HSO has the power to request access to a patient’s medical records for the purpose of an investigation.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- The Health Services Commissioners Act 1993, s12
- Data Protection Act 2018 Section 10
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
NHS Counter Fraud
Purpose of the processing
Under the NHS Act 2006, investigations into fraud in the NHS may require access to confidential patient information.
This means that we are compelled by the law to share your data.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 10 NHS Act 2006
Your Rights
This sharing is for a legal obligation and hence the rights to access, object or restrict processing are limited.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
NHS England Transformation
Purpose of the processing
The Transformation Directorate of NHS England (formerly NHS Digital and the Health and Social Care Information Centre) is a national information and technology partner to the health and social care system. They use digital technology to transform the NHS and social care.
NHS England Transformation Directorate carries out National Data collections/extractions from the GP record. These include:
- General Practice Extraction Service (GPES) – This is an extraction of much of your GP data for use by the NHS centrally for planning and research. It is a statutory requirement upon your GP under sections 259(1)(a) and 259(5) of the Health and Social Care Act 2012.
- National Diabetes Audit (NDA) – Audits care for patients with diabetes. Mandatory under section 254 of the Health and Social Care Act 2012.
- National Obesity Audit (NOA) – Audits weight management and related care. Also mandatory under section 254 of the Health and Social Care Act 2012.
- Individual GP Level Data (IGPLD) – Provides GPs with information on care provision. Includes NHS number and other demographic data. Mandatory under section 254.
- FGM Enhanced Dataset – Tracks support and outcomes for women and girls at risk of or affected by FGM. Mandatory under section 254.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Sections 254 and 259 of the Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.
However, NHS England respects Type 1 objections (9Nu0) recorded in the GP record. If present, no data will be extracted or uploaded.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6) or with the Information Commissioner (section 8).
NHS England
Purpose of the processing
NHS England is responsible for securing, planning, designing and paying for Primary Care & Specialised NHS services not otherwise funded by North Central London Integrated Care Board. This includes planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services.
We may often share personal information with NHS England, potentially for safeguarding concerns that need escalating beyond our borough.
Where required, the Practice may also have to share staff personal information with NHS England for the purposes of the allegations framework or the performers list.
The sources of the information that may be shared in this instance are the staff record and the patient’s electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Local Authority Public Health
Purpose of the processing
Public Health England was replaced with two bodies during 2023:
- UK Health Security Agency (UKHSA)
- Office for Health Improvement and Disparities
All local authorities have public health departments with whom we are required to share certain information via various laws and regulations. Your information will be shared for this purpose with the local authority for your area of residence where required by the law.
UKHSA is responsible for protecting every member of every community from the impact of infectious diseases, chemical, biological, radiological and nuclear incidents and other health threats.
The Office for Health Improvement and Disparities is focused on improving the nation’s health so that everyone can expect to live more of life in good health, and on levelling up health disparities to break the link between background and prospects for a healthy life.
We are required by law to share information with these two bodies, although most information is shared with them via the link to the local authority.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 9(2)(b) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Related Legislation:
- The Health Protection (Notification) Regulations 2010 (SI 2010/659)
- The Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657)
- Data Protection Act 2018 Section 10
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
  - accuracy of the data is contested,
  - the processing is unlawful, or
  - where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, contact details are given at section 6, or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
d. Processing for the Purposes of Commissioning, Planning, Research and Risk Stratification
Integrated Care Systems / Boards (ICSes / ICBs)
Purpose of the processing
Integrated Care Boards (ICBs) are responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as ‘Commissioning’.
We are part of the North Central London (NCL) Integrated Care System (ICS) responsible for delivery of services.
In order to enable North Central London ICB to carry out its statutory responsibilities effectively, we may share personal data about you with the ICB for the following purposes:
- Individual Funding Requests
- Continuing Health Care
- Appeals, queries or compliments
- Safeguarding concerns
- Commissioning purposes such as payment for target achievement known as Quality and Outcomes Framework (QOF)
- Participation in agreed national or local enhanced services
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6) or the Information Commissioner (section 8).
“Risk Stratification” (Population Health Management and Case Finding)
Purpose of the processing
The Practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses (e.g. diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records and national data sets.
The results of these searches and assessments may then be shared with other healthcare workers, such as specialists, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.
Risk stratification can be grouped into two purposes:
- Direct Care – ‘Case Finding’: where carried out by a health professional (e.g. GPs and Provider) involved in an individual’s care or by a data processor acting under contract with such a provider, it is treated as direct care. This includes reviewing and checking on service outcomes by the health professionals involved in care. This is performed in HealtheIntent and has an objection (opt-out) you can exercise along with the London Care Record.
- Secondary Use: to understand the local population needs and plan for future requirements. Your identifiable personal data is used to create the data sets for this purpose, but no identifiable data is available to the persons performing indirect care tasks. This use is authorised by the Secretary of State via the Confidentiality Advisory Group (CAG).
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Section 251 NHS Act 2006
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object or opt-out: You have the right to raise an objection to your personal data being shared in HealtheIntent or used for risk stratification. You also have the right to opt out of HealtheIntent by completing an opt-out form with your Practice or online, although we will first need to explain how this may affect the care you receive. Opting out of HealtheIntent includes opting out of the London Care Record.
You can also opt out of the Local Secondary Use via the form available online at NCL Health and Care: Opting Out of the Joined-Up Health and Care Record.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6) or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Prescribing Improvement and alerting
Purpose of the processing
The Practice, when prescribing, passes pseudonymised data to prescribing improvement and alerting services to ensure that healthcare workers provide the most appropriate treatments and therapies. This allows the NHS to reduce cost and improve patient safety.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251 NHS Act 2006
Recipients:
- First Databank UK
- Optum
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6) or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Nutrition improvement
Purpose of the processing
If your child has a cow’s milk allergy, or you are an adult patient with certain nutrition difficulties, Oviva UK will be used as a subprocessor to provide assistance for the condition.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251 NHS Act 2006
Recipients:
- Oviva UK Ltd (Paediatric Cow’s milk allergy)
- Oviva UK Ltd (Adult Oral Nutrition Support)
- Oviva UK Ltd (Diabetes Remission Services, commonly referred to as Type 2 Diabetes to Remission [T2DR] or Low Calorie Diet [LCD])
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6) or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Research partners using pseudonymised patient data
Purpose of the processing
The practice supplies pseudonymised data to organisations such as Clinical Practice Research Datalink (CPRD), for the purposes of performing research without using directly identifiable data. Data is matched before being provided with data from other sources (e.g. acute settings) and stored for research analysis.
Researchers then approach the organisation for data extracts for research; for example, research using CPRD data and services has resulted in over 3,000 peer-reviewed publications investigating drug safety, health care delivery and disease risk factors.
Researchers have to obtain a Research Ethics Committee (REC) approval, and, where necessary, a Confidentiality Advisory Group (CAG) approval before being given access to data.
This data cannot be used to directly identify you without special measures; these are only authorised where they would be a risk to patient safety. As you cannot be directly identified, it is not possible to make rights requests on this data; it is excluded from the requirements of Articles 15–22.
This vital research informs clinical guidance and everyday best practice such as demonstrating the safety of the MMR vaccine and the protective effects of the pertussis vaccine in pregnancy on infant health.
Data Retention Period
The pseudonymised data is retained indefinitely for longitudinal studies.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(j) – for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic law.
Your Rights
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient. This is managed via the National Data Opt-out. See the NHS Your Data Matters page.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6) or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Research Partners using patient identifiable data
Purpose of the processing
The practice participates in projects and will only agree to do so if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of UK GDPR.
Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally, research can be authorised under law without the need to obtain consent. This is known as the Section 251 arrangement; however, this generally falls into the pseudonymised data permissions noted above.
We may also use your medical records to carry out research within the practice.
The individual organisations involved will notify you via the consent process of their processing.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(j) – for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic law.
Related Legislation:
- Section 251 NHS Act 2006
Your Rights
- To access, view or request copies of your personal information;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6) or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Employment Processing
Purpose of the processing
The Practice ensures the protection of the rights and freedoms of its employees in respect of the processing of their personal data, in particular for the purposes of recruitment, performance of obligations under the contract of employment, rights and benefits management and planning, equality and diversity in the workplace, and health and safety at work.
The Practice ensures that personal data it collects from employees are used only for employment related purposes or where there is a statutory obligation to share the personal information with regulatory bodies (e.g. courts, police or NHS England).
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject.
Your Rights
- To access, view or request copies of your personal information held by the Practice;
- request rectification of any inaccuracy in your personal information;
- restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful or,
- where we no longer need the data for the purposes of the processing.
Right to object: Employees have a general right to raise an objection to the sharing of personal data.
If an employee wishes to exercise their rights they can contact the Practice (data controller) or the DPO and their request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6) or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
e. Data Sharing Databases
London Care Record
Purpose of the processing
The London Care Record (LCR) is an Electronic Health Record (EHR) linking system that brings together patient data across the health and care system in a secure manner, embedding a single aggregated longitudinal view of the patient natively in each EHR system irrespective of traditional organisational or technological boundaries.
The LCR includes information about patients/clients recorded by acute hospitals, mental health, community health, social care and GP Practices.
Healthcare professionals across London and the region are able to access subsets of their patients/service users’ medical or social records from a single system in order to provide the best possible care.
The source of the information shared in this way is your electronic GP record for the purposes of direct patient care and indirect care. The full local privacy notice for this system can be found at: The London Care Record – NCL Health and Care
Data Retention Period
All records held by the Practice and in the LCR system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Common Law Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object or opt-out: You have the right to raise an objection to your personal data being shared in the LCR. You also have the right to opt out of the LCR by completing an opt-out form with your Practice, although we will first need to explain how this may affect the care you receive. Opting out of the LCR includes opting out of HealtheIntent.
You can opt out of the London Care Record via the form available online at: Opting out of the London Care Record.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. Contact the Practice’s Data Protection Officer (see section 6), or the Information Commissioner’s Office (ICO) if not satisfied (see section 8).
Oracle Health – HealtheIntent / HealtheAnalytics / HealthEDW
Purpose of the processing
HealtheIntent is a platform that allows the practice and other healthcare providers to improve healthcare outcomes, patient experience, reduce adverse events and shift towards more preventative care. It covers both sharing and risk stratification.
HealtheIntent uses the shared care record (see above, London Care Record) plus additional data from care providers to give a better picture of your health.
The HealtheIntent platform contains three main tools – HealtheRecord, HealtheRegistries and HealtheAnalytics – and a data warehouse (HealthEDW).
- HealthEDW is the data warehouse which securely holds all of the normalised, longitudinal data. “Normalised” means that all the same measurements are used so there is no confusion; “longitudinal” means that data is available over time.
- HealtheRegistries provides a dashboard view for specific population cohorts (usually a long-term condition, e.g. diabetes). It provides an overview of indicators/measures and allows users to track patient results (e.g. HbA1c) and compare to the population (e.g. GP practice). This helps identify gaps or duplication in care at both the individual and population level.
- HealtheAnalytics is a dashboard tool (Tableau) used to identify trends and unwarranted variation in population cohorts. It also allows clinicians and care professionals to ‘drill down’ to specific patients who require action.
The full privacy notice for HealtheIntent is available at The London Care Record – NCL Health and Care.
Data Retention Period
All records held by the Practice and in the systems are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Common Law Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object or opt-out: You have the right to raise an objection to your personal data being shared in HealtheIntent. You also have the right to opt out of HealtheIntent by completing an opt-out form with your Practice, although we will first need to explain how this may affect the care you receive. Opting out of HealtheIntent includes opting out of the London Care Record.
You can opt out via the form at: NCL Health and Care Opt-out Form.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (see section 6), or the Information Commissioner’s Office (see section 8).
EMIS Systems Local Record Sharing – Integrated Care
Purpose of the processing
EMIS Local Record Sharing enables your GP medical record held on our secure EMIS Web clinical system to be shared with other healthcare providers (e.g. acute hospitals, mental and community health and other GPs) who are commissioned to provide healthcare services within your borough.
This local sharing is used to provide direct patient care for services such as continued extended access, home visits, universal offers, musculoskeletal services, GP at front door and other neighbourhood services across North Central London.
The information is accessed in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice and the EMIS Local Record Sharing system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Common Law Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipients.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6) or, if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
National NHS Services “Spine”
Purpose of the processing
Spine supports the IT infrastructure for health and social care in England, joining together over 23,000 healthcare IT systems in 20,500 organisations.
It hosts 5 key services to support the delivery of your care. They enable healthcare professionals, authorised with an NHS smartcard, to view relevant information about you as follows:
- Patient Demographics Service (PDS) – a national electronic database of NHS patient details (name, address, date of birth, NHS Number). It helps professionals identify patients, match them to records, and contact them.
- Summary Care Record (SCR) – an electronic record of important information created from GP records, visible to authorised staff involved in your direct care. Includes medication, allergies, and other essential details.
- e-Referral Service (e-RS) – combines electronic booking with patient choice for hospital or clinic appointments.
- Electronic Prescription Service (EPS) – sends prescriptions electronically to pharmacies, aiming to reduce the use of paper prescriptions.
- GP2GP – allows secure transfer of electronic health records between GP practices when patients move.
When your GP record is uploaded to the Spine, NHS England becomes the data controller for that uploaded information.
The source of the information shared in all these instances is your electronic GP record.
Data Retention Period
All records held by the Practice and on Spine systems are kept for the duration specified in the Records Management Code of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Related Legislation:
- Section 251B Health and Social Care Act 2012
- Common Law Duty of Confidentiality
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object or opt-out: You may object to having a Summary Care Record (SCR) by returning a completed opt-out form to your GP practice. However, please note that you cannot opt out of other Spine services as these are essential for managing the NHS.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may appeal or complain to the Data Protection Officer (see section 6), or to the Information Commissioner (see section 8).
NHS Cervical Screening Management System, Bowel Cancer Screening System, Breast Screening Select, Abdominal Aortic Aneurysm Screening
Purpose of the processing
CSMS is a web-enabled viewer which provides the facility for healthcare professionals to share/access patient data in the National Cervical Screening Programme.
The same applies to bowel cancer screening (BCSS), Breast Screening Select (BSS), and abdominal aortic aneurysm screening (AAA). Collectively, they are sometimes known as the National Health Applications and Infrastructure Service (NHAIS). These screening services are all part of the National Screening Services.
Access to screening services is controlled by smartcards. Prior to July 2024, the system used for access was “Open Exeter”.
Data Retention Period
Data is viewed on screen. If printed, it is destroyed when no longer required (usually within 24 hours).
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared in these systems.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. Contact the Practice’s Data Protection Officer (section 6) or the Information Commissioner (section 8) if not satisfied.
The source of the information shared in this way is your electronic GP record.
f. Data Processors
AccuRx
Purpose of the processing
AccuRx supply a number of systems to practices including text (SMS) messaging and remote consultations. Your personal data is passed to them solely for these purposes and not used further.
Processing is carried out by AccuRx under instruction, set out in a processing agreement with your GP.
Data Retention Period
Data is not retained in this system once processed, but transferred to the clinical record system.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may raise the issue with the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (section 8).
Amazon Web Services (AWS)
Purpose of the processing
Amazon Web Services are used as a sub-processor by some NHS organisations and suppliers, including EMIS and NHS England (in particular the Transformation Directorate, formerly known as NHS Digital).
Processing is carried out by AWS as a sub-processor to controllers such as EMIS Health (part of Optum). These organisations are responsible under their contracts for the management of the sub-processor.
Your GP does not have a direct relationship with AWS.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where compelling legitimate grounds for processing cannot be demonstrated for continued care and legal compliance.
If you wish to exercise any of your rights, contact the Practice (data controller) or the DPO for review.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may raise a complaint with the Practice’s Data Protection Officer (section 6), or with the Information Commissioner’s Office (ICO) (section 8).
Clinical Coding, Medical Summarisation, processing of new patient forms and other administrative services
Purpose of the processing
The practice uses the listed processor(s) as a service for purposes including processing online registrations, coding letters received from others, filing, medical summarisation and letter creation.
The source of this data varies – for example, you may input data into a registration system online, or we may receive information from another health and care provider.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may appeal or complain to the Practice’s Data Protection Officer (see section 6), or to the Information Commissioner’s Office (see section 8).
Clinical Coding, Medical Summarisation, Referral Letter and Patient Letter creation based on AI analysis of conversation between patient and practitioner
Purpose of the processing
The practice uses the listed processor(s) as a service for analysing consultations between yourself and practitioners, verbal notes and statements made by the practitioner.
The source of this data is recordings of the conversations/statements made.
Your practitioner will review the notes created and amend them as needed before adding to your record, providing the needed human intervention.
Data Retention Period
The recordings are not held once processed. The entries in the patient record are held in the Practice EMIS system and kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Patient contacts for call / recall for routine tests, particularly where area uptake is low
Purpose of the processing
The practice uses the listed processor(s) as a service for contacting patients to arrange call / recall for routine tests. Some providers also assist patients with translation and help them to attend or participate.
The source of this data as a patient is your electronic patient record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may appeal or complain. You may raise the issue with the Practice’s Data Protection Officer (section 6), or with the Information Commissioner’s Office (ICO) (section 8).
Microsoft Azure and Office 365 (including Teams, SharePoint, OneDrive)
Purpose of the processing
The practice uses Microsoft Office 365 supplied by NHS England for internal information management. As such, it contains a mix of staff and patient personal data.
The practice uses Microsoft Office 365 in line with guidance from NHSE.
Microsoft is also used as a processor by some NHS organisations and suppliers, including Optum, GP federations, most acute providers and others. Where Microsoft (particularly Azure) is a sub-processor (e.g. to Optum), your GP does not have a direct relationship and the contracting organisation is responsible under their contract for the management of the sub-processor.
The source of this data as a patient is your electronic patient record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing for the purposes of direct provision of care and legal obligations.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may raise the issue with the Practice’s Data Protection Officer (see section 6), or with the Information Commissioner’s Office (ICO) (see section 8).
CCTV and security monitoring
Purpose of the processing
We use closed circuit television and security monitoring systems for the purposes of ensuring security of our patients, staff and premises.
Data Retention Period
All records held are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care. For CCTV images, this is normally 30 days.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with UK GDPR Article 21, you have a general right to object to the processing of your personal data in some circumstances. This only applies where we cannot demonstrate compelling legitimate grounds for continued processing for purposes of care or compliance with legal obligations.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with how the Practice processes your data, you may complain to the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (ICO) (section 8).
Huma Therapeutics Limited (Huma)
Purpose of the processing
Huma provide an app and devices for blood pressure monitoring for use in hypertension care. This is used to improve control of hypertension and hence outcomes. Patients can sign up voluntarily.
Huma additionally use anonymous, aggregated data from the app to improve their products and for research. Your identifiable patient data is not used for this purpose.
Data Retention Period
All records held are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
North Central London Integrated Care Board
Purpose of the processing
NHS North Central London ICB is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services, Information Communication Technology (ICT), providing risk stratification and secondary use services.
The ICB acts as the Data Processor for EMIS Systems Local Record Sharing and processes personal data from your GP record in accordance with instructions from the Practice.
Some services provided by the ICB are shared across London and provided to the ICB by other areas. These are detailed in this document.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6), or if not satisfied, with the Information Commissioner (ICO) (section 8).
South West London Integrated Care Board
Purpose of the processing
The GP Practice Data Extraction Services is shared across London, with South West London performing the service. This enables SWL to, on behalf of the NCL area, extract personal data from GP Practices covering all currently registered patients and those ever registered since April 2009, except where patients have explicitly dissented from their information being extracted.
The extracted data supports services back to the practice including:
- Risk stratification
- Linking data to other datasets
- Financial reporting
- Business intelligence
- Statistical analysis
- Information to support delivery of patient care
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared, which will restrict your patient record from being shared with anyone outside your GP.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6), or if not satisfied, with the Information Commissioner (ICO) (section 8).
Docman
Purpose of the processing
Docman (OneAdvanced Limited) acts as a data processor and provides cloud-based storage software for electronic patient documents. This includes letters that we receive, scan and upload to the patient record, as well as letters that we receive in an electronic format.
Generally, Docman enables primary health care organisations to capture, file, workflow, view and manage primary care documents efficiently.
Docman also includes workflow modules which use AI to enhance the coding and management of documents. This, where used, summarises your patient documents, identifies their urgency and describes potential high-level actions. A human review of all outputs is required before data is finalised in your medical record.
Data Retention Period
All records held in the Practice EMIS system and the Docman vault are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
Docmail
Purpose of the processing
Docmail from CFH Docmail Ltd. enables primary health care organisations to send letters, invoices and documents directly from computers and other portable devices.
The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.
Data Retention Period
All records held in the Practice EMIS system and the Docman vault are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
iPlato
Purpose of the processing
iPlato is a cloud-based text messaging service used by GPs to communicate with their patients.
The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.
Data Retention Period
All personal health records held in the Practice EMIS system and the iPlato system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.
InHealth Intelligence
Purpose of the processing
InHealth (formerly QMS-UK) are commissioned by NHS England to provide secure data processing solutions for two services:
- Child Health Information Service – information relating to children’s vaccinations is shared with North East London Foundation Trust who run one of 4 Child Health Information Services across London.
- Additionally, they are an approved NHS provider for services such as diabetic retinopathy screening, ultrasound scans and other tests. For these purposes, they act as a separate data controller.
Data Retention Period
All records held in the Practice EMIS system and the QMS database are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared in QMS.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with how the Practice processes your data, you have the right to appeal/complain. Raise the issue with the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (section 8).
Better Ltd Universal Care Plan (formerly “Urgent Care Plan”)
Purpose of the processing
Universal Care Plans – The NHS aims to provide personalised care based on what matters to you. Care planning enables your wishes and individual care and support needs to be communicated digitally with your healthcare professionals across London.
- A care plan can be created following a conversation between you and your healthcare professional (such as a doctor or nurse).
- Your healthcare professional will listen to you, understand your needs and make notes about:
- What is important to you in your day-to-day life
- Your preferences or wishes about your care, such as where you prefer to be cared for
- What support you need and who is best placed to provide this
- Information about others who may be involved in your care, such as relatives
- Based on your conversation, your healthcare professional can document this information using a digital system. Your care plan can be continuously updated throughout your life, depending on your needs and wishes.
For more details, visit: Universal Care Plan - One London
Your healthcare professional will document a clinical recommendation, should you need emergency care.
Information on your care plan is visible to all health and care services who are involved in your care. This may include the London Ambulance Service, 111 and Out of Hours GP services who may see you in an emergency.
Data Retention Period
Since the Universal Care Plan is created voluntarily by patients, patients can withdraw it at any time, in which case it will be deleted.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment or, the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared.
If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (section 6), or with the Information Commissioner’s Office (section 8).
Medicines Management and Prescribing Optimisation
Purpose of the processing
Medicines optimisation looks at the value which medicines deliver, making sure they are clinically-effective and cost-effective. It is about ensuring patients get the right choice of medicines, at the right time, and are engaged in the process by their clinical team.
Medicines optimisation enables community pharmacies to request medication electronically from the Practice and view relevant information from your GP record in order to provide you with the best medicines.
ScriptSwitch prompts prescribers with potentially better choices for medication when they are prescribing, based on NICE guidance and guidance from the NCL Medicines Management Team. No identifiable personal data is shared or processed outside of the prescriber’s computer – the app processes your data locally as an add-on to the EMIS system. Your prescriber is free to accept or reject its suggestions based on their professional judgment. The app records anonymised data on the prescribing which is then provided as an aggregate (totals only) to the NCL Medicines Management Team for review.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(c) – processing for legal obligation;
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Related Legislation:
- Data Protection Act 2018 Section 10
- Section 251B Health and Social Care Act 2012
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where compelling legitimate grounds for continued processing cannot be demonstrated.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with how the Practice processes your data, you may appeal or complain. Raise the issue with the Practice’s Data Protection Officer (see section 6), or the Information Commissioner’s Office (ICO) (see section 8).
GP Connect
Purpose of the processing
GP Connect allows authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently. It is run and managed by NHS England.
It provides full record sharing to other partners in health and care and is used for many of the linkages noted elsewhere in this notice.
For more details, please visit: GP Connect – NHS Digital
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the UK.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services.
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with how the Practice processes your data, you may appeal or complain. Contact the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (section 8).
Emis Recruit, AccuRx
Purpose of the processing
To enable healthcare professionals working for the Practice to provide information, derived from GP records, about individuals to accredited research organisations.
This covers research situations where the data controller (the Practice) is approached by research organisations, directly, to recruit patients for studies.
Any research proposal will only be agreed with a clearly defined protocol, consent mechanisms, and relevant research ethics committee approval, and in line with the principles of Article 89(1) of the UK GDPR.
Research organisations do not approach patients directly; rather, the Practice will invite appropriate patients directly, asking whether they wish to take part.
Systems noted here provide us with potential patients who may fit study criteria, so we can invite them to participate. If you have chosen to exercise your right to opt out of research via the National Data Opt-Out, you will be excluded from these cohorts.
This Privacy Notice does not cover situations where the Practice has been approached by an organisation seeking special category personal data to be disclosed in the absence of consent, i.e. via Section 251 NHS Act 2006 / Health Research Authority (HRA) approval.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority;
- Article 9(2)(j) – for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic law.
Related Legislation:
- Section 251 NHS Act 2006
- Health Research Authority (HRA) approval
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing.
Right to object: You have a general right to raise an objection to your personal data being shared.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with the way the Practice processes your data, you may appeal or complain to the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (section 8).
Shred-IT
Purpose of the processing
Shred-IT provides solutions for records management, data backup and recovery, document management, secure storage, and accredited data destruction.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held by the Practice are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
Your Rights
- To access, view or request copies of your personal information;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal or complain. Raise the issue with the Practice’s Data Protection Officer (section 6), or the Information Commissioner’s Office (ICO) (section 8).
NHS North Central London Integrated Care Board (NCL ICB)
Purpose of the processing
NHS North Central London ICB is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services, ICT, and providing risk stratification and secondary use services.
The ICB acts as the Data Processor for EMIS Systems Local Record Sharing and processes personal data from your GP record in accordance with instructions from the Practice. Some services provided by the ICB are shared across London and provided to the ICB by other areas.
The source of the information shared in this way is your electronic GP record.
Data Retention Period
All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
GP records should be retained until 10 years after the patient’s death or after the patient has permanently left the country, unless they remain in the UK. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services
Your Rights
- To access, view or request copies of your personal information
- Request rectification of any inaccuracy in your personal information
- Restrict the processing of your personal information where:
- accuracy of the data is contested
- the processing is unlawful
- we no longer need the data for the purposes of the processing
Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal or complain. Raise the issue with the Practice’s Data Protection Officer (section 6), or the Information Commissioner (section 8) if not satisfied.
First Practice
Purpose of the processing
The HR supplier, First Practice, provides practices with a software solution to record Human Resources information about their employees, in particular for the purposes of recruitment, performance of obligations under the contract of employment, rights and benefits management and planning, equality and diversity in the workplace, and health and safety at work.
The Payroll supplier, PayeDoc, provides practices with a software solution to enable the management and payment for employment of staff, contractors and others, including management of tax payments, pension payments, expenses and deductions. All processing is carried out in accordance with UK law relating to employment and taxation.
The Practice ensures that personal data it collects from employees are used only for employment related purposes or where there is a statutory obligation to share the personal information with regulatory bodies (e.g. courts, police or NHS England).
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject
Your Rights
- To access, view or request copies of your personal information held by the Practice;
- Request rectification of any inaccuracy in your personal information;
- Restrict the processing of your personal information where:
- accuracy of the data is contested,
- the processing is unlawful, or
- we no longer need the data for the purposes of the processing
Right to object: Employees have a general right to raise an objection to the sharing of personal data.
If an employee wishes to exercise their rights they can contact the Practice (data controller) or the DPO and their request will be carefully considered.
Right to complain: If dissatisfied with the way the Practice processes your data, you may appeal/complain to the Practice’s Data Protection Officer (section 6), or to the Information Commissioner’s Office (section 8).
Surgery Connect
Purpose of the processing
Surgery Connect provides practices with a software solution to enable the delivery and recording of telephone calls/video calls for the purposes of care delivery.
The Practice ensures that personal data it collects in this way is only used for the purposes of delivery of service, fact checking and quality assurance.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services
Your Rights
- To access, view or request copies of your personal information held by the Practice
- Request rectification of any inaccuracy in your personal information
- Restrict the processing of your personal information where:
- accuracy of the data is contested
- the processing is unlawful
- we no longer need the data for the purposes of the processing
Right to object: Users have a general right to object to the sharing of personal data.
If you wish to exercise any of your rights, contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If dissatisfied with the way the Practice processes your data, you may appeal/complain to the Practice’s Data Protection Officer (see section 6), or the Information Commissioner’s Office (see section 8).
Surgery Connect
Purpose of the processing
The Surgery Connect system provides practices with a software solution to enable the delivery and recording of telephone/video calls for the purposes of care delivery.
The Practice ensures that personal data it collects in this way is only used for the purposes of delivery of service, fact checking and quality assurance.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(b) – processing necessary for carrying out obligations and exercising specific rights of the data subject
- Article 9(2)(h) – necessary for medical/social care or system management
Your Rights
- Access or request copies of your personal information
- Rectification of inaccurate personal information
- Restrict processing where:
- accuracy is contested
- processing is unlawful
- data is no longer needed
Right to object: You may object to sharing of personal data. Requests should be directed to the Practice (data controller) or the DPO.
Right to complain: Contact the Practice’s Data Protection Officer (section 6) or the Information Commissioner (section 8) if not satisfied.
Tree View Design
Purpose of the processing
Tree View Design provides practices with a software solution to provide a website, including online patient interactions to improve the process of care delivery.
The Practice ensures that personal data it collects in this way is only used for the purposes of delivery of service, fact checking and quality assurance.
Data Retention Period
All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(h) – necessary for medical or social care treatment or systems
Your Rights
- Access or request copies of your personal information
- Rectification of inaccurate personal information
- Restrict processing where:
- accuracy is contested
- processing is unlawful
- data is no longer needed
Right to object: You may object to the sharing of personal data or website tracking. Contact the Practice (data controller) or DPO to exercise your rights.
Right to complain: If dissatisfied with how your data is handled, contact the Data Protection Officer (section 6) or the Information Commissioner (section 8).
IGPR
Purpose of the processing
We use the iGPR system provided by Niche Health or the Medi2Data system provided by Medidata Exchange for the purposes of providing you with medical reports and subject access request responses that are correctly managed in respect of the rights of others.
These providers work as a processor on our behalf. They do not retain or use your medical records for any purpose other than fulfilling your requests.
Data Retention Period
All records held by the Practice and the IGPR Sharing system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.
Lawful basis (UK GDPR)
- Article 6(1)(e) – public interest or in the exercise of official authority
- Article 9(2)(h) – processing is necessary for medical or social care treatment, or the management of health or social care systems and services
Your Rights
- To access, view or request copies of your personal information
- Request rectification of any inaccuracy in your personal information
- Restrict the processing of your personal information where:
- accuracy of the data is contested
- the processing is unlawful
- we no longer need the data for the purposes of the processing
Right to object or opt-out: You have the right to raise an objection or opt out of having an SCR by returning a completed opt-out form to your GP practice. We will explain how this may affect the care you receive.
If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.
Right to complain: If you are dissatisfied with the way the Practice processes your data, you may appeal/complain. Contact the Practice’s Data Protection Officer (section 6) or the Information Commissioner’s Office (section 8).