Introduction

The Data Protection Regulations in the UK include two key pieces of law:

  • The Data Protection Act 2018
  • The UK GDPR

There are other regulations in specific areas which need to be taken into account. This Privacy Notice has been written within the legislative framework as at November 2024. It will be revised as the framework and case law change. This notice was last updated November 2024.

What is this Privacy Notice about?

This Privacy Notice is part of the information to data subjects about how personal data is used. Being transparent and providing accessible information to individuals about how organisations will use their personal information is a key element of Data Protection Regulations.

This Privacy Notice is part of our programme to make the data processing activities we are carrying out to meet our healthcare obligations transparent.

The Privacy Notice tells you about information we collect and hold about you, the legal basis for collecting and holding the information, what we do with it, how we keep it secure (confidential), who we might share it with and what your rights are in relation to your information.

Who we are

We are the Caversham Group Practice. We provide medical services to you as a patient as part of the NHS.

Types of information we use

We use the following types of information/data:

Personal data and special category personal data such as:

  • demographics – name, address, date of birth, postcode, NHS number
  • racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, medical/health data, sexual life or sexual orientation data.

(special category personal data is sometimes called sensitive personal data)

  • Pseudonymised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code.
  • Anonymised - about individuals but with identifying details removed.
  • Aggregated - anonymised information grouped together so that it doesn't identify individuals.

What we use your personal data and special category personal data for

We use and share information about you in a number of ways. These include, if you are a patient:

  • Primary uses - information from your GP medical record which can be made available to other NHS and public sector organisations, including doctors, nurses and care professionals in order to help them make the best-informed decision, and provide you with the best possible direct care delivery.
  • Secondary uses - information from your GP medical record involves extracting identifiable data and (usually) sharing that data with other NHS organisations, for the purpose of indirect care. Examples include using your information for research, auditing, and healthcare planning (population health management).

If you’re a member of staff, we process your data for the purposes of your employment contract, professional monitoring requirements, your health and safety and other employment-related matters.

You have rights to object to the use of your personal data in some circumstances, particularly for secondary use. These are often called “opt-outs”. Details of the available objections are given in section 15 below.

Identity and Contact details of the Data Controller and Data Protection Officer

Practice Contact Details

The Caversham Group Practice
4 Peckwater Street
London
NW5 2UP

Practice ICO Reference Number: Z6080227

Data Protection Officer

You can contact the data protection officer by post at the practice address, addressed for the attention of the Data Protection Officer, or by email to

Name: Steve Durbin
Email: dpo.ncl@nhs.net

Please quote the practice name in any communication. The Data Protection Officer service is provided across NCL practices.

Organisations we share your personal information with

We share information about you with other GPs, NHS acute or mental health Trusts, local authorities, community health providers, pharmacists, commissioning organisations, medical research organisations and some specific non-NHS organisations for the purposes of direct care and secondary uses.

We are required under the law to provide you with the following information: how we process your personal data, the purpose of processing, recipient/categories of your personal data, the identity of our Data Protection Officer (DPO), how long we retain personal information about you, the legal basis and justification for the processing, and your right to view, request access to or copies of your personal information, or object to the processing.

Please contact us if you require a copy of the detailed information about each organisation.

The Information Commissioner

The office of the Information Commissioner (ICO) is the regulator for personal data use in the UK. You can contact them with complaints or concerns regarding our use of your personal data, but please note you should always attempt to resolve issues with us first.

The ICO can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire

Find out how to contact the ICO

What is EMIS Systems Local Record Sharing?

Your GP medical record is held on our secure clinical system called EMIS Web. This clinical system allows for local record sharing with other healthcare providers who are commissioned in your area to provide care (e.g. acute hospitals, mental and community health). Through this record sharing, clinicians are able to see clinical information entered by other organisations who are party to the EMIS local record sharing agreement.

This local sharing is used to provide direct patient care for services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across North Central London in line with the local care delivery strategy.

It also enables specific GPs to identify their patients with highly complex, multiple morbidity and/or frailty, who might benefit from targeted multi-disciplinary team support as part of case management and care planning (the "Case Finding Purpose").

What do we use anonymised data for?

We use anonymised data to plan health care services. Specifically we use it to:

  • check the quality and efficiency of the health services we provide;
  • plan for future service delivery to take into account local needs and priorities;
  • prepare performance reports on the services we provide; and
  • review the healthcare we provide to ensure it is of the highest standard.

Details of data linkage with other datasets

Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

The organisation responsible for processing de-identified and linked data under this category, on behalf of the Practice, is North Central London Integrated Care Board. We ensure that the data processor is legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the data protection legislation. This requires us to process personal data only if there is a lawful basis for doing so and that any processing must be fair and lawful.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

Our appropriate technical and security measures include:

  • the ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems;
  • the ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of security measures, and ensuring they comply with the concept of privacy by design and default.

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All Practice staff are trained to ensure information is kept confidential.

We are registered with the Information Commissioner’s Office (ICO) as a data controller and collect data for a variety of purposes. A copy of the registration is available through the ICO website. You can search by our Practice name or ICO Data Protection Register number, both of which are given at section 6 above (contact details).

What are your rights?

Where information from which you can be identified is held, you have the:

  • Right of access to view or request copies of the records
  • Right to rectification of inaccurate personal data or special categories of personal data
  • Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
  • Right to object to any automated individual decision-making
  • Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine readable format. Your right to portability applies only where:
    • data is processed by automated means, and
    • you provided consent to the processing or,
    • the processing is necessary for the fulfilment of a contract

These rights will only apply where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

Your right to erasure (right to be forgotten) will only apply where you had given ‘consent’ to process your personal health data and later withdrew the consent, and does not apply to the extent where the processing of your personal health data is necessary for:

You can exercise your rights at any time by contacting the Practice (data controller) or the Data Protection Officer (DPO) at the contact addresses given, although we will first need to explain how this may affect the care you receive and any overriding legitimate grounds for the processing that may apply.

Gaining access to the data we hold about you

You have the right to see or have a copy of personal data we hold that can identify you. You do not need to give a reason to see your data. However, some information may be withheld under some exceptional circumstances.

If you want to access your personal information you must do so by contacting the practice at the address given or by contacting our DPO at the address given. Note that as the DPO does not have access to personal data, the DPO will forward requests to the practice; however, it is a legal right for you to use this route should you choose.

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

What sort of information can I request?

In theory, you can request any information that the Practice holds that does not fall under an exemption under the FOI Act. You may not ask for information that is covered by the Data Protection Regulations under FOIA i.e. personal data. However, you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’.

How do I make a request for information?

Your request must be in writing

  • Post: The Caversham Group Practice, 4 Peckwater Street, London NW5 2UP

How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit Your NHS Data Matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Our organisation is compliant with the national data opt-out policy. There are other objections to processing – opt-outs – available to you. Please see the next pages for a summary of these.

National Data Opt-Out for Confidential Patient Data for Research and Planning

Is it direct care use only? Who can see it? Is my personal data sold?

Not direct care, it is research and planning. By opting out you restrict your confidential patient data from this use

It is available to researchers/planners anywhere who have demonstrated a research and planning need for identifiable data and been through the approval process which includes data protection and ethics reviews.

This differs from the Type 1 opt-out (see below) in that it applies to all your data. Note that NHS Digital (now the NHS England Transformation Directorate) have stated that the GP Data for Research and Planning is only restricted by the Type 1 opt-out. NHS Digital have stated that the National Data Opt-Out does not apply to confidential data used within the NHS.

What does it mean if I opt out?

For you
If critical issues are discovered via research that could have identified you as someone at risk, you will not be included and hence not informed early.

For care in my area
No impact

For the NHS
The NHS will be less able to plan.
Research may be affected by not having information.

How do I get more information? How do I opt in / opt out?

There is a detailed information page at Your data matters

You can opt in or out via the page above.

If you wish to exercise your choice by post, a form is available at the Surgery.

Note that if you opt out, data that does not identify you can still be used, e.g. number of patients in an area.

London Care Record (Local Shared Care Record – HIE/HEI)

Is it direct care use only? Who can see it? Is my personal data sold?

Yes, direct care only. All uses are direct care and restricted to the London area.

It is available to health and care practitioners involved in your direct care in the London area.

Because it is direct care only, we will never sell your personal information

What does it mean if I opt out?

For you
People providing care to you may not have the latest information. You will probably have to answer repeated questions, and there is a risk of harm to you because local information (e.g. at a hospital) may be out of date. You may be at risk if treated in an emergency situation and are unable to provide information.

For care in my area
We will be less able to join up your services and it will make it more difficult, and expensive, to provide some care to you. Where health and care initiatives are taking place outside your GP, you may not be included as your record will not be visible.

For the NHS
The extra cost may impact the wider NHS.

How do I get more information? How do I opt in / opt out?

There is detailed information on their website

Your GP surgery also has copies of the information in multiple languages.

The form to exercise your choice is provided as part of the detailed information.

Note that if you opt out, data that does not identify you can still be used, e.g. number of patients in an area.

North Central London Integrated Care System Secondary Data Use

Is it direct care use only? Who can see it? Is my personal data sold?

Not direct care; this is use for planning of services, review of deliveries and other purposes involving population health.

What does it mean if I opt out?

For you
You won’t be represented in statistics and planning. This is unlikely to impact you individually, but if enough people with similar needs to yours opt-out, services may not represent your needs.

For care in my area
We will be less able to plan services in a way that meets all the needs in the area.

For the NHS
The extra cost may impact the wider NHS.

How do I get more information? How do I opt in / opt out?

There is a detailed information page and opt-out form on their website 

Summary Care Record (National Shared Care Record - SCR)

Is it direct care use only? Who can see it? Is my personal data sold?

Yes, direct care only. All uses are direct care. You will be asked for consent before the record is accessed, if this is possible.

It is available to health and care practitioners involved in your direct care anywhere in England where you are treated.

Because it is direct care only, we will never sell your personal information

What does it mean if I opt out?

For you
People providing care to you away from the London area will have little information about you. You will probably have to answer repeated questions. You may be at risk if treated in an emergency situation and are unable to provide information. You can choose to have no summary record, a basic summary record containing data for your safety, or a more detailed record including additional clinical data.

For care in my area
This record is not generally used locally as the HIE record is used.

For the NHS
It affects the ability of health and care practitioners to treat you safely.

How do I get more information? How do I opt in / opt out?

Full details of the Shared Care Record (SCR)

Your GP surgery will also have a national leaflet available explaining the Shared Care Record.

The national leaflet is available to download from the page above, or available at your GP and contains details of how to exercise your options.

Note that during the pandemic, NHSE updated to include additional SCR for all persons who had not expressly dissented – see the page above.

GP Connect Record Sharing

Is it direct care use only? Who can see it? Is my personal data sold?

Yes, direct care only. All uses are direct care. You will be asked for consent before the record is accessed, if this is possible.

It is available to health and care practitioners involved in your direct care anywhere in England where you are treated.

Because it is direct care only, we will never sell your personal information

What does it mean if I opt out?

For you
People providing care to you away from the London area will have little information about you. You will probably have to answer repeated questions. You may be at risk if treated in an emergency situation and are unable to provide information. You can choose to have no summary record, a basic summary record containing data for your safety, or a more detailed record including additional clinical data.

For care in my area
This record is not generally used locally as the London Care Record is used.

For the NHS
It affects the ability of health and care practitioners to treat you safely.

How do I get more information? How do I opt in / opt out?

Awaiting details; the national data sharing agreement is being finalised; when it is, the details will be part of the agreement.

Patients are advised by NHSE to contact their practice if they wish to opt out.

Type 1 Opt-Out (GP Record sharing for Research and Planning)

Is it direct care use only? Who can see it? Is my personal data sold?

Not direct care, it is research and planning. By opting out you restrict your confidential GP patient data from this use.

It is available to researchers/planners anywhere who have demonstrated a research and planning need for identifiable data and been through the approval process which includes data protection and ethics reviews.

Your GP will never sell your personal information.

This differs from the National Data Opt-Out in that it applies to your GP data only. The National Data Opt-Out also opts out other providers. Note that NHS Digital (now the NHS England Transformation Directorate) have stated that the GP Data for Research and Planning is only restricted by this opt-out.

What does it mean if I opt out?

For you
If critical issues are discovered via research that could have identified you as someone at risk, you will not be included and hence not informed early.

For care in my area
No impact

For the NHS
The NHS will be less able to plan.
Research may be affected by not having information.

How do I get more information? How do I opt in / opt out?

There is a detailed information page on the NHS Website

No GP electronic care record sharing

Is it direct care use only? Who can see it? Is my personal data sold?

Yes and no. This covers ALL electronic sharing so no data will be shared outside of your GP

No record is available outside your GP

Because there is no electronic record there is nothing to sell

What does it mean if I opt out?

For you
Every interaction outside of your GP will require a letter to be sent to share data. This can put you at risk as information will be incomplete.

This option includes the type 1 opt-out, so those issues also apply.

For care in my area
Cost, difficulty and patient risk of care are increased as practitioners do not have access to your information.

This option includes the type 1 opt-out, so those issues also apply.

For the NHS
Increased cost and complexity of care.

This option includes the type 1 option so those issues also apply.

How do I get more information? How do I opt in / opt out?

Speak directly to your GP; because of the clinical risk it is recommended that you discuss first.

Other provider opt-outs (e.g. Mental Health Trusts)

Is it direct care use only? Who can see it? Is my personal data sold?

Yes – direct care. This covers ALL electronic sharing at the provider (e.g. if you had received treatment at the hospital it would not be shared electronically back to your GP or other providers).

No record is available outside the provider where you received treatment. Sharing of data to ensure treatment will be by letter/email.

Because there is no electronic record there is nothing to sell

What does it mean if I opt out?

For you
Every interaction outside of your provider will not have the information from that provider; this may create risks for you as your treatment may be incorrect.

For referrals, a letter/email will provide the data. This can put you at risk as information will be incomplete.

For care in my area
Cost, difficulty and patient risk of care are increased as practitioners do not have access to your information.

For the NHS
Increased cost and complexity of care.

How do I get more information? How do I opt in / opt out?

Speak to the individual provider.

They will provide opt-out information and how to exercise it.