Privacy Notice Sharing

 


a. Direct Medical Care and Administration

 

NHS Trusts – Hospitals, Community or Mental Health Trusts

Other care providers with NHS contracts (e.g. services providing ultrasound scans, medical imaging; specialist providers such as those providing day surgery, other direct care tests / services)

Purpose of the Processing

Personal data concerning your GP medical record may be shared with NHS Trusts in order to enable their healthcare professionals to make the best informed decision about your health needs, and provide you with the best possible care if you visit these providers for routine care and referrals.

Your information will also be shared with other care providers to provide the best care, for example for medical imaging tests the practice cannot perform itself.

Note that NHS contracts are commonly delivered by private organisations; some of these providers will be partnerships, companies and other bodies, along with statutory NHS bodies such as NHS Trusts.

Your personal information may also be processed for local administrative purposes such as:

  • Waiting list management;
  • Local clinical audit;
  • Performance against local targets;
  • Activity monitoring;
  • Production of datasets to submit for commissioning purposes and national collections.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Code of Practice for Health and Social Care.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - processing for legal obligation
  • Article 6(1)(e) - public interest or in the exercise of official authority
  • Article 9(2)(b) - processing necessary in the field of employment, social security and social protection law
  • Article 9(2)(h) - processing necessary for medical or social care treatment or management of health or social care systems and services

Related Legislation

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view or request copies of your personal information;
  • Request rectification of any inaccuracy in your personal information;
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested,
    • The processing is unlawful, or
    • Where we no longer need the data for the purposes of the processing.
  • Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
  • If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.
  • Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer, or if not satisfied, with the Information Commissioner (ICO).

Emergency Services

(Ambulance trusts, police, A&E departments, out of hours services, 111)

Purpose of the Processing

We may share your personal information with Emergency Services to ensure that they have access to relevant medical history and current medications in urgent and emergency situations. This is to safeguard your health and facilitate appropriate and timely medical intervention.

Data Retention Period

Personal data shared with emergency services will be retained in accordance with national NHS guidelines and the Records Management Code of Practice for Health and Social Care. Data held by emergency services is subject to their own retention periods.

Lawful Basis (UK GDPR)

  • Article 6(1)(d) - processing necessary to protect vital interests of the data subject or another individual
  • Article 9(2)(c) - processing necessary to protect vital interests where the data subject is incapable of giving consent
  • Article 9(2)(h) - processing necessary for medical diagnosis, provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared with emergency services;
  • Request rectification of inaccuracies in your personal data;
  • Request restriction of processing in certain circumstances;
  • Right to object where applicable;
  • Right to complain to the Information Commissioner’s Office (ICO) if unsatisfied with how your data has been handled.

GP Federations and Primary Care Networks

(groups of Practices working together, and with other providers, to provide joined-up and effective care)

Purpose of the Processing

We may share your personal information with GP Federations and Primary Care Networks (PCNs) to support the delivery of extended access services, enhanced health in care homes, social prescribing, and the provision of integrated care. This is to facilitate collaborative working between practices and community health services to provide coordinated and improved patient care.

Data Retention Period

Personal data shared with GP Federations and PCNs is retained according to national NHS guidelines and the Records Management Code of Practice for Health and Social Care, and any local data sharing agreements in place.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view or request copies of your personal information shared with Federations or PCNs;
  • Request rectification of inaccuracies in your personal data;
  • Request restriction of processing where applicable;
  • Right to object, subject to exemptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

North Central London Integrated Care Service

Purpose of the Processing

The North Central London Integrated Care Service (ICS) brings together hospitals, community services, GPs, and local authorities to work in a more coordinated way to support patient health and wellbeing. Your personal data may be shared to facilitate integrated care planning and service delivery across health and social care settings, ensuring that care is joined-up and responsive to your individual needs.

Data Retention Period

Data shared with the ICS will be held according to national NHS retention standards and any local data sharing agreements applicable within the North Central London ICS framework.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared with the ICS;
  • Request rectification of any inaccuracies;
  • Request restriction of processing where appropriate;
  • Right to object, unless exemptions apply;
  • Right to lodge a complaint with the Information Commissioner’s Office (ICO).

Pharmacists

Medicines Optimisation

Purpose of the Processing

We may share your personal information with pharmacists involved in medicines optimisation. This ensures that you are prescribed appropriate medication, your treatments are reviewed for effectiveness and safety, and opportunities for improving the use of medicines are identified. This also includes advice about medication, management of side effects, and adherence to prescribed therapies.

Data Retention Period

Data relating to medicines reviews and optimisation processes are retained in accordance with national NHS records management policies and guidance, and stored securely within your GP medical record and pharmacy systems where applicable.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal medication information shared with pharmacists;
  • Request rectification of any inaccuracies in your medication records;
  • Request restriction of processing where applicable;
  • Right to object, unless exemptions apply;
  • Right to complain to the Information Commissioner’s Office (ICO).

Local Authority - Social Services

Purpose of the Processing

We may share your personal information with local authority social services where it is necessary for the delivery of health and social care services, safeguarding purposes, or to enable appropriate care assessments. This includes supporting assessments for care packages, support for vulnerable adults and children, safeguarding investigations, and inter-agency collaborative working to protect health and welfare.

Data Retention Period

Data shared with social services is retained according to national NHS guidelines, the Records Management Code of Practice for Health and Social Care, and in line with local authority retention policies for social care records.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for health or social care purposes
  • Article 9(2)(b) - processing necessary for employment, social security and social protection law

Related Legislation

  • Care Act 2014
  • Children Act 1989 and 2004
  • Data Protection Act 2018 Section 8
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared with social services;
  • Request rectification of inaccuracies in your information;
  • Request restriction of processing where appropriate;
  • Right to object to processing where applicable;
  • Right to complain to the Information Commissioner’s Office (ICO).

Multidisciplinary Care Teams and clinics (MDTs)

Purpose of the Processing

We may share your personal information with multidisciplinary care teams (MDTs) and clinics, involving professionals from various sectors such as GPs, hospital consultants, nurses, social workers, physiotherapists, and mental health specialists. This collaboration ensures coordinated care planning, improved clinical outcomes, and effective management of complex or chronic conditions.

Data Retention Period

Data discussed and recorded as part of MDT meetings and clinics is retained within your GP record or hospital system records, following national guidelines under the Records Management Code of Practice for Health and Social Care.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information discussed within MDTs;
  • Request rectification of inaccuracies;
  • Request restriction of processing under certain circumstances;
  • Right to object, subject to public interest considerations;
  • Right to complain to the Information Commissioner’s Office (ICO).

Care Homes

Purpose of the Processing

We may share your personal information with care homes and their clinical staff to ensure that residents receive safe, appropriate, and coordinated health and social care. This includes the provision of medical records, medication information, care plans, and any necessary medical history to support the delivery of care within the residential setting.

Data Retention Period

Information shared with care homes will be retained in accordance with the care provider’s local retention schedules, as well as national NHS and social care data retention guidance. GP-held records will continue to be maintained according to NHS Records Management standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Care Act 2014
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared with care homes;
  • Request rectification of inaccuracies in your data;
  • Request restriction of processing where appropriate;
  • Right to object to processing, subject to legal limitations;
  • Right to complain to the Information Commissioner’s Office (ICO).

The NHS Account and the NHS App

Purpose of the Processing

Your NHS Account and the NHS App allow you to access a range of NHS services online. To support this, your personal information, such as contact details, NHS number, and clinical information, may be shared securely with NHS Digital (now NHS England) and other relevant systems to facilitate your use of the app’s services including managing appointments, ordering repeat prescriptions, viewing medical records, and accessing health advice.

When you use the NHS App, your data is processed to confirm your identity, personalise your experience, and provide appropriate services securely and efficiently.

Data Retention Period

Information provided for NHS App services is stored and retained according to NHS Digital’s data retention policies and complies with the NHS Records Management Code of Practice for Health and Social Care. Some data will also remain held within your GP record according to national standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of personal information processed via the NHS App and NHS Account services;
  • Request rectification of any inaccuracies;
  • Request restriction of processing in certain cases;
  • Right to object, subject to legal exceptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

b. Other primary care services delivered for the purposes of direct care

 

Integrated Urgent Care Service (IUC)

covering Out of Hours and NHS 111 service

Purpose of the Processing

We may share your personal information with Integrated Urgent Care Services (IUC), including out of hours GP services and NHS 111, to ensure that appropriate advice, triage, and urgent healthcare services can be provided when you need them. Information shared may include your demographic details, medical history, current medications, and presenting complaint.

Data Retention Period

Records relating to IUC service contacts are maintained according to NHS national retention schedules. Data shared during out of hours and NHS 111 contacts will be stored securely within IUC systems and in your GP record where applicable.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared with IUC services;
  • Request rectification of inaccuracies in your data;
  • Request restriction of processing where appropriate;
  • Right to object, subject to applicable exemptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

Continuing Health Care (CHC)

Purpose of the Processing

We may share your personal information with Continuing Health Care (CHC) teams to assess eligibility and facilitate the provision of NHS-funded care packages for individuals with significant ongoing healthcare needs. This includes the sharing of medical records, assessment documentation, and care plans necessary for decision-making processes and care delivery.

Data Retention Period

Information related to CHC assessments and decisions is stored in accordance with national NHS data retention guidelines, ensuring it remains securely managed within both the GP record and the relevant CHC service systems.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • National Framework for NHS Continuing Healthcare and NHS-funded Nursing Care
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared with CHC services;
  • Request rectification of inaccuracies in your data;
  • Request restriction of processing under certain circumstances;
  • Right to object to processing, subject to public interest requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

MyCAW® Measure Yourself Concerns and Wellbeing (Meaningful Measures)

Purpose of the Processing

We may collect and share information from the MyCAW® (Measure Yourself Concerns and Wellbeing) tool, a validated assessment tool designed to capture patient concerns and wellbeing outcomes. The information helps healthcare professionals understand your priorities, concerns, and health goals, enabling better personalised care planning and service improvement assessments.

Data Retention Period

MyCAW® data collected as part of patient interactions is retained securely and in line with national and local NHS data retention standards, usually forming part of the clinical record or a specific service outcome record.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your MyCAW® assessment information;
  • Request rectification of inaccuracies in the assessment data;
  • Request restriction of processing where appropriate;
  • Right to object to the processing of personal data collected via the MyCAW® tool, subject to conditions;
  • Right to complain to the Information Commissioner’s Office (ICO).

Online Consultation Provider

eConsult

Purpose of the Processing

We use the eConsult online consultation system to allow patients to submit clinical and administrative queries remotely. Personal information, including your contact details, health concerns, and relevant medical history, may be collected through the eConsult platform to support clinical decision-making, triage, and follow-up care by the Practice team.

Data Retention Period

Information submitted via eConsult is stored securely within the Practice’s clinical systems and is retained according to the NHS Records Management Code of Practice for Health and Social Care. eConsult submissions may also be stored temporarily within eConsult systems according to their privacy policies before integration with your GP record.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your consultation submissions made via eConsult;
  • Request rectification of inaccuracies in your information;
  • Request restriction of processing where appropriate;
  • Right to object to processing, subject to legal and clinical requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

Voluntary sector, Resilience networks and Social Prescribing

Purpose of the Processing

We may share your personal information with voluntary sector organisations, resilience networks, and social prescribing services. These services aim to support patients with non-medical needs such as social, emotional, or practical challenges that affect wellbeing. Information shared typically includes basic contact information, relevant health needs, and social circumstances, enabling link workers and community groups to provide appropriate support and interventions.

Data Retention Period

Information shared with voluntary sector services is retained by those organisations in accordance with their local data protection and retention policies. Any records maintained by the Practice will be stored according to the NHS Records Management Code of Practice for Health and Social Care.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of personal information shared with social prescribing services and voluntary organisations;
  • Request rectification of inaccuracies in your data;
  • Request restriction of processing where appropriate;
  • Right to object to sharing, subject to public interest and safeguarding exceptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

Weight Management Coaching Provider

MoreLife

Purpose of the Processing

We may share your personal information with weight management coaching providers, such as MoreLife, to support patients referred for lifestyle and weight management interventions. Shared information typically includes demographic details, relevant medical history, weight management goals, and progress monitoring data to enable tailored support programmes.

Data Retention Period

Data shared with weight management providers will be retained in accordance with provider-specific retention policies and national health record-keeping guidance. Relevant data may also be held within the Practice’s clinical system as part of your health record.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018 Section 8
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared with weight management providers;
  • Request rectification of inaccuracies in your data;
  • Request restriction of processing where appropriate;
  • Right to object, subject to clinical and public health requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

c. Statutory Disclosures of Information

 

Safeguarding Concerns

to prevent an individual, or to prevent a serious crime

Purpose of the Processing

We may share your personal information without consent when it is necessary to protect individuals at risk of significant harm or to prevent serious crime. This includes safeguarding children, vulnerable adults, and the wider public where a risk has been identified. Information may be shared with local authority safeguarding teams, the police, social care, or other relevant bodies responsible for public protection.

Data Retention Period

Information shared for safeguarding purposes is retained according to legal obligations and safeguarding best practice standards, and will form part of the patient’s permanent health or social care record, subject to specific data protection requirements.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 6(1)(d) - protection of vital interests
  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(c) - protection of vital interests where the data subject is incapable of giving consent
  • Article 9(2)(g) - substantial public interest for safeguarding purposes

Related Legislation

  • Children Act 1989 and 2004
  • Care Act 2014
  • Data Protection Act 2018 Schedule 1, Part 2 (Safeguarding of Children and Individuals at Risk)
  • Common Law Duty of Confidentiality
  • Serious Crime Act 2007

Your Rights

  • To access, view, or request copies of personal information shared for safeguarding purposes, subject to any lawful exemptions;
  • Request rectification of any inaccuracies where applicable;
  • Right to complain to the Information Commissioner’s Office (ICO).

The Care Quality Commission (CQC)

Purpose of the Processing

We are legally required to share certain information with the Care Quality Commission (CQC) to support their regulatory functions, including inspections and investigations into the quality and safety of care services. This ensures compliance with legal duties placed upon the Practice and other healthcare providers regarding service standards and patient safety.

Data Retention Period

Information disclosed to the CQC is held by the CQC in accordance with their own data retention policies. Data shared remains subject to strict confidentiality and statutory oversight requirements. Information disclosed remains part of the Practice’s records in line with NHS retention schedules.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(h) - processing necessary for the provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2008
  • Care Quality Commission (Registration) Regulations 2009
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of information held by the CQC relating to yourself, subject to lawful exemptions;
  • Request rectification of inaccuracies if identified;
  • Right to complain to the Information Commissioner’s Office (ICO).

Law Enforcement and Regulatory Bodies

Purpose of the Processing

We may share your personal information with law enforcement agencies, regulatory bodies, or other public authorities where required by law, or where necessary to prevent, detect, investigate or prosecute criminal offences, or to meet regulatory obligations. Information shared will always be restricted to the minimum necessary to fulfil legal or public protection duties.

Data Retention Period

Information shared with law enforcement and regulatory bodies is held according to the retention policies of the receiving organisation. Copies retained by the Practice will be managed according to NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(g) - substantial public interest relating to legal requirements

Related Legislation

  • Police and Criminal Evidence Act 1984
  • Crime and Disorder Act 1998
  • Data Protection Act 2018 Schedule 1
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared with law enforcement or regulatory bodies, subject to lawful exemptions;
  • Request rectification of inaccuracies in the shared information where appropriate;
  • Right to complain to the Information Commissioner’s Office (ICO).

Medical Examiner Service

Purpose of the Processing

We may share personal information with the Medical Examiner Service to enable the independent review of patient deaths. The Medical Examiner's role includes confirming the cause of death, reviewing the care provided, and identifying whether there are any clinical governance concerns. Information shared will include medical records, death certificates, and other relevant clinical documentation necessary for the scrutiny process.

Data Retention Period

Medical Examiner records are maintained in line with the Medical Examiner Service’s national policies and statutory guidelines. Shared information remains part of the deceased patient’s medical record held by the Practice, retained according to NHS Records Management Code of Practice requirements.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - processing necessary for the provision of health or social care

Related Legislation

  • Coroners and Justice Act 2009
  • Medical Examiner National Framework
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of information reviewed by the Medical Examiner Service relating to deceased family members (subject to legal and ethical considerations);
  • Request rectification if inaccuracies are identified;
  • Right to complain to the Information Commissioner’s Office (ICO).

Medico-Legal

Purpose of the Processing

We may share your personal information for medico-legal purposes where there is a legal requirement or where disclosure is necessary for legal proceedings, such as in response to court orders, coroner's inquests, insurance claims, or solicitors' requests for medical reports. Information disclosed will be limited to that which is relevant and proportionate for the specific legal need.

Data Retention Period

Medico-legal disclosures are recorded and retained securely in the patient's health record and held in accordance with the NHS Records Management Code of Practice for Health and Social Care and legal retention obligations linked to the specific case.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(f) - establishment, exercise or defence of legal claims

Related Legislation

  • Access to Health Records Act 1990
  • Coroners and Justice Act 2009
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of medico-legal information shared, subject to lawful exemptions;
  • Request rectification of inaccuracies where appropriate;
  • Right to object to disclosure where the law permits;
  • Right to complain to the Information Commissioner’s Office (ICO).

General Medical Council (GMC)

Purpose of the Processing

We may share your personal information with the General Medical Council (GMC) if it is necessary for the investigation of professional conduct concerns or fitness to practise procedures involving medical professionals. This helps the GMC carry out its statutory role in regulating doctors and maintaining standards for the benefit of patients and the public.

Data Retention Period

Any information shared with the GMC forms part of their investigatory and regulatory processes and will be retained according to the GMC’s published data retention policies. Records within the Practice relating to the disclosure will be retained in line with the NHS Records Management Code of Practice for Health and Social Care.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(g) - substantial public interest relating to regulatory requirements

Related Legislation

  • Medical Act 1983
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of personal information shared with the GMC, subject to legal restrictions;
  • Request rectification of any inaccuracies;
  • Right to complain to the Information Commissioner’s Office (ICO).

The Health Service Ombudsman (HSO)

Purpose of the Processing

We may share your personal information with the Health Service Ombudsman (HSO) if you lodge a complaint about services provided by the Practice and an independent investigation is required. The HSO has legal powers to investigate complaints relating to NHS services and requires access to relevant information to fulfil this statutory role.

Data Retention Period

Information shared with the HSO will be retained in accordance with their data retention and privacy policies. Records relating to the complaint will also be maintained securely within the Practice’s systems according to NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(g) - substantial public interest relating to complaints handling

Related Legislation

  • Health Service Commissioners Act 1993
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of information shared with the HSO;
  • Request rectification of inaccuracies if applicable;
  • Right to complain to the Information Commissioner’s Office (ICO) regarding how data has been processed.

NHS Counter Fraud

Purpose of the Processing

We may share personal information with the NHS Counter Fraud Authority or authorised counter-fraud services where necessary to prevent, detect, and investigate fraud within NHS services. This helps to protect public funds, maintain the integrity of NHS finances, and ensure that services are provided appropriately.

Data Retention Period

Information shared for counter-fraud investigations will be retained in accordance with NHS Counter Fraud Authority policies and national NHS Records Management Code of Practice requirements. The Practice retains information related to disclosures securely in patient records or internal governance records.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(g) - substantial public interest relating to the prevention and detection of unlawful acts

Related Legislation

  • National Health Service Act 2006
  • Fraud Act 2006
  • Data Protection Act 2018 Schedule 1 (Paragraph 10)
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of information shared with NHS Counter Fraud services, subject to legal exemptions;
  • Request rectification of inaccuracies if applicable;
  • Right to complain to the Information Commissioner’s Office (ICO).

NHS England Transformation Directorate (formerly NHS Digital)

Purpose of the Processing

We may share personal information with the NHS England Transformation Directorate (formerly NHS Digital) to support national health initiatives, service planning, management, research, and commissioning. This includes submissions such as Summary Care Records, the GP Extraction Service (GPES), and other mandated data collections aimed at improving patient outcomes and supporting the NHS.

Data Retention Period

Information shared with NHS England is retained in accordance with statutory and regulatory requirements governing national health data processing. Locally, the Practice retains records of information shared as part of mandated NHS submissions following the NHS Records Management Code of Practice for Health and Social Care.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(h) - provision of health or social care or management of health and social care services
  • Article 9(2)(i) - processing necessary for reasons of public interest in the area of public health

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of data processed by NHS England related to your care, subject to national programme frameworks;
  • Request rectification of inaccuracies where applicable;
  • Right to object to certain uses of data, subject to national opt-out mechanisms;
  • Right to complain to the Information Commissioner’s Office (ICO).

NHS England

Purpose of the Processing

We may share personal information with NHS England for purposes including national service development, public health initiatives, commissioning, planning, management of healthcare services, and research. NHS England supports the broader NHS system by leading improvements in health and care, and data sharing helps ensure that services meet patient needs effectively and safely.

Data Retention Period

Information shared with NHS England is retained in accordance with national regulatory frameworks and NHS England's internal data retention and information governance policies. Records of disclosures at Practice level are retained following NHS Records Management Code of Practice guidance.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(h) - provision of health or social care or management of health and social care services
  • Article 9(2)(i) - processing necessary for reasons of public interest in the area of public health

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of personal information processed by NHS England, subject to legal frameworks;
  • Request rectification of inaccuracies in your information;
  • Right to object to certain processing activities, including national data opt-outs where applicable;
  • Right to complain to the Information Commissioner’s Office (ICO).

Local Authority Public Health

UK Health Security Agency and Office for Health Improvement and Disparities (formerly Public Health England)

Purpose of the Processing

We may share personal information with local authority public health teams, the UK Health Security Agency (UKHSA), and the Office for Health Improvement and Disparities (OHID) to support public health functions, including health protection, health promotion, disease prevention, and health surveillance activities. This enables targeted interventions, outbreak management, health needs assessments, and planning of public health services at a population level.

Data Retention Period

Public health data is retained by local authorities and national agencies according to statutory public health requirements and relevant data protection laws. The Practice retains disclosure records in line with NHS Records Management Code of Practice guidance.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(h) - provision of health or social care or treatment or management of health systems
  • Article 9(2)(i) - public interest in the area of public health

Related Legislation

  • Health and Social Care Act 2012
  • Public Health (Control of Disease) Act 1984
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your information processed for public health purposes;
  • Request rectification of inaccuracies if identified;
  • Right to object to processing, subject to legal public health exemptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

d. Processing for the Purposes of Commissioning, Planning, Research and Risk Stratification

 

Integrated Care Systems / Boards (ICSes / ICBs)

Formerly known as Clinical Commissioning Groups (CCGs)

Purpose of the Processing

We may share personal and pseudonymised information with Integrated Care Systems (ICSes) or Integrated Care Boards (ICBs) to support local commissioning, service planning, resource allocation, and population health management. This enables effective decision-making regarding the delivery of healthcare services, ensures appropriate funding, and helps identify health trends at a population level.

Data Retention Period

Information shared with ICSes and ICBs is retained in accordance with NHS regulatory requirements and information governance policies. The Practice maintains records of shared information under the NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment or management of health and social care systems
  • Article 9(2)(i) - reasons of public interest in the area of public health

Related Legislation

  • Health and Care Act 2022
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of personal data processed by ICSes or ICBs about you;
  • Request rectification of any inaccuracies identified;
  • Right to object to processing where appropriate, subject to legal and public health exceptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

Risk Stratification

Population Health Management and Case Finding

Purpose of the Processing

We may share your personal and pseudonymised information for risk stratification purposes, which involves analysing data to identify patients at risk of certain conditions or events (such as hospital admission or long-term disease development). This helps GPs, commissioners, and health planners target interventions, allocate resources efficiently, and support preventative healthcare strategies to improve patient outcomes.

Data Retention Period

Information processed for risk stratification purposes is retained according to NHS regulatory guidance and national risk stratification programme requirements. Any pseudonymised data is subject to additional safeguards and minimisation practices to ensure appropriate protection.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or management of health or social care systems
  • Article 9(2)(i) - public interest in the area of public health

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of data processed for risk stratification relating to your care;
  • Request rectification of inaccuracies where applicable;
  • Right to object to inclusion in risk stratification programmes, subject to public interest and service planning exceptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

Direct Care

Recipient: Oracle Health (formerly Cerner) - HealtheIntent / HealtheRegistries

Ardens – EMIS Templates

Secondary Use Recipient: NCL ICS

Purpose of the Processing

We may share your personal information with healthcare technology providers such as Oracle Health (HealtheIntent/HealtheRegistries) and Ardens (EMIS Templates) to support direct care activities, clinical audit, care pathway planning, and care coordination services. Additionally, pseudonymised information may be shared with North Central London Integrated Care System (NCL ICS) for secondary use purposes, including service improvement and population health planning, while ensuring minimal risk of re-identification.

Data Retention Period

Information shared with these systems is retained according to NHS regulatory requirements and supplier-specific data retention policies. Data maintained within Practice records complies with NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment or management of health and social care systems
  • Article 9(2)(i) - public interest in the area of public health

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of information processed for direct care and secondary uses relating to your care;
  • Request rectification of any inaccuracies where appropriate;
  • Right to object to certain secondary uses of data, subject to legal exemptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

Prescribing Improvement and Alerting

Recipient: First Databank & UK Optum

Purpose of the Processing

We may share and use personal information within systems provided by First Databank and UK Optum to enhance prescribing safety, ensure evidence-based medicine use, and support medication optimisation programmes. This includes clinical decision support alerts, prescribing audits, and alerts relating to changes in national guidelines or patient-specific medication risks.

Data Retention Period

Information processed for prescribing improvement and alerting purposes is stored in line with the NHS Records Management Code of Practice for Health and Social Care and the specific retention policies of the service providers involved. Practice records regarding prescribing decisions are retained within the patient’s health record.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • Medicines Act 1968
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your prescribing data processed by decision support and improvement systems;
  • Request rectification of inaccuracies in prescribing data where applicable;
  • Right to object to automated processing in specific cases, subject to clinical safety exceptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

Nutrition Improvement

Recipient: Oviva UK Ltd (Paediatric Cow's Milk Allergy, Adult Oral Nutrition Support, Diabetes Remission Services, commonly referred to as Type 2 Diabetes to Remission [T2DR] or Low Calorie Diet [LCD])

Purpose of the Processing

We may share your personal information with Oviva UK Ltd to support nutrition improvement programmes aimed at managing paediatric cow’s milk allergy, providing adult oral nutrition support, and facilitating diabetes remission interventions through structured diet programmes. This enables personalised dietary support to improve clinical outcomes, reduce reliance on medication, and support long-term lifestyle changes.

Data Retention Period

Information processed for nutrition improvement purposes is retained securely in accordance with Oviva UK Ltd’s data retention policies and national NHS data protection standards. Practice records are maintained in accordance with NHS Records Management Code of Practice requirements.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your nutrition improvement programme data;
  • Request rectification of inaccuracies where applicable;
  • Right to object to participation in nutrition support programmes, subject to clinical safety considerations;
  • Right to complain to the Information Commissioner’s Office (ICO).

Research Partners Using Pseudonymised Patient Data

Purpose of the Processing

We may share pseudonymised patient data with approved research partners to support medical research, healthcare innovation, public health studies, and service evaluation projects. Pseudonymised data means that personal identifiers are removed or replaced with codes, significantly reducing the risk of re-identification. Research helps to advance medical knowledge, improve healthcare services, and develop new treatments and interventions.

Data Retention Period

Pseudonymised research data is retained by research partners according to their ethical approval, contractual obligations, and NHS and national research governance frameworks. The Practice retains appropriate records of any data disclosures in accordance with NHS Records Management Code of Practice guidelines.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest
  • Article 9(2)(j) - processing necessary for scientific or historical research purposes or statistical purposes, subject to safeguards

Related Legislation

  • Data Protection Act 2018 Schedule 1, Part 6
  • UK Policy Framework for Health and Social Care Research
  • Common Law Duty of Confidentiality

Your Rights

  • To access information about how your pseudonymised data is used in research projects where feasible;
  • Request rectification if inaccuracies are identified (where applicable);
  • Right to object to the use of your pseudonymised data for research in certain circumstances;
  • Right to complain to the Information Commissioner’s Office (ICO).

Research Partners Using Patient Identifiable Data

Purpose of the Processing

We may share patient identifiable information with approved research partners only where explicit consent has been obtained, or where specific legal authorisation exists (e.g., under Section 251 of the NHS Act 2006). Identifiable data supports clinical trials, healthcare research studies, and service evaluations that directly benefit patient care and public health. Researchers accessing identifiable information must comply with stringent ethical, legal, and information governance standards.

Data Retention Period

Patient identifiable information is retained by research partners in accordance with national research governance standards, ethical approvals, and data protection legislation. The Practice maintains records of disclosures following NHS Records Management Code of Practice policies.

Lawful Basis (UK GDPR)

  • Article 6(1)(a) - consent of the data subject
  • Article 9(2)(a) - explicit consent of the data subject
  • Alternatively, where applicable:
  • Article 6(1)(e) - performance of a task carried out in the public interest
  • Article 9(2)(h) or (i) - health or public health purposes

Related Legislation

  • Data Protection Act 2018 Schedule 1
  • Health Research Authority guidelines
  • UK Policy Framework for Health and Social Care Research
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of personal information used in research projects where identifiable information is involved;
  • Withdraw your consent at any time where consent has been relied upon as the lawful basis for processing;
  • Request rectification of inaccuracies where appropriate;
  • Right to complain to the Information Commissioner’s Office (ICO).

Employment Processing

Purpose of the Processing

We process personal information for employment purposes where necessary for managing workforce activities, including recruitment, HR management, payroll, occupational health, training, performance monitoring, disciplinary procedures, and compliance with employment laws. This applies to information relating to current, former, and prospective employees, contractors, and volunteers.

Data Retention Period

Employee and applicant information is retained in accordance with the Practice’s retention schedules, NHS guidance, and applicable employment law. Records are securely maintained during employment and following termination for periods specified under legal obligations and good practice guidance.

Lawful Basis (UK GDPR)

  • Article 6(1)(b) - performance of a contract
  • Article 6(1)(c) - compliance with a legal obligation
  • Article 6(1)(f) - legitimate interests pursued by the employer (where applicable)
  • Article 9(2)(b) - employment, social security, and social protection law obligations
  • Article 9(2)(h) - occupational health purposes (where applicable)

Related Legislation

  • Employment Rights Act 1996
  • Equality Act 2010
  • Health and Safety at Work Act 1974
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of employment-related personal information;
  • Request rectification of inaccuracies in employment records;
  • Request restriction of processing where appropriate;
  • Right to object to certain types of processing, subject to legal or contractual requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

e. Data Sharing Databases

 

London Care Record

(in North Central London, provided via Oracle Health (formerly Cerner) - Health Information Exchange (HIE))

Purpose of the Processing

We share personal information with the London Care Record, a secure platform designed to allow healthcare professionals across London to access relevant information about your health and care when it is needed for your direct care. This ensures better coordinated care between your GP, hospital teams, community providers, mental health services, and social care partners, reducing duplication and improving outcomes.

Data Retention Period

Information shared within the London Care Record is retained within the contributing clinical systems according to local NHS and social care retention policies. The Health Information Exchange (HIE) facilitates access without permanently storing new clinical data outside of source systems.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your information accessed through the London Care Record;
  • Request rectification of inaccuracies where applicable;
  • Right to object to information sharing within the London Care Record (subject to direct care requirements);
  • Right to complain to the Information Commissioner’s Office (ICO).

Oracle Health Systems

HealtheIntent, HealtheAnalytics, HealthEDW

Purpose of the Processing

We may share personal and pseudonymised information with Oracle Health platforms including HealtheIntent, HealtheAnalytics, and HealthEDW to enable advanced population health management, service planning, performance reporting, and health outcome analysis. These systems support integrated care delivery and help ensure that patient services are optimised based on health needs and local priorities.

Data Retention Period

Data processed within Oracle Health platforms is retained according to contractual terms and NHS data governance frameworks. Pseudonymised datasets are subject to additional controls to minimise identification risks. Practice records regarding disclosures are maintained following NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment
  • Article 9(2)(i) - public interest in the area of public health

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your information processed in Oracle Health platforms where feasible;
  • Request rectification of inaccuracies in shared datasets where applicable;
  • Right to object to certain secondary uses of data, subject to legal exemptions and service requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

EMIS Systems Local Record Sharing – Integrated Care

Purpose of the Processing

We may share personal information through EMIS Systems’ Local Record Sharing functionality to enable integrated care planning and the seamless transfer of clinical information between primary care providers, community services, and secondary care teams. This ensures that healthcare professionals involved in your care have timely access to relevant medical information, improving patient safety and continuity of care.

Data Retention Period

Information shared through EMIS local record sharing remains within the originating clinical systems and is subject to NHS data retention requirements. No separate duplicate database is created by the record sharing system. Access to shared information is controlled via role-based permissions and audit logging.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information shared via EMIS Local Record Sharing;
  • Request rectification of inaccuracies where applicable;
  • Right to object to record sharing for purposes beyond direct care, where legally permissible;
  • Right to complain to the Information Commissioner’s Office (ICO).

National NHS Services “Spine”

Patient Demographics Service, e-Referral Service, Electronic Prescription Service, GP2GP, Summary Care Record

Purpose of the Processing

We share personal information with the National NHS Services infrastructure known as the “Spine” to support core healthcare operations across England. Services include the Patient Demographics Service (for identity management and address updates), e-Referral Service (for booking hospital appointments), Electronic Prescription Service (for issuing prescriptions electronically), GP2GP (for electronic record transfers between GP practices), and the Summary Care Record (providing essential health information in emergencies and urgent care).

Data Retention Period

Information processed through the Spine is retained in accordance with NHS England policies and system-specific retention schedules. Local Practice systems retain records according to the NHS Records Management Code of Practice for Health and Social Care.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • National Health Service Act 2006
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information processed via NHS Spine services where feasible;
  • Request rectification of inaccuracies in your Spine records;
  • Right to object to certain uses of information in national databases, subject to legal exemptions and patient safety considerations;
  • Right to complain to the Information Commissioner’s Office (ICO).

NHS Cervical Screening Management System (CSMS)

Purpose of the Processing

We share personal information with the NHS Cervical Screening Management System (CSMS) to facilitate invitations, recalls, and follow-up management as part of the national cervical cancer screening programme. This ensures eligible patients are informed about their screening opportunities and supports early detection and treatment of cervical abnormalities.

Data Retention Period

Information processed by the CSMS is retained in accordance with NHS national screening programme retention standards. Practice-held records relating to screening invitations and outcomes are managed under NHS Records Management Code of Practice requirements.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of preventive health or occupational medicine services

Related Legislation

  • Health and Social Care Act 2012
  • Cancer Screening Programmes (NHS England Mandate)
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your cervical screening records;
  • Request rectification of any inaccuracies;
  • Right to object to participation in screening programmes, subject to public health considerations;
  • Right to complain to the Information Commissioner’s Office (ICO).

Bowel Cancer Screening System (BCSS)

Purpose of the Processing

We share personal information with the Bowel Cancer Screening System (BCSS) to manage invitations, sample tracking, and follow-up care as part of the national bowel cancer screening programme. Early identification and treatment of bowel cancer significantly improves patient outcomes.

Data Retention Period

Data processed within BCSS is held in accordance with national screening data retention frameworks and NHS information governance standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of preventive health services

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your bowel cancer screening information;
  • Request rectification where applicable;
  • Right to object to screening participation, subject to public health safeguards;
  • Right to complain to the Information Commissioner’s Office (ICO).

Breast Screening Select

Purpose of the Processing

We share personal information with Breast Screening Select to coordinate invitations, mammography appointments, and follow-up management under the national breast cancer screening programme. Early detection of breast cancer is crucial for successful treatment and survival.

Data Retention Period

Screening records are retained under NHS breast screening retention standards and according to NHS Records Management guidelines.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of preventive healthcare services

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your breast screening data;
  • Request rectification of inaccuracies;
  • Right to object to screening under specific circumstances;
  • Right to complain to the Information Commissioner’s Office (ICO).

Abdominal Aortic Aneurysm Screening

Purpose of the Processing

We share personal information to support participation in the national Abdominal Aortic Aneurysm (AAA) screening programme, aimed at detecting aneurysms early to prevent rupture and improve patient outcomes. Eligible individuals are invited based on demographic criteria and clinical information.

Data Retention Period

Information collected through AAA screening is held according to NHS national screening programme retention policies.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of preventive healthcare services

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your AAA screening information;
  • Request rectification if inaccuracies are found;
  • Right to object to participation in the screening programme, subject to public health implications;
  • Right to complain to the Information Commissioner’s Office (ICO).

f. Data Processors

AccuRx

Purpose of the Processing

We use AccuRx to facilitate patient communications including appointment reminders, clinical messaging, patient questionnaires, and document sharing between the Practice and patients. This enables secure, timely, and efficient communication to support direct care delivery and patient engagement.

Data Retention Period

Data processed through AccuRx is stored according to AccuRx’s data protection and retention policies. Communications and documentation integrated into the patient record are retained within the Practice’s clinical system according to NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your communications processed through AccuRx where feasible;
  • Request rectification of inaccuracies in communication records;
  • Right to object to specific types of communication processing, subject to direct care requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

Amazon Web Services (AWS)

Purpose of the Processing

We use Amazon Web Services (AWS) as a secure hosting platform for certain clinical systems and data processors who provide services to the Practice. AWS provides the underlying cloud infrastructure that supports the secure storage, processing, and transmission of personal health information for patient care and operational activities.

Data Retention Period

AWS itself does not determine retention periods but hosts data according to the policies set by the data controllers and processors using its infrastructure. The Practice ensures that hosted data complies with NHS data retention policies and NHS Digital’s cloud security principles.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • NHS Digital Cloud Security Guidance
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request information about how your personal data is hosted via AWS services where feasible;
  • Request rectification of inaccuracies where applicable;
  • Right to object to specific types of processing if data is hosted outside the UK without appropriate safeguards (not applicable where full NHS compliance is maintained);
  • Right to complain to the Information Commissioner’s Office (ICO).

HealthTech-1

Purpose of the Processing

We use HealthTech-1 to support clinical coding, summarisation of medical records, processing of new patient forms, and the provision of various administrative services. These activities help ensure that patient records are accurately maintained, coded correctly for clinical audits and reporting, and support smooth patient onboarding and administrative workflows.

Data Retention Period

HealthTech-1 processes data under strict agreements requiring compliance with NHS data protection and information governance standards. All data processed is returned to or retained within the Practice’s clinical system according to NHS Records Management Code of Practice policies. HealthTech-1 retains only the minimum data necessary for as long as required to deliver contracted services.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information processed during clinical coding, summarisation, or administrative support;
  • Request rectification of inaccuracies where applicable;
  • Right to object to processing activities not directly related to direct care, subject to legal requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

Heidi Health

Purpose of the Processing

We use Heidi Health to support clinical coding, medical summarisation, and the creation of referral letters and patient letters based on AI-assisted analysis of conversations between patients and practitioners, or verbal statements made by practitioners. This helps improve the accuracy and efficiency of clinical documentation, enabling healthcare professionals to focus more on patient care while maintaining high-quality medical records.

Data Retention Period

Heidi Health processes information under strict agreements that require compliance with NHS information governance and security standards. Data processed for summarisation and letter creation is either integrated into the patient’s clinical record or securely deleted after completion of the contracted task. The Practice retains records according to NHS Records Management Code of Practice requirements.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of documents created via Heidi Health services where feasible;
  • Request rectification of inaccuracies identified in summaries or communications;
  • Right to object to AI-based processing of your health data where legally permissible;
  • Right to complain to the Information Commissioner’s Office (ICO).

Community Links

Purpose of the Processing

We use Community Links services to support patient contact for routine call and recall programmes such as immunisations, cervical screening, health checks, and chronic disease reviews. Community Links also provides language assistance and support services to ensure accessibility and engagement for patients whose first language is not English or who require additional help navigating healthcare services.

Data Retention Period

Information shared with Community Links is retained only for the duration necessary to carry out contact and assistance activities, after which it is securely deleted in accordance with NHS data protection and retention standards. Permanent clinical records remain within the Practice's own systems as required by the NHS Records Management Code of Practice.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Equality Act 2010
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request information about contacts made by Community Links on your behalf;
  • Request rectification of inaccuracies where applicable;
  • Right to object to external communication support services being used, subject to care and public health requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

Microsoft Azure and Office 365

Including Teams, SharePoint, and OneDrive

Purpose of the Processing

We use Microsoft Azure and Office 365 platforms, including Teams, SharePoint, and OneDrive, to support secure communications, document storage, collaboration, and administrative processes. These tools help ensure safe, efficient internal management of healthcare information, enable remote and hybrid working, and allow secure document sharing between authorised healthcare professionals and administrative teams.

Data Retention Period

Data processed and stored on Microsoft Azure and Office 365 platforms is subject to the Practice’s internal retention schedules aligned with NHS data protection guidance. Microsoft provides hosting infrastructure but acts only on the Practice’s instructions as data processor under strict contractual terms and NHS Digital security guidelines.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • NHS Digital Cloud Security Guidelines
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information processed via Microsoft services where feasible;
  • Request rectification of inaccuracies where identified;
  • Right to object to specific types of cloud-hosted processing, subject to legal and NHS operational requirements;
  • Right to complain to the Information Commissioner’s Office (ICO).

CCTV and Security Monitoring

Provided by NHS Property Services

Purpose of the Processing

We use CCTV and security monitoring services provided by NHS Property Services to ensure the safety and security of patients, staff, visitors, and property. CCTV footage is used to deter crime, assist in the investigation of incidents, and promote a safe environment across healthcare premises. Monitoring systems are installed in line with legal, ethical, and NHS information governance standards.

Data Retention Period

CCTV footage is retained for a limited period, typically no longer than 30 days unless required for an active investigation, legal proceeding, or serious incident review. Retention schedules comply with NHS Property Services security policies and the NHS Records Management Code of Practice where applicable.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(g) - substantial public interest, particularly in safeguarding individuals and property

Related Legislation

  • Data Protection Act 2018
  • Protection of Freedoms Act 2012
  • Surveillance Camera Code of Practice
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of CCTV footage involving yourself, subject to lawful exemptions (e.g., third-party privacy, ongoing investigations);
  • Request rectification of inaccuracies where possible (e.g., camera placement notices);
  • Right to object to excessive surveillance, where applicable;
  • Right to complain to the Information Commissioner’s Office (ICO).

EMIS Health and Egton

Purpose of the Processing

We use systems provided by EMIS Health and Egton to manage electronic patient health records, appointment booking, prescriptions, referrals, and administrative workflows. These systems ensure the secure and efficient management of clinical and operational information necessary for providing direct care to patients and for the smooth running of the Practice’s services.

Data Retention Period

Personal information managed through EMIS Health and Egton systems is retained in line with national NHS retention standards and the NHS Records Management Code of Practice. The Practice remains the data controller and determines retention periods, while EMIS Health and Egton act as data processors under contractual arrangements.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information processed by EMIS Health and Egton systems;
  • Request rectification of inaccuracies in your electronic health records;
  • Right to object to specific data processing practices where applicable under law;
  • Right to complain to the Information Commissioner’s Office (ICO).

Huma Therapeutics Limited (Huma)

Purpose of the Processing

We use services provided by Huma Therapeutics Limited (Huma) to support remote patient monitoring, chronic disease management, health data collection, and clinical research programmes. Huma’s platform enables patients to input health information via mobile applications and allows clinicians to track patient progress, intervene when necessary, and improve healthcare outcomes through remote care solutions.

Data Retention Period

Data collected via Huma platforms is processed and stored securely in line with Huma's data protection policies and NHS information governance standards. Data is retained only for the duration required to support patient care, research activities, or service evaluation, after which it is securely deleted or anonymised where appropriate. Clinical records are maintained by the Practice according to NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment
  • Article 9(2)(j) - scientific research purposes (where applicable)

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information processed by Huma’s systems;
  • Request rectification of inaccuracies where applicable;
  • Withdraw consent where research activities are based on explicit consent;
  • Right to object to specific uses of your health information, subject to care and research governance considerations;
  • Right to complain to the Information Commissioner’s Office (ICO).

NHSMail

Purpose of the Processing

We use NHSMail, the NHS’s secure email service, to facilitate the secure exchange of personal and sensitive information between healthcare organisations, patients, and third-party service providers. NHSMail ensures that confidential information is transmitted safely and in compliance with NHS information governance and cybersecurity standards.

Data Retention Period

Emails processed via NHSMail are retained according to NHS Digital’s email retention and archiving policies. Data within NHSMail systems is stored securely and deleted in line with NHS data lifecycle management standards. Any information shared via email that needs to be part of the patient record is transferred securely into the clinical record system and retained according to NHS Records Management Code of Practice policies.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your personal information transmitted via NHSMail where appropriate;
  • Request rectification of inaccuracies in communication records;
  • Right to complain to the Information Commissioner’s Office (ICO).

North Central London Integrated Care Board

(formerly North Central London Clinical Commissioning Group (CCG))

Purpose of the Processing

We share personal and pseudonymised information with the North Central London Integrated Care Board (ICB) to support commissioning activities, service improvement, clinical audits, and integrated care planning across the region. The ICB ensures that services are coordinated and delivered effectively to meet the health needs of the local population.

Data Retention Period

Data shared with the ICB is retained according to NHS national frameworks, local commissioning agreements, and NHS Records Management Code of Practice standards. Pseudonymised data is handled with additional safeguards to minimise identification risks wherever possible.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment
  • Article 9(2)(i) - public interest in the area of public health

Related Legislation

  • Health and Care Act 2022
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your information processed by the ICB;
  • Request rectification of inaccuracies where applicable;
  • Right to object to processing for commissioning or planning purposes under certain conditions;
  • Right to complain to the Information Commissioner’s Office (ICO).

GP Practice Data Extraction Services

Purpose of the Processing

We use authorised data extraction services to securely extract information from GP clinical systems for purposes such as national audits, disease registries, public health monitoring, and service improvement initiatives. These extractions help meet statutory reporting requirements and support planning and evaluation of NHS services at local, regional, and national levels.

Data Retention Period

Data extracted is retained by the recipient bodies (e.g., NHS England, research organisations) according to the terms set out in data sharing agreements, NHS Digital standards, and applicable research and public health frameworks. The Practice maintains oversight of extractions and ensures compliance with NHS Records Management Code of Practice requirements.

Lawful Basis (UK GDPR)

  • Article 6(1)(c) - compliance with a legal obligation
  • Article 6(1)(e) - performance of a task carried out in the public interest
  • Article 9(2)(h) - provision of health or social care or treatment
  • Article 9(2)(i) - public interest in the area of public health

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request information about how your data is extracted and used where feasible;
  • Request rectification of inaccuracies where applicable;
  • Right to object to certain extractions, such as opting out of specific data sharing programmes (e.g., National Data Opt-Out);
  • Right to complain to the Information Commissioner’s Office (ICO).

Docman

Purpose of the Processing

We use Docman systems to manage and store incoming and outgoing correspondence, such as hospital letters, referral documents, reports, and administrative communications. Docman enables the secure electronic handling of patient-related documents within the Practice, ensuring they are attached to the correct patient record and readily accessible for clinical care and administration.

Data Retention Period

Documents managed through Docman are retained as part of the patient’s electronic health record in accordance with NHS Records Management Code of Practice retention schedules. Docman acts as a processor under contract, hosting documents securely and enabling efficient access by healthcare staff.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your correspondence managed through Docman systems;
  • Request rectification of inaccuracies or misfiled documents;
  • Right to complain to the Information Commissioner’s Office (ICO).

Docmail

Purpose of the Processing

We use Docmail to provide outsourced printing and mailing services for patient communications, including appointment letters, health check invitations, recall reminders, and other official correspondence. Using Docmail helps ensure that communications are sent securely, efficiently, and cost-effectively while maintaining patient confidentiality at all times.

Data Retention Period

Personal information transferred to Docmail for printing and posting is retained only for the period necessary to complete the mailing task, after which it is securely deleted in accordance with NHS information governance policies and contractual requirements. A copy of the correspondence is stored within the Practice’s clinical system for record-keeping purposes in line with NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of communications sent via Docmail where retained by the Practice;
  • Request rectification of inaccuracies in communication records;
  • Right to complain to the Information Commissioner’s Office (ICO).

iPlato

Purpose of the Processing

We use iPlato to provide secure patient messaging services, including appointment reminders, health campaign communications, surveys, and two-way communication functionality. iPlato supports improved patient engagement, timely reminders for healthcare interventions, and access to online services, thereby enhancing the delivery of patient care and health outcomes.

Data Retention Period

Data processed through iPlato is retained only for the duration necessary to provide communication services and is then securely deleted, in accordance with NHS Digital and contractual requirements. Any clinical information resulting from patient communications (e.g., responses) is transferred securely into the patient’s clinical record and retained according to NHS Records Management Code of Practice policies.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your communications processed through iPlato where feasible;
  • Request rectification of inaccuracies in your contact information;
  • Right to object to the use of mobile communication services for reminders and campaigns, where appropriate;
  • Right to complain to the Information Commissioner’s Office (ICO).

INhealth Intelligence

Purpose of the Processing

We use services provided by INhealth Intelligence to support health data analysis, clinical audits, and service planning. INhealth Intelligence processes pseudonymised or identifiable patient information to help identify trends, target interventions, support public health management, and monitor healthcare quality and effectiveness across services.

Data Retention Period

Information processed by INhealth Intelligence is retained only as long as necessary to support the agreed purposes under strict contractual terms. Pseudonymised data is stored with enhanced safeguards, and all processing aligns with NHS information governance frameworks and NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment
  • Article 9(2)(i) - public interest in the area of public health

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request information about how your data is used by INhealth Intelligence where feasible;
  • Request rectification of inaccuracies in processed datasets;
  • Right to object to certain types of processing (e.g., analytics outside direct care) under specific circumstances;
  • Right to complain to the Information Commissioner’s Office (ICO).

Better Ltd Universal Care Plan

(formerly “Urgent Care Plan”)

Purpose of the Processing

We share personal and clinical information with Better Ltd to support the Universal Care Plan system, allowing healthcare professionals across services to view up-to-date care preferences, treatment escalation plans, and key clinical information in urgent or emergency situations. This ensures that care is delivered in line with patient wishes and clinical needs, particularly for patients with complex health conditions or end-of-life care plans.

Data Retention Period

Information recorded in the Universal Care Plan is retained in accordance with the patient’s active care status and NHS Records Management Code of Practice policies. Updates are made dynamically to ensure the latest information is available, and information is securely archived or deleted when no longer clinically required.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your Universal Care Plan where appropriate;
  • Request rectification of inaccuracies in your care plan information;
  • Right to object to sharing your care preferences, subject to clinical safety considerations;
  • Right to complain to the Information Commissioner’s Office (ICO).

Optum Scriptswitch

Medicines Management and Prescribing Optimisation

Purpose of the Processing

We use Optum Scriptswitch to provide real-time prescribing decision support to clinicians. Scriptswitch analyses prescription choices against local formulary guidelines and national best practices, offering cost-effective, safe, and clinically appropriate prescribing options. This supports medicines optimisation initiatives, improves patient safety, and promotes responsible use of NHS resources.

Data Retention Period

Data processed through Scriptswitch is limited to the information necessary to generate prescribing alerts and support decisions during consultations. No long-term patient record is created within Scriptswitch itself; prescription-related information is retained within the Practice’s clinical system in accordance with NHS Records Management Code of Practice requirements.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • Medicines Act 1968
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request information about how prescribing support decisions are made during your consultations;
  • Request rectification of prescription records where applicable;
  • Right to object to certain prescribing decisions, in consultation with your clinician;
  • Right to complain to the Information Commissioner’s Office (ICO).

GP Connect

Purpose of the Processing

We use GP Connect to securely share medical information between GP practices, community services, and other authorised NHS healthcare providers. GP Connect enables timely access to important health information for direct care purposes, ensuring that clinicians involved in a patient’s care have access to up-to-date and accurate records, particularly for urgent care and out-of-hours services.

Data Retention Period

Data accessed via GP Connect remains within the originating clinical systems and is not separately stored by GP Connect itself. Access is logged and audited. Each participating organisation retains responsibility for the management and retention of its own clinical records according to the NHS Records Management Code of Practice for Health and Social Care.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Health and Social Care Act 2012
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request information about your data shared via GP Connect where feasible;
  • Request rectification of inaccuracies in your clinical records;
  • Right to object to specific data sharing through GP Connect where applicable (e.g., by opting out);
  • Right to complain to the Information Commissioner’s Office (ICO).

Clinical Research Processors

Examples: EMIS Recruit, AccuRx Research

Purpose of the Processing

We work with clinical research processors such as EMIS Recruit and AccuRx Research to facilitate patient identification, recruitment, and engagement for ethically approved clinical research studies. These services enable patients to be informed about research opportunities and to participate in studies that may contribute to advances in medical care and treatment development.

Data Retention Period

Initial patient information used to assess research eligibility is retained only as long as necessary to conduct the screening process. If a patient consents to participate in a research study, their information is managed in accordance with the study’s specific ethics approval and research governance requirements. The Practice retains oversight of initial contact records according to NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(a) - consent of the data subject (for participation)
  • Article 9(2)(a) - explicit consent of the data subject
  • Where applicable:
  • Article 6(1)(e) - public interest tasks (identifying eligibility without contacting patient)
  • Article 9(2)(j) - scientific research purposes subject to safeguards

Related Legislation

  • Data Protection Act 2018 Schedule 1 (Research Provisions)
  • UK Policy Framework for Health and Social Care Research
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your information used for research invitations or participation;
  • Withdraw consent for participation at any time without affecting your healthcare;
  • Request rectification of inaccuracies where applicable;
  • Right to complain to the Information Commissioner’s Office (ICO).

Phoenix Data Solutions

Purpose of the Processing

We use Phoenix Data Solutions to support data analytics, reporting, service evaluation, and clinical research activities. Phoenix Data Solutions assists in processing pseudonymised and identifiable health information to enable audits, identify health trends, and provide evidence to improve patient care and support NHS commissioning requirements.

Data Retention Period

Data processed by Phoenix Data Solutions is retained only for the duration necessary to fulfil agreed reporting and analytics activities. Retention periods are managed under NHS standards, and pseudonymised datasets are safeguarded in accordance with NHS information governance frameworks and NHS Records Management Code of Practice policies.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment
  • Article 9(2)(j) - scientific or statistical research purposes

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request information about your data processed by Phoenix Data Solutions where feasible;
  • Request rectification of inaccuracies where applicable;
  • Right to object to certain secondary uses of your data, subject to public interest and legal exemptions;
  • Right to complain to the Information Commissioner’s Office (ICO).

RBP

Purpose of the Processing

We use RBP to provide healthcare data analysis, reporting, and project support services. RBP processes pseudonymised and identifiable health data to assist the Practice and NHS organisations in auditing clinical performance, monitoring healthcare outcomes, and supporting commissioning, planning, and service improvement initiatives.

Data Retention Period

Data processed by RBP is retained only for the length of time necessary to deliver the agreed service outcomes, after which it is securely deleted or anonymised according to NHS data protection standards. The Practice retains its own copies of clinical data as part of normal records management following NHS Records Management Code of Practice guidelines.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment
  • Article 9(2)(i) - public interest in the area of public health

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request information about data processed by RBP relating to you where feasible;
  • Request rectification of inaccuracies where appropriate;
  • Right to object to the secondary use of your data under certain conditions;
  • Right to complain to the Information Commissioner’s Office (ICO).

Workforce Window PayeDoc

Purpose of the Processing

We use Workforce Window PayeDoc services for the management of payroll, HR administration, workforce planning, and employment-related compliance activities. This includes the processing of personal and employment information to ensure that staff receive appropriate remuneration, that tax and pension contributions are managed, and that employment records are maintained according to legal and regulatory requirements.

Data Retention Period

Employee information processed by Workforce Window PayeDoc is retained according to statutory retention periods specified in employment law, tax legislation, and NHS employment standards. Employment-related records are securely stored for as long as necessary for legal, payroll, and workforce management purposes in compliance with the NHS Records Management Code of Practice.

Lawful Basis (UK GDPR)

  • Article 6(1)(b) - processing necessary for the performance of a contract
  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(b) - processing necessary for carrying out obligations in the field of employment and social security law

Related Legislation

  • Employment Rights Act 1996
  • Income Tax (Earnings and Pensions) Act 2003
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of your employment and payroll records where appropriate;
  • Request rectification of inaccuracies in employment information;
  • Right to complain to the Information Commissioner’s Office (ICO).

Surgery Connect (XON)

Purpose of the Processing

We use Surgery Connect, provided by XON, to manage telephone communications, including inbound and outbound calls, call recording for quality and training purposes, call routing, and telephony system management. Surgery Connect supports efficient communication between the Practice and patients, helping to ensure that patients receive timely advice, appointment bookings, and follow-up communications.

Data Retention Period

Call recordings and related telephony metadata are retained securely in accordance with the Practice’s call recording policy and NHS information governance standards. Typically, call recordings are kept for a limited period (e.g., six months) unless required longer for complaint investigations, legal proceedings, or serious incident reviews. All data is managed following NHS Records Management Code of Practice guidance.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality
  • Telecommunications Regulations (PECR)

Your Rights

  • To access, view, or request copies of your call recordings where appropriate and subject to lawful exemptions;
  • Request rectification if incorrect information is recorded during calls;
  • Right to object to call recording in certain limited circumstances (subject to service limitations);
  • Right to complain to the Information Commissioner’s Office (ICO).

TreeViewDesigns

Purpose of the Processing

We use TreeViewDesigns services to manage and develop Practice websites, digital forms, online patient communications, and workflow automation solutions. TreeViewDesigns helps ensure that patients have secure, efficient access to online services such as appointment requests, administrative form submissions, and general Practice information while maintaining a high standard of digital security and compliance with NHS information governance requirements.

Data Retention Period

Data submitted through TreeViewDesigns digital forms or platforms is securely transmitted to the Practice’s clinical system or designated administration systems and is not permanently stored by TreeViewDesigns. Information is processed solely for the duration necessary to complete the requested task and is managed in accordance with NHS Records Management Code of Practice policies within the Practice.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of information you have submitted via TreeViewDesigns platforms where feasible;
  • Request rectification of inaccuracies in submitted information;
  • Right to complain to the Information Commissioner’s Office (ICO).

Consultant Connect

Purpose of the Processing

We use Consultant Connect to facilitate rapid access to specialist clinical advice for GPs and other healthcare professionals. Consultant Connect provides secure communication channels, including telephone advice lines, messaging services, and photo-sharing systems, to enable real-time advice on patient care decisions and to help avoid unnecessary hospital referrals or admissions.

Data Retention Period

Information shared via Consultant Connect is retained according to the service provider’s retention policies, with strict compliance to NHS information governance standards. Communications are securely stored for a defined period (e.g., 12 months) to support clinical audit and service evaluation. Relevant clinical advice or outcomes are recorded within the patient's medical record in the Practice’s system and retained according to NHS Records Management Code of Practice standards.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority
  • Article 9(2)(h) - provision of health or social care or treatment

Related Legislation

  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of clinical communications involving your care where appropriate;
  • Request rectification of inaccuracies in recorded advice outcomes if identified;
  • Right to complain to the Information Commissioner’s Office (ICO).

Medical Reports Providers

Examples: Niche Health (iGPR), Medidata Exchange (eMR/Medi2Data)

Purpose of the Processing

We use medical report providers such as Niche Health (iGPR) and Medidata Exchange (eMR/Medi2Data) to assist in securely creating, preparing, and delivering medical reports requested by third parties, such as insurance companies, solicitors, or patients themselves. These providers help ensure that medical reports are produced in a standardised, legally compliant, and efficient manner while safeguarding patient confidentiality.

Data Retention Period

Medical report providers process information only for the duration necessary to fulfil each report request. Once completed and delivered securely to the authorised recipient, data is securely deleted by the provider in line with NHS and ICO (Information Commissioner’s Office) guidance. The Practice retains a copy of issued medical reports in the patient’s health record according to NHS Records Management Code of Practice policies.

Lawful Basis (UK GDPR)

  • Article 6(1)(a) - consent of the data subject (for third-party reports)
  • Article 9(2)(a) - explicit consent of the data subject
  • Where legally required:
  • Article 6(1)(c) - compliance with a legal obligation
  • Article 9(2)(h) - provision of health care or treatment (for patient-requested reports)

Related Legislation

  • Access to Medical Reports Act 1988
  • Data Protection Act 2018
  • Health and Social Care Act 2012
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request copies of medical reports prepared about you;
  • Withdraw consent for third-party reports where legally permissible;
  • Request rectification of inaccuracies in reports where applicable;
  • Right to complain to the Information Commissioner’s Office (ICO).

Social Media Channels

Facebook, Instagram, Twitter, Mastodon, Threads, WhatsApp, YouTube

Purpose of the Processing

We maintain a presence on social media platforms such as Facebook, Instagram, Twitter, Mastodon, Threads, WhatsApp, and YouTube to communicate Practice updates, health promotion campaigns, service information, and community engagement activities. We do not use social media channels for direct patient care communications or confidential discussions about individual healthcare needs.

Data Retention Period

Content posted by the Practice is retained on social media platforms according to each platform’s policies and for as long as necessary to fulfil communication purposes. We do not routinely collect or process personal information through our social media accounts unless you explicitly contact us through those platforms, in which case we will advise you to use secure communication channels instead.

Lawful Basis (UK GDPR)

  • Article 6(1)(e) - performance of a task carried out in the public interest or in the exercise of official authority (public health information, service communications)
  • Article 6(1)(a) - consent (for individual engagement through social media, where applicable)

Related Legislation

  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Common Law Duty of Confidentiality

Your Rights

  • To access, view, or request removal of content that personally identifies you on our social media accounts;
  • Request rectification of incorrect information posted by the Practice, where feasible;
  • Right to object to specific types of communications or direct interactions through social media platforms;
  • Right to complain to the Information Commissioner’s Office (ICO).