Privacy Notice

The Data Controller is: Allison Hey – Practice Manager

How We Use Your Information

This privacy notice explains why the Northenden Group Practice collects personal information about you, and how that information may be used.

We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

As Data Controllers, GPs have responsibilities under the Data Protection Act 2018 (DPA18). This means ensuring that your personal data is handled in ways that are safe, transparent and what you would reasonably expect.

​We respect your trust in us to use, store and share your information. In this notice we explain how we collect personal information about you, how we use it and how you can interact with us about it.

We try to keep this notice as simple as possible but if you are unfamiliar with our terms, or want more detail on any of the information here, please contact us at [email protected].​

Capturing images – CCTV

Visiting our premises

Our premises are monitored by CCTV so your image may be captured whenever you enter our site boundary and within our premises. We use CCTV for maintaining public safety, the protection and security of our property and our staff and for the detection, prevention and investigating of crime. It may also be used to monitor staff when carrying out work duties.

For these reasons, the information processed may include visual images, including personal appearance and behaviour of those displayed and recorded on the system.

Where the CCTV is located on our premises but near a public space, it may also record these images even if you have not directly visited our premises.

There are signs to show you when you are entering an area monitored by our CCTV. CCTV images are normally held for 30 days and then deleted unless we require to retain them for investigative or policing enquiries.

Meeting Our Legal and Regulatory Obligations

To use your information lawfully, we rely on one or more of the following legal bases:

  • For the performance of a task carried out in the public interest or where it is necessary in the exercise of official authority vested in us
  • The performance of a contract
  • Where the processing is necessary for compliance with our legal obligations
  • Protecting the vital interests of you or others
  • For our organisational legitimate interests; e.g. for incidental and ancillary data processing, for example the management of non-patient or medical databases used for our internal administrative purposes
  • Where appropriate with your consent
  • Where necessary for the purposes of preventative or occupational medicine, for the assessment of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

We also respect the common law duty of confidentiality and to satisfy the common law we may rely on implied consent to share confidential health data for the provision of direct care; for example, when a patient agrees to a referral from one healthcare professional to another.

Health care professionals are required to maintain records about your health including any treatment or care you have received within the NHS (e.g. NHS hospital trust, GP surgery, walk-in clinic, etc.). Using these records helps us to provide the best possible healthcare for our patients.

NHS health records may be processed electronically or on paper or a mixture of both and a combination of working practices and technology are used to ensure that your information is kept confidential and secure.

Records used and stored by this GP practice may include the following information:

  • Any contact we have with you, such as appointments, clinic visits, emergency appointments, telephone triage etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Details about you, including your date of birth, NHS number, address and next of kin etc.
  • Results of investigations about you such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, agencies, relatives or those who care for you

This practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that such sensitive information is kept confidential.

However, we may disclose your personal information if:

  • It is required by law
  • You consent to do so – either implicitly (e.g. for your own treatment and care) or explicitly for other purposes (e.g. sending you newsletters etc.)
  • It is justified in the public interest

Some of your personal data will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified.

Sometimes information about you may be requested to be used for research purposes. Northenden Group Practice will always endeavour to gain your consent before releasing such information.

Under the powers of the Health and Social Care Act 2012 (HSCA) the Health and Social Care Information Centre (HSCIC) can request personal data from GP practices without seeking the patient’s consent.

Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

Any patient can choose to withdraw their consent to their data being used in this way. When Northenden Group Practice is about to participate in any new data-sharing scheme we will make patients aware by displaying prominent notices in the surgery and on our website, at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.

A patient can object to their personal information being shared with other health care providers, however if this limits the treatment that you can receive then the doctor will explain this to you at the time.

Risk Stratification

Risk stratification is a process for identifying and managing patients who are at a higher risk of emergency hospital admission. Normally, this is because patients have a long-term condition such as chronic obstructive pulmonary disease (COPD) or some cancers. NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.

In order to achieve this, information about you is collated from several sources, including this GP Practice and from NHS Trusts etc. A risk score is then produced through an analysis of your anonymous information using computer programmes. Your information is only provided back to your GP or member of your care team in an identifiable form.

Risk stratification enables your GP to focus on the prevention of ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services.

Please note that you have the right to opt out of Risk Stratification.

Should you have any concerns about how your information is managed or wish to opt out of any data collection at Northenden Group Practice, please contact your GP or a healthcare professional to discuss how the disclosure of your personal information can be restricted.

All our patients have the right to change their minds and reverse a previous decision. Please contact Northenden Group Practice if you change your mind regarding any previous decision.

​Invoice Validation

If you have received treatment within the NHS, access to your personal information may be required to determine which Clinical Commissioning Group should pay for the treatment or procedure that you have received.

This information would most likely include information such as your name, address, date of treatment and may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices and will not be shared for any further purposes.

Hospital Attendance

Personal data about any hospital attendance is obtained from the Health and Social Care Information Centre (HSCIC) and matched to NHS data to create a risk profile about you.

​NHS Health Checks

All our patients aged 40-74, not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team at Northenden Group Practice will see confidential information about you during the invitation process. Your details will be securely transferred to a third-party data processor (if appropriate). You may be offered the chance to attend your health check either within Northenden Group Practice or at a local community venue. If your health check is at a community venue, all data collected will be securely transferred back into the Northenden Group Practice system and nobody outside the healthcare team at Northenden Group Practice will see any confidential information about you during this process.

​How Do We Maintain The Confidentiality of Your Records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the DPA18 and DPA 18, the Human Rights Act, the Common Law Duty of Confidentiality, the Health and Social Care Act 2012 and the NHS Codes of Confidentiality and Security.

All our staff, contractors and professional members receive appropriate and on-going training to ensure they are aware of their personal responsibilities. They also have employment contractual obligations to uphold your confidentiality, which are enforceable through disciplinary procedures. Your information may be shared internally, including with members of the practice team but only a limited number of authorised staff have access to your personal information (where it is appropriate to their role) and access is only allowed on a strict ‘need-to-know’ basis.

We strive to maintain our duty of confidentiality to you at all times. We will only ever use or pass on personal identifiable information about you if others involved in your care have a genuine need to have it. We will not disclose your information to any third-party without your permission, unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

We are mindful of the UK information sharing principle following Dame Fiona Caldicott’s information sharing review amongst health professionals. We recognise that our duty to share information can be as important as the duty to protect patient confidentiality. Therefore, we encourage our health and social care professionals to have the confidence to share information in the best interests of our patients within the framework set out by the Caldicott principles;

‘To share or not to share – the Information Governance Review’.

​Who Do We Share Your Information With?

We may also share your information, subject to strict agreements on how it will be used, with other care providers and agencies.

These could include:

  • NHS and specialist hospitals, Trusts
  • Other GPs
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private and Voluntary Sector Providers
  • GP practice federations
  • Ambulance Trusts
  • Clinical Commissioning Groups and NHS England
  • NHS Digital
  • National Institute for Health and Care Excellence
  • Care Quality Commission
  • NHS Improvement
  • NHS Shared Business Services
  • Universities
  • Social Care Services and Local Authorities
  • Education Services
  • Police and Fire and Rescue Services
  • Other ‘data processors’ during specific project work e.g. Diabetes UK

Health and Safety Requirements

If you have an accident whilst you are on any of our premises, this must be reported and will be recorded and kept for the purposes of health and safety and insurance requirements.

​How Do We Protect Your Data?

We take the security of your data very seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.

Where we engage with third parties to process personal data on our behalf, we stipulate our privacy expectations in written instructions. They are under a strict duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

​Access to Personal Information

We aim to be as open as we can regarding access to personal information.

Individuals can find out if we hold any personal information about them by making a ‘subject access request’ under the DPA 18. You also have the right to require it to be amended or removed should it be inaccurate.

If we do hold information about you, we will:

  • Give you a description of it
  • Tell you why we are holding it
  • Tell you who it could be disclosed to
  • Let you have a copy of the information in an intelligible form provided it is lawful to do so

To make a request to Northenden Group Practice for any of your personal information we may hold, you need to contact our Data Protection officer on the data controller address given in this document.

You have the right to complain to the Information Commissioner’s’ Office if you believe that we have not complied with the requirements of the DPA18 regarding your personal data.

​Storing or transferring your information outside the European Economic Area (“EEA”).

We do not transfer or store your personal information outside the EEA.

​How Long We’ll Keep Your Information

We only keep your information for as long as we need it. We’ll retain certain information (e.g. contact information and bank details) for as long as you have a relationship with us. The length of time depends on the purpose of the processing. Generally, we keep data for ten years.

​Complaints or Queries

Northenden Group Practice tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. We are happy to provide any additional information or explanation needed. Any queries you have should be addressed to: [email protected]  or telephone us on 0161 998 3206.

You can also contact the Information Commissioner’s Office at or write to Wycliffe House Water Lane, Wilmslow, Cheshire SK9 5AF or 0303 123 1113 for information, advice or to make a complaint.

Any changes to this notice will be published on our practice website.

​Document name: Members Privacy Notice
Version: 0.1
Name of originator/author: Allison Hey
Policy Owner: Northenden Group Practice
Date created: May 2018
Date reviewed: June 2018
Reviewer: Practice Manager
Date ratified: 24/3/2019