How We Use Your Data


St Mary's Surgery Privacy Notice

What is a Privacy Notice?
This is also sometimes called a ‘Fair Processing Notice’ and explains the information we collect about you and how we use it. As part of the new UK General Data Protection Regulation (UK GDPR), St Mary’s Surgery will be open and provide clear information about how we use your personal data.

Under the UK GDPR we must process personal data in a fair and lawful manner and as an organisation we must:

  • Have lawful and appropriate reasons for the use or collection of personal data
  • Not use data in a way to cause harm to the patient
  • Be open about how the data will be used
  • Handle personal data in line with the appropriate legislation and guidance
  • Not use data inappropriately or unlawfully

Why do we need a Privacy Notice?
Under the UK GDPR, which became law in the UK on 25th May 2018, we are required by law to let patients know how we use, collect and hold their personal and healthcare information.

This Notice explains:

  • Who we are and how we use your information
  • What personal and healthcare information we collect and process
  • Who we share your information with and why
  • For how long your personal information is retained by us
  • What to do if your personal information changes
  • What are your rights under the data protection laws

What information do we collect and how do we use it?
We collect:

  • Contact details such as name, address, telephone numbers, email addresses
  • Next of Kin details
  • Age, gender, ethnicity
  • Records of appointments, visits, telephone calls
  • Your health records including consultations, treatment you have received, medication, results
  • Other relevant information received from other health care professionals, relatives or carers

How do we use your information?
Your information is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest.

In order to comply with legal obligations, St Mary’s Surgery may have to, when directed, send data to NHS Digital under the Health and Social Care Act 2012. We may also have to share data for research purposes; however, we will always gain your consent to do so.
Under the General Data Protection Regulation, we will lawfully use your information in accordance with:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Who do we share your information with?
We may have to share your information with the following organisations for the provision of your direct health care needs:

  • Hospital professionals (doctors, consultants, nurses etc)
  • Other GPs/doctors
  • Primary Care Networks
  • NHS Trusts/Foundation Trusts/Specialist Trusts
  • NHS Commissioning Support Units
  • Lancashire and South Cumbria Integrated Care Board
  • Multi-agency Safeguarding Hub
  • NHS England and NHS Digital
  • Independent contractors such as dentists, opticians, pharmacies
  • Any other person who is involved in providing services related to your general healthcare including mental health professionals
  • Private Sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc
  • Voluntary sector providers
  • Ambulance Trusts
  • Integrated Care Systems
  • Local Authorities
  • Social Care Services
  • Education Services
  • Other ‘data processors’ e.g. Diabetes UK

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when it is required.

Who may we provide your information to:

  • The Police etc to comply with the law
  • Anyone you have given your consent to view your medical records. If you have given your consent for another person or organisation to access your records, we will need to verify this with you before we release this information. It is important you understand the significance of this and how much of your record can be disclosed.
  • Electronically to other organisations so everyone who is caring for you is informed about your medical history, including allergies and medication. We will share information with our partner organisations above to ensure you receive appropriate and safe care, unless you decline to consent. Wherever possible staff will gain your consent to share before the information is viewed.
  • Extended Access Services – we provide this service so patients can access medical services outside our normal working hours. We have an arrangement in place with the Integrated Care Board to offer this service in other GP Surgeries in your local area where they will have access to your medical records. To comply with the law and protect the use of your information we have robust data sharing agreements in place to ensure your data is protected.
  • The Integrated Care Board will extract medical information from your records, which is passed via our computer systems; this information is pseudonymised and therefore protects your identity from anyone who may access it.

How do we maintain confidentiality of your records?
Everyone working for the NHS has a legal duty to keep information about you confidential and will only use the information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulation 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

This means ensuring your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way. We will only pass on information about you if there is a genuine need for it in your health care. We will not disclose your information without your permission unless there are exceptional circumstances, e.g. life or death situations, where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information: To Share or Not to Share), where “The duty to share information can be as important as the duty to protect patient confidentiality”. This means Health and Social Care professionals should have the confidence to pass on information in the best interests of their patients within the framework of the Caldicott Principles.

All our staff, contractors and locums receive training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, which is enforced through disciplinary procedures.

Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK GDPR and all UK specific data requirements. Our policy is to ensure all personal data related to our patients will be protected.

You have the right to withdraw your consent to the processing of data should you wish to; to do so, please contact the surgery in writing. In some circumstances, to comply with the law, we may need to store or share your data after your consent has been withdrawn.

Where do we store your information electronically?
All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place to oversee the effective and secure processing of your personal and/or special category data.

All information is recorded in a clinical system called EMIS Web. EMIS Health Ltd, who own EMIS Web, act as the data processor for this, hosting the patient records database in a cloud-based data centre owned and operated by Amazon Web Services (AWS).

How long do we keep your personal information?
In line with the UK GDPR and Data Protection Act 2018, we are required under UK law to keep your information and data for the full retention period as specified by the NHS Records Management Code of Practice for Health and Social Care and national archives requirements. For further information please see the NHS England website.

What are your rights as a patient?
You have the right under the Data Protection legislation to request access to view or obtain copies of what information the surgery holds about you and to have it amended if inaccurate.

  • Your request should be made to the practice; please contact reception to ask for a Subject Access Request to Medical Records Form (for hospital records please contact the hospital direct)
  • Please ensure the form is completed fully with all your details and details of what information you require
  • We shall respond within a month and there will be no charge for the first application; however, we reserve the right to charge for subsequent copies

You have rights in relation to the information we keep about you. We endeavour to deal with any requests without undue delay, and in any event in accordance with the requirements of any applicable laws. We may keep a record of your communication to help us resolve any issues which you raise.

Right to object: if we are using your data and you do not agree, you have the right to object. We will respond to your objection within one month, although we may be allowed to extend this time in certain cases. This is NOT an absolute right, as sometimes we need to process your data even if you object.

Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities, for example research, or consent to send you information about us or matters you may be interested in, you may withdraw your consent at any time.

Right to erasure: In certain situations, for example where your data has been processed unlawfully, you have the right to request that we erase your personal data. Under Article 17 of the UK GDPR individuals have the right to have personal data removed; this is also known as the ‘right to be forgotten’.

The right only applies to data held at the time the request is received; it does not apply to data that may be created in the future. The right is not absolute and only applies in certain circumstances.

What should you do if your personal information changes?
You should contact the surgery as soon as possible if you change name, address or telephone number to enable your records to be updated and for us to ensure we have the correct information. We may verify your contact details when you contact the surgery on an opportunistic basis.

Medical Records
Lancashire and South Cumbria has been chosen by NHS England to be a national pilot for the digitisation of Medical Records. Scanning these paper-based records and making them digital will enable better utilisation of space, creating more clinical space, staff areas, multi-team space and video hubs, removing the need for some practices to build extensions. In addition, it will also make your records more easily and speedily accessible to clinical staff within your practice.

Your complete GP medical record will be digital and stored in a secure cloud-based clinical system (only accessible by your GP practice), with paper-based records being securely destroyed following BS_EN_15713:2009 Secure destruction of confidential material. Your GP will still be able to access your records easily within this system. The scanning and destruction of the paper records will follow strict data protection guidelines adhered to by the NHS. As with paper-based records, digital records are stored for the durations specified in the Records Management Codes of Practice for Health and Social Care. For GP patient records, this states that they may be destroyed 10 years after the patient’s death if they are no longer needed. If you wish to discuss the scheme, please email the practice at 

Patient communication
St Mary’s Surgery would like to use your name, contact details and email address to inform you of appointments and other NHS Services which we provide to you for your direct health care. We are obliged to protect any information we hold; therefore, it is imperative you contact us with any change in your contact details.

Sharing your information without your consent
We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example:

  • Where there is a serious risk of harm or abuse to you or other people
  • Safeguarding matters and investigations
  • Where a serious crime, such as an assault is being investigated or where it could be prevented
  • Notification of new births
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
  • Where a formal court order has been issued
  • Where there is a legal requirement, for example if you had committed a road traffic offence

Risk Stratification
Risk stratification is a mechanism used in the NHS to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions e.g. cancer. Your information is collected by a number of sources including St Mary’s Surgery. This information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure you receive the most appropriate care.

Medicine Management
The practice may conduct Medicines Management Reviews of medication prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.

Clinical Practice Research Datalink (CPRD) collects de-identified data from a network of GP practices across the UK. Primary care data are linked to a range of other health-related data to provide a longitudinal, representative UK population health dataset. You can opt out of your information being used for research purposes at any time; full details can be found on the CPRD website.

The legal basis for processing this information

CPRD do not hold or process personal data on patients; however, NHS Digital may process ‘personal data’ for us as an accredited ‘safe haven’ or ‘trusted third party’ within the NHS when linking GP data with data from other sources. The legal bases for processing this data are:

  • Medicines and medical device monitoring: Article 6(1)(e) and Article 9(2)(i) – public interest in the area of public health
  • Medical research and statistics: Article 6(1)(e) and Article 9(2)(j) – public interest and scientific research purposes

Any data CPRD hold or pass on to bona fide research, except for clinical research studies, will have been anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice. We will hold data indefinitely for the benefit of future research, but studies will normally only hold the data we release to them for twelve months.

Primary Care Networks
The objective of primary care networks (PCNs) is to group practices together to create more collaborative workforces that ease the pressure on GPs, leaving them better able to focus on patient care. All areas within England are covered by a PCN.

Primary Care Networks form a key building block of the NHS Long Term Plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons, including improving the ability of practices to recruit and retain staff, to manage financial and estates pressures, to provide a wider range of services to patients and to integrate with the wider health and care system more easily.

All GP practices have come together in geographical networks covering populations of approximately 30-50,000 patients to take advantage of additional funding attached to the GP contract. This size is consistent with the size of the primary care homes that exist in many places in the country but is much smaller than most GP federations.

This means that St Mary’s Surgery may share your information with other practices within the Primary Care Network to provide you with your care and treatment.

St Mary’s Surgery is part of Grange and Lakes PCN.

Safeguarding
St Mary’s Surgery is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied, with the wellbeing of all at the heart of what we do.

Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:

  • Article 6(1)(e) ‘…exercise of official authority…’

For the processing of special category data, the basis is:

  • Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Safeguarding information sent to safeguarding teams is retained at St Mary’s Surgery when handling a safeguarding concern or incident. We may share this information with other partners, e.g. local authorities, the Police or other health care professionals, to ensure our duty of care and to support investigation if required.

Third Party Processors
To help us deliver the best possible service, we will share data (where required) with other NHS bodies such as hospitals and other GP practices. In addition, the practice will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have the appropriate agreement in place to ensure they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

  • Companies that provide IT services and support, including our core clinical system, systems which manage patient-facing services (such as our website and services accessible through it), data hosting service providers, systems which facilitate appointment bookings or electronic prescription services, and document management services etc.
  • Further details regarding specific third-party processors can be supplied by the practice on request.

National Opt-out Facility
The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research and planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

You can view or change your national data opt-out choice at any time by using the online service at NHS: Your Data Matters or by visiting Your Health in the NHS App and selecting “Choose if data from your health records is shared for research and planning”.

Objections / Complaints
Should you have any concerns about how your information is managed at the practice, please contact the Practice Manager at St Mary’s Surgery. If, however, you are still unhappy following a review at the practice, you have the right to lodge a complaint with the UK supervisory authority, the ICO, via their website or by telephone on 0303 123 1113.

The Information Commissioner’s Office is the regulator for the General Data Protection Regulation and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.