Privacy Notice
Introduction
St Mary’s Surgery is committed to protecting your personal information and being transparent about how we use it.
This Privacy Notice (sometimes called a Fair Processing Notice) explains:
- What information we collect about you
- How and why we use it
- Who we share it with
- How long we keep it
- Your rights under data protection law
We process your personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
St Mary’s Surgery is the Data Controller of your personal information.
We are responsible for ensuring that your data is processed lawfully, fairly, and securely.
What information we collect
We collect and hold the following types of information:
- Personal details (name, address, NHS number, date of birth)
- Contact details (telephone numbers, email address)
- Next of kin and emergency contacts
- Demographic information (e.g. gender, ethnicity)
- Records of appointments, visits, and communications
- Medical and clinical records (consultations, diagnoses, treatment, medication, test results)
- Information received from other healthcare providers, carers, or relatives
How we use your information
Your information is primarily used to provide direct care and treatment.
We may also use your information to:
- Manage appointments and services
- Communicate with you about your care
- Coordinate care with other healthcare providers
- Meet legal and regulatory requirements
- Support public health and safeguarding
- Improve services, including audit and planning
We will only use your information where we have a lawful basis to do so.
Legal basis for processing
Under UK GDPR, we process your information in accordance with:
- Article 6(1)(e) – processing necessary for tasks in the public interest
- Article 9(2)(h) – processing necessary for healthcare and treatment
Where required, we may also rely on:
- Legal obligations
- Public health requirements
- Your consent (e.g. for certain types of research or communication)
Who we share your information with
For your care
We may share your information with organisations involved in your care, including:
- Hospitals and specialists
- Other GP practices
- NHS Trusts and services
- Primary Care Networks (including Grange and Lakes PCN)
- Community and mental health services
- Pharmacies, dentists, and opticians
- Ambulance services
Wider health and care services
We may also share information with:
- Integrated Care Boards (ICBs)
- NHS England and NHS Digital
- Local authorities and social care services
- Safeguarding teams (including MASH)
- Voluntary and private sector providers involved in care
Other circumstances
We may share your information with:
- The police or courts where required by law
- Organisations you have given consent to
- Extended Access services (for out-of-hours care)
Where possible, we will seek your consent before sharing your information.
Sharing without consent
There are situations where we may share information without your consent, including:
- Safeguarding concerns (children or vulnerable adults)
- Risk of serious harm to you or others
- Investigation or prevention of serious crime
- Legal requirements (e.g. court orders)
- Public health requirements (e.g. infectious diseases)
All such decisions are made in line with Caldicott Principles and legal guidance.
How we keep your information confidential
All staff, contractors, and locums have a legal duty to maintain confidentiality.
We comply with:
- The UK GDPR and the Data Protection Act 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- NHS Codes of Practice
Staff receive regular training and are subject to confidentiality obligations and disciplinary procedures.
How your information is stored
Patient records are held securely using electronic systems, including EMIS Web.
- Data is stored within secure UK/EU-based systems
- Our systems are supported by approved providers (e.g. AWS hosting)
- Strict security measures are in place to prevent unauthorised access
We ensure all third-party providers meet NHS data security standards.
How long we keep your information
We retain records in line with the NHS Records Management Code of Practice.
For GP records, this generally means:
- Records may be kept for 10 years after death
Your rights
Under data protection law, you have the right to:
- Access your information (Subject Access Request)
- Request correction of inaccurate data
- Object to certain types of processing
- Withdraw consent (where applicable)
- Request deletion of data (in limited circumstances)
Requests will be responded to within one month. To make a request, please contact the practice.
National data opt-out
You can choose whether your data is used for research and planning purposes.
To opt out, visit: Your NHS Data Matters
Research and data use
We may support research through organisations such as the Clinical Practice Research Datalink (CPRD).
- Data used for research is usually anonymised or pseudonymised
- You can opt out at any time
Risk stratification and medicines management
We may use your information to:
- Identify patients at higher risk of illness
- Review medications and treatment
This helps ensure you receive appropriate and effective care.
Primary Care Networks (PCNs)
We are part of the Grange and Lakes Primary Care Network.
Your information may be shared within the PCN to support your care.
Safeguarding
We are committed to protecting vulnerable individuals.
Your information may be shared with safeguarding partners where necessary to protect you or others.
Keeping your information up to date
Please inform us if your details change (e.g. address, telephone number).
This ensures your records remain accurate and your care is not affected.
Third-party processors
We use external providers for services such as:
- IT systems and support
- Appointment systems
- Data hosting
All providers are contractually required to keep your data secure and confidential.
Complaints and contact
If you have concerns about how your data is used, please contact the Practice Manager.
If you remain dissatisfied, you can contact the Information Commissioner’s Office (ICO):
- Visit the ICO website
- Telephone: 0303 123 1113