Your Information, Data Protection & Opt-Out

Privacy Notice

How we keep your records confidential

Everyone working for the NHS has a legal duty to keep information about you confidential. We have a duty to:

  • Maintain full and accurate records of the care we provide to you
  • Keep records about you confidential and secure
  • Provide information in a format that is accessible to you (e.g. large type if you are partially sighted)

We will not share information that identifies you for any reason unless:

  • You ask us to do so
  • We ask and you give us specific permission
  • We have to do this by law
  • We have special permission for health or research purposes, or
  • We have special permission because the interests of the public are thought to be of greater importance than your confidentiality—for example, if you had a serious medical condition that may put others you had come into contact with at risk

We hold your records in STRICT CONFIDENCE

Who are our partner organisations?

We may share information with the following main partner organisations:

  • Strategic Health Authorities (SHAs)
  • NHS Trusts (Hospitals, PCTs)
  • Special Health Authorities
  • Ambulance Service

We may also share your information, with your consent and subject to strict sharing protocols on how it will be used, with:

  • Social Services
  • Education Services
  • Local Authorities
  • Voluntary Sector Providers
  • Private Sector

Anyone who receives information from us also has a legal duty to:

KEEP IT CONFIDENTIAL!

Why we collect information about you:

In the National Health Service, we aim to provide you with the highest quality of health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you.

These records may include:

  • Basic details about you such as an address, date of birth, next of kin
  • Contact we have had with you such as clinical visits
  • Notes and reports about your health
  • Details and records about your treatment and care
  • Results of x-rays, laboratory tests, etc.
  • Relevant information from people who care for you and know you well such as health professionals and relatives

It is good practice for people in the NHS who provide care to:

  • Discuss and agree with you what they are going to record about you
  • Give you a copy of letters they are writing about you, and
  • Show you what they have recorded about you, if you ask

How your records are used

The people who care for you use your records to:

  • Provide a good basis for all health decisions made in consultation with you and other health care professionals
  • Deliver appropriate health care
  • Make sure your health care is safe and effective, and
  • Work effectively with others providing you with health care

Others may also need to use records about you to:

  • Check the quality of health care (such as clinical audit)
  • Protect the health of the general public
  • Keep track of NHS spending
  • Manage the health service
  • Help investigate any concerns or complaints you or your family have about your health care

Some information will be held centrally to be used for statistical purposes. In these instances we take strict measures to ensure that individual patients cannot be identified.

We use anonymous information, wherever possible, but on occasions we may use personal identifiable information for essential NHS purposes such as research and auditing.

However, this information will only be used with your consent, unless the law requires us to pass on the information.

Notification

The Data Protection Act 1998 & General Data Protection Regulations 2018 require organisations to notify the Information Commissioner of the purposes for which they process personal information.

You have the right

You have the right to confidentiality under the General Data Protection Regulations 2018 (GDPR), the Data Protection Act 1998 (DPA), the Human Rights Act 1998 and the common law duty of confidence (the Disability Discrimination and the Race Relations Acts may also apply).

You also have the right to ask for a copy of all records about you:

  • Your request must be made in writing to the organisation holding your information
  • We are required to respond to you within a calendar month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number etc.)
  • You will need to be specific about the time period you wish to access as we are unable to comply with excessive requests.
  • You will be required to provide ID before any information is released to you

If you think anything is inaccurate or incorrect, please inform the organisation holding your information. We have provided the form below to help you request an amendment to your records.

Amendment Request Form

If you require this information in a different format or you need further information or assistance, please contact Ms Sally Oldbury, Practice Manager.

How we use your personal information


Primary Care Network Agreements

Because we are also part of a Primary Care Network (PCN) of practices that provide clinics for patients of any of our 8 practices at central hubs and satellite clinics, the Privacy Notice for the PCN is also available below, as well as our Data Sharing Agreement.

Tolson PCN is a partnership of 8 practices in the area. When we offer services through the PCN, they may be hosted at any one of these premises. We have a centralised computer system to manage appointments booked with PCN services.

This includes:

  • The Waterloo Practice
  • The Whitehouse Centre
  • The University Health Centre
  • The Almondbury Surgery
  • The Junction Surgery
  • Dalton Surgery
  • Greenhead Family Doctors
  • and us, Rose Medical Practice

Their website is HERE


What is a Primary Care Network?

From 1st July 2019, all patients in England are covered by a Primary Care Network (PCN). A PCN is made up of neighbouring GP Practices who have decided to work together to provide and improve healthcare services in the local area. The video below details what a Primary Care Network (PCN) has been designed to achieve.

The Tolson Care Partnership Primary Care Network (Tolson PCN) is based in Huddersfield, West Yorkshire, and we are made up of eight GP surgeries, with a combined patient list size of approximately 50,000.


Privacy Notice - Tolson PCN

Tolson Network Data Sharing Agreement

National Data Opt-out

You can find out more about how patient information is used at:

https://www.nhs.uk/your-nhs-data-matters/

With National Data Opt-out you can change your mind about your choice at any time.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is compliant with the national data opt-out policy.

Accessible resources:

British Sign Language video of the patient hand-out

Audio version of the patient hand-out

Braille version of the patient hand-out which can be ordered from NHS England Health Publications

An easy read booklet of the patient hand-out for patients with learning disabilities as well as a larger print version can be downloaded from the resources for patients NHS Digital web page

Where can I get more information?

Leaflets in other languages and formats are available from https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/different-languages-and-formats/

For more information, including a list of frequently asked questions (FAQs), please go to the website at https://www.nhs.uk/your-nhs-data-matters/

A patient has to register their choice to opt out only once, and that registration applies to all healthcare settings and organisations, not just general practice. They can do this by using one of the following:

  • Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice
  • Telephone service 0300 303 5678, which is open Monday to Friday between 0900 and 1700
  • NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play
  • "Print and post" registration form. Photocopies of proof of the applicant's name (e.g. passport, UK driving licence etc.) and address (e.g. utility bill, payslip etc.) need to be sent with the application. It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ

Docmail

We will sometimes use a mailing company called DocMail to handle bulk mailings to patients. Typically this is for bulk mailings such as the invitations to attend the flu clinics where it is difficult to accommodate the administrative work involved without affecting our ability to serve patients.

This is permissible under guidance from both the Information Commissioner's Office (ICO) and the Department of Health (DoH), subject to the provisions of the Data Protection Act.

Please find below some more information about DocMail and how we work with them to ensure that we protect our patients’ personal data at all times.

1.1 What is Docmail?

DocMail is provided by CFH Total Document Management Ltd, a secure print and mailing company which provides print and mailing services for Local Government, GPs, Dentists, Medical Practices, Schools, Exam Boards, Banks etc. throughout the UK.

The system can be found online at www.docmail.co.uk and requires a secure user name and password for us to log on and upload our letters and address lists to create the printed output for dispatch to Royal Mail. The system allows us to upload a letter template and mailing data for the patients we want to write to via a secure web portal.

1.2 The Data Protection Act (2018) (DPA)

Rose Medical Practice and DocMail are both fully compliant with the Data Protection Act.

The Information Commissioner's Office issued guidance in February 2012 for organisations that outsource some of their data processing to a third party. The Data Protection Act allows outsourcing to take place but stipulates certain conditions that must be met for it to be compliant.

An organisation that processes personal data is required to handle personal data in accordance with the data protection principles. A data controller may choose to use another organisation to process personal data on its behalf – a data processor.

The data controller remains responsible for ensuring its processing complies with the DPA, whether it processes in-house or engages a data processor.

Where a data processor is used the data controller must ensure that suitable security arrangements are in place in order to comply with the seventh data protection principle.

Further extracts from the guidance are reproduced here and the entire document is available on the ICO website.

Rose Medical Practice has strictly adhered to this guidance in setting up the partnership with DocMail.

  • Rose Medical Practice remains the data controller and as such has the responsibility for ensuring compliance with the provisions of the Act. We are not able to pass on those responsibilities to DocMail whose role is that of a data processor.
  • There is a written contract between Rose Medical Practice and CFH – Total Document Management Ltd in addition to the standard terms of business that are published on the DocMail website.
  • That contract stipulates that DocMail can only act in accordance with instructions from Rose Medical Practice i.e. they can only print and mail letters in accordance with data provided by us. They are not able to do anything else with that data.
  • The contract also creates a legal requirement for DocMail to act in accordance with the seventh principle of the Data Protection Act.
  • The Partners of Rose Medical Practice have satisfied themselves that DocMail have provided sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out.
  • The partners have taken, and will continue to take, reasonable steps to ensure that DocMail are compliant with these security measures.
  • No data will pass outside of the European Union.

1.3 Data Security and Protection Toolkit

DocMail regularly completes the Data Security and Protection Toolkit; the latest results can be found on the DSP Toolkit website.

1.4 Other Approvals

DocMail is also approved by the following:

  • Government Procurement Service for Hybrid Mail – which allows all government organisations to use DocMail
  • 67 Primary Care Trusts for Medical Studies have approved the use of DocMail. 500,000 medical studies packs were sent in 2011 across 200 surgeries
  • Caldicott Guardians across a number of areas have approved the use of DocMail when asked
  • Ethics Committees have approved the use of DocMail by surgeries for use in medical studies

1.5 Accreditations & Security Policies

In addition to the credentials listed above, I have been supplied with DocMail's Corporate Policies and certifications as detailed below:

  • ISO 27001:2005 Information Security Management System Certificate
  • CFH Site Security Policy
  • CFH Information Technology Security Policy
  • Information Security Policy

1.6 Process

The data file provided to DocMail will only contain enough data to enable them to fulfil the contract. This means that it will include name and address details and, where appropriate, the date and time of an appointment, as well as the name of the clinician you will be seeing or the name of a clinic you will be attending, e.g. Flu Clinic or NHS Health Check. We will of course exercise the same discretion in writing the letters as we would if we were printing and posting them at the surgery.

The letters will be delivered to your address by Royal Mail in the normal way. The letters will carry the DocMail logo and the return address on the reverse side. This address does not identify the letter as having come from a doctor’s surgery.

DocMail deletes the personal data 28 days after the mailing.

If you have any questions or require further information about this please ask to speak to the Practice Manager.

DPA Seventh Principle

Schedule 1 of the Data Protection Act (2018) lists eight principles of data protection. The seventh principle is of particular importance where an organisation uses a third party to process data.

The seventh data protection principle provides that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Information Commissioner’s Office provides the following guidance to organisations seeking to use a third party to process data on its behalf.

Where a data controller chooses to use a data processor, paragraphs 11 & 12 of Schedule 2, DPA introduce additional obligations on the data controller as follows:

11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must, in order to comply with the seventh principle:

a. choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

b. take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless:

a. the processing is carried out under a contract:

i. which is made or evidenced in writing, and

ii. under which the data processor is to act only on instructions from the data controller, and

b. the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

Page last reviewed: 04 November 2025
Page created: 03 January 2023