GDPR Policies & Other Information
Privacy notice for Cape Hill Medical Centre
Introduction:
This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations.
This Notice explains:
- Who we are and how we use your personal information
- Information about our Data Protection Officer
- What kinds of personal information we hold about you and what information we use
- The legal grounds for processing your personal information, including when we share it with other organisations.
- What to do if your personal information changes
- How long your personal information is retained/stored by us
- What your rights are under Data Protection laws
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive (special category) information; the DPA 2018 deals with elements of UK law that differ from the European Regulation. Both came into force in the UK on 25th May 2018, repealing the previous Data Protection Act 1998.
For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the Data Protection Act 2018), the practice responsible for your personal data is LAYTON MEDICAL CENTRE.
This Notice describes how we collect, use and process your personal data, and how in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
About Us
Cape Hill Medical Centre is located on Raglan Road, Smethwick, West Midlands, B66 3NR. We are a Data Controller of your information and are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.
There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be a Data Processor. The purposes for which we use your information are set out in this Privacy Notice.
We are registered with the ICO, and our registration number is Z6755641.
Data Protection Officer contact details
Our Caldicott Guardian and Data Protection Officer is Dr Jonathan Bown, who is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at: capehillmedicalcentre@nhs.net
Why we need your information
Healthcare professionals who provide you with care are required to maintain medical records detailing any care or treatment you have received. These records help to provide you with the best possible healthcare.
Your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the NHS and the services we provide. Limited information may be used within the practice for clinical audit to monitor the quality of the services we provide.
Records about you may include the following information:
- Details about you, such as your address, your carer or legal representative and emergency contact details.
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments.
- Notes and reports about your health.
- Details about your treatment and care.
- Results of investigations such as laboratory tests, x-rays etc.
- Relevant information from other health professionals, relatives or those who care for you.
- Contact details (including email address, mobile telephone number and home telephone number)
Your NHS health records may be held on paper, electronically, or a mixture of both. We use technology and working practices to ensure that your information is kept confidential and secure.
Information we collect about you
Records which we hold about you may include the following:
- Personal Data - Your name, address, telephone number, email address, date of birth, next of kin information, carer, legal representative, emergency contact details, NHS number etc.
- Special Categories of Personal Data – Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, and data concerning a person's sex life or sexual orientation.
- Confidential Patient Information – Your health record including any appointments, surgery visits, emergency appointments etc, notes and reports about your health, information regarding your treatment and care, results of investigations such as x-rays, laboratory tests, etc, information from other health providers, health professionals or third parties, relatives or those who care for you.
- Pseudonymised Data - This data has had any identifying information replaced with a pseudonym, like a code or a unique identifier to make it harder to directly link the data back to an individual without additional information.
- Anonymised Data - This data has been processed to remove any personal identifiers, making it impossible or extremely difficult to link the data back to an individual.
- Aggregated Data – Statistical data about individuals that has been combined to show trends or values without identifying the individuals within the data.
How long do we hold your information?
We are required under UK law to keep your information and data for the retention periods specified in national guidance from NHS Digital, the Records Management Code of Practice for Health and Social Care. At the end of the retention period, personal confidential and commercially confidential information will be disposed of securely.
For more information on records retention, see the NHS Records Management Code of Practice 2021.
How we lawfully use your Data
We need to process your personal, sensitive and confidential data to provide you with healthcare services as a General Practice. Under the UK General Data Protection Regulation, we lawfully use your information in accordance with:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
This Privacy Notice applies to the personal data of our patients and the data you have given us about your carers/family members.
Individuals Rights under UK GDPR
You have the following rights over your personal information:
- The right to be informed - You have the right to be informed on how we handle, process, and share your personal information
- The right to access your personal information (SAR) – You can request access to and/or copies of the personal data we hold about you, free of charge (subject to exemptions) within one calendar month.
Some information may be removed for the following reasons:
- If it is deemed to cause harm to yourself or others
- If the information within the record relates to third parties who are entitled to their confidentiality, or who have not given their permission for the information to be shared.
Such requests can be made verbally or in writing. To process your request, we require information such as the details of your request, full name, address, date of birth, NHS number and if necessary, documents to verify your identity.
- The right to rectification - You have the right to have personal data rectified when it is found to be incorrect, out of date or incomplete. Requests will be acted upon within one calendar month of being received.
- The right to erasure (not an absolute right) - You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right only applies to data held at the time the request is received. It does not apply to data that may be created in the future. The right is not absolute and only applies in certain circumstances.
- The right to restrict processing - You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way that an organisation uses your data.
- The right to data portability - You have the right to receive personal data you have provided to the Practice in a structured, commonly used, and machine-readable format.
- The right to object - You have the right to object to processing. However, it only applies in certain circumstances. We may not need to stop if we can give strong and legitimate reasons to continue using your data.
- Rights in relation to automated decision making and profiling - You have the right to object to decisions based solely on computer processing and to question the decisions made about you by a computer. You can ask for a person to be involved in the decision making.
Practice to Patient Communication(s)
For the purposes of direct care, we may need to contact you regarding appointments and other services. We will usually do this by sending SMS texts to your mobile phone. We assume that you give us permission to contact you via your phone if you have provided us with your phone number. Please contact the practice if you wish to opt out of this service.
There may be occasions when we need to contact you using your email address. If any of your contact details change, please inform the practice.
Risk Stratification
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned admission or readmission and identifying a need for preventive intervention. Information about you is collected from several sources including NHS Trusts and from this GP Practice. Patient data is de-identified, and an analysis of your de-identified information is only provided back to your GP, as data controller, in an identifiable form.
Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way in most circumstances.
Medicines Management
Black Country ICB’s medicines team, practice-based pharmacists, and other NHS pharmacy professionals will collaborate with GP practices to deliver medication reviews, clinical audits, medicine safety checks, and medicines optimisation initiatives—ensuring safe, effective, and cost-efficient patient care.
GP Connect Service
The GP Connect service enables authorised NHS 111 clinicians to access our practice’s appointment system and book appointments on your behalf. If you contact NHS 111 and the clinician determines you need a GP appointment, they’ll use GP Connect to view available slots and secure an appointment for you—saving you the extra step of contacting the practice directly.
Rest assured, NHS 111 only sees appointment availability—they cannot view your medical record or access your personal data. Any relevant clinical information you share with NHS 111 will be passed on to our practice, and you’ll be informed that this is happening. This ensures your GP understands your current health needs and can provide the most appropriate care.
Summary Care Records
All patients registered with a GP in England automatically have a Summary Care Record (“SCR”) unless they opt out. This record gives authorised and regulated healthcare professionals, when providing your care away from your usual GP practice, access to essential information that helps improve safety, reduce prescribing errors and enhance your experience.
Core SCR includes:
- Allergies and past medication reactions
- Current repeat medications, plus any discontinued repeats from the past six to twelve months
Many patients—particularly those with long-term health conditions—have already given consent for Additional Information to be included in their Summary Care Record (SCR). This enhanced record may encompass:
- Significant medical history (both past and present)
- Reasons for prescribed medications
- Care plan details and anticipatory care arrangements
- Immunisations
By including this expanded data, healthcare teams can better understand your health background and treatment needs, especially in urgent care or when you're away from your regular GP.
Summary Care Records (SCR) - information for patients
Safeguarding
The Practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently, and conscientiously applied with the wellbeing of all patients at the heart of what we do.
Personal Data collected
When a safeguarding situation occurs, basic demographic, contact and special category details may be used. However, this information will be kept to a minimum. Information may be collected when someone contacts the practice with concerns regarding safeguarding, or if the practice has safeguarding concerns and makes enquiries. To ensure duty of care, the practice may share information with other partners such as local authorities, the police or healthcare professionals.
Our legal basis for processing information for safeguarding purposes, as stipulated in the UK GDPR is:
Article 6(1)(e) ‘…exercise of official authority…’.
For the processing of special categories data, the basis is:
Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’
NHS Digital
NHS Digital is a national body which has legal responsibilities to collect information about health and social care services from all areas of the NHS. It provides reports on NHS performance. These are used to help plan and improve patient services.
This practice must comply with the law and send data to NHS Digital when it is told to do so by the Secretary of State for Health or NHS England under the Health & Social Care Act 2012.
The NHS shares some data, in which nobody can identify you, with trusted third parties. This is to improve the NHS for you and everyone else.
Trusted third parties include:
- scientists researching medicines
- university researchers
- NHS planners
Data is only shared when a benefit is demonstrated to the NHS. Access is strictly controlled.
Your data will not be:
- Shared for commercial purposes
- Shared with insurers
- Sold
Further information regarding NHS Digital can be found at: digital.nhs.uk
General Practice Data for Planning and Research (GPDPR)
The NHS needs information about the patients it treats to plan and deliver its services and to ensure that care and treatment provided is safe and effective.
The General Practice Data for Planning and Research data collection was set up by the NHS to improve health and care services for everyone through the collection of patient data. This will help the NHS to:
- Monitor the safety and effectiveness of care.
- Deliver improved health and care services.
- Prevent the spread of infectious diseases.
- Identify new treatments and therapies through health research.
The practice already shares patient data for these purposes, but this new data collection will be more efficient and effective.
This means that NHS Digital can provide controlled access to patient data to the NHS and other organisations who need to use it, to improve health and care for everyone.
NHS Digital will collect, analyse, publish, and share this patient data to improve health and care services for everyone.
This includes:
- informing and developing health and social care policy
- planning and commissioning health and care services
- taking steps to protect public health (including managing and monitoring the coronavirus pandemic)
- in exceptional circumstances, providing you with individual care
- enabling healthcare and scientific research
NHS Digital has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.
What patient data NHS Digital collects
Data may be shared from the GP medical records about:
- any living patient registered at a GP practice in England when the collection started – this includes children and adults.
- any patient who died after this data sharing started and was previously registered at a GP practice in England when the data collection started.
We will not share your name or where you live. Any other data that could directly identify you, for example your NHS number, General Practice Local Patient Number, full postcode, and date of birth, is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.
This process is called pseudonymisation and means that no one will be able to directly identify you in the data.
In certain circumstances, and where there is a valid legal reason NHS Digital will be able to convert the unique codes back to data that could directly identify you. Only NHS Digital has the ability to do this. An example would be where you consent to your identifiable data being shared with a research project or clinical trial in which you are participating, as they need to know the data is about you.
For more information about when NHS Digital may be able to re-identify the data, and how NHS Digital will use your data, see the NHS Digital General Practice Data for Planning and Research Transparency Notice.
Opting Out of NHS Digital collecting your data
There are two types of opt-out: the Type 1 Opt-out and the National Data Opt-out.
Type 1 Opt-Out
If you choose a Type 1 Opt-out, the practice will not share your data for research and planning. However, NHS England will still be able to collect and share data from other healthcare providers, such as hospitals.
To opt out, complete a Type 1 Opt-out form. The form and further information can be found on the NHS website: Opt out of sharing your health records
If you register a Type 1 Opt-out after your patient data has been shared with NHS Digital, no more of your data will be shared with NHS Digital. NHS Digital will however still hold the patient data which was shared with them before you registered the Type 1 Opt-out.
National Data Opt-Out
If you choose the National Data Opt-out, NHS England and other health and care organisations will not be able to share any of your personal data with other organisations for research and planning, except in certain situations, for example when required by law.
To opt out, you can register a National Data Opt-out.
If you have registered a National Data Opt-out, NHS Digital will not share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.
The legal bases for processing this information
All GP practices in England are legally required to share data with NHS Digital under the Health and Social Care Act 2012.
NHS Digital has powers to publish anonymous statistical data and to share patient data under sections 260 and 261 of the 2012 Act. It also has powers to share data under other Acts, for example the Statistics and Registration Service Act 2007.
Data provision notices can be found on the NHS Digital website.
Under GDPR our legal basis for sharing patient data with NHS Digital is Article 6(1)(c) – legal obligation, as we are required under the 2012 Act to share it with NHS Digital.
The legal bases for sharing patient data about health are:
- Article 9(2)(g) – “…necessary for reasons of substantial public interest, on the basis of Domestic Law which shall be proportionate to the aim pursued…”
- Article 9(2)(h) – “…the provision of health or social care or treatment or the management of health or social care systems and services…”
- Article 9(2)(i) – “…necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…”
- Article 9(2)(j) – “…necessary for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Domestic Law which shall be proportionate to the aim pursued…”
Other Organisations with whom we share your data
The practice may need to share information (where required) with other organisations that do not directly treat you.
These Organisations may be other NHS bodies such as other GP practices or hospitals. Third party service providers may also be used but only when necessary.
When using a third-party service provider to process data on our behalf, we will have an appropriate agreement in place. This will ensure that they are operating appropriately and that any data is kept secure and is only shared within the confines of the agreement.
Our partner organisations
We may have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts/Foundation Trusts
- GPs
- Primary Care Networks
- Integrated Care Systems
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- NHS England (NHSE) and NHS Digital (NHSD)
- Multi Agency Safeguarding Hub (MASH)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
Shared Care Records
When our partner organisations (as above) are involved in your care, we will share information with their systems. This is to support your care when they are looking after you. You may opt out of sharing this information if the sharing is based on your consent.
External companies may also be used to process personal information, for example for archiving purposes. Companies like these are bound by contractual agreements to ensure information is kept confidential and secure. If a sub-contractor acts as a data processor, an appropriate contract will be established for the processing of your information.
Primary Care Networks
The objective of Primary Care Networks (PCNs) is for groups of practices to work together to create more collaborative workforces, easing the pressure on GPs and leaving them better able to focus on patient care. The aim is for all areas within England to be covered by a PCN.
Cape Hill Medical Centre is a member of Caritas PCN, which includes two other Practices: Hill Top Medical Centre and Rood End Medical Practice. This means the practice may share your information with the two other practices within the PCN to provide you with your care and treatment.
National screening programmes
The NHS offers national screening programmes to detect certain diseases at an early stage. These programmes currently include:
- Bowel Cancer Screening: Offered to individuals aged 50 to 74, with home test kits provided every two years.
- Breast Cancer Screening: Available to women aged 50 to 70, with mammograms offered every three years.
- Cervical Cancer Screening: Offered to individuals with a cervix aged 25 to 64, with tests every three years for those aged 25 to 49, and every five years for those aged 50 to 64.
- Abdominal Aortic Aneurysm (AAA) Screening: Offered to men aged 65, with a one-off ultrasound scan.
- Diabetic Eye Screening: Available annually for individuals aged 12 and over with diabetes, to check for early signs of diabetic retinopathy.
To ensure you receive invitations to the appropriate screening programmes, the law permits us to share your contact information with Public Health England. This helps us identify and invite individuals who are eligible for screening.
For more information on these screening programmes, please visit the NHS Screening page or speak to the practice.
Sandwell and West Birmingham NHS Trust
The Practice and Sandwell and West Birmingham NHS Trust have agreed to share patient information to support more integrated care. Through a secure Health Information Exchange (HIE) gateway, each organisation can access patient data created by the other. The HIE operates under strict data protection laws (UK GDPR and Data Protection Act 2018), ensuring that all patient information is securely stored, transmitted, and accessible only to authorised healthcare professionals involved in direct care.
Birmingham and Solihull Shared Care Record
The Birmingham and Solihull Shared Care Record is a regional initiative designed to connect various health and care providers, enabling authorised professionals to access up-to-date patient information across different organisations and locations. It will let health and social care professionals see relevant information about the care and treatment you’ve had across all services. This is done via HealthShare.
Which organisations are involved?
The organisations currently taking part in the programme are:
- GP practices in Birmingham and Solihull
- Birmingham and Solihull Mental Health NHS Foundation Trust
- University Hospitals Birmingham NHS Foundation Trust
- Birmingham Women’s and Children’s NHS Foundation Trust (including Forward Thinking Birmingham)
- Birmingham Community Healthcare NHS Foundation Trust
- The Royal Orthopaedic Hospital NHS Foundation Trust
- Birmingham City Council
- Solihull Metropolitan Borough Council
- Birmingham Children’s Trust
- West Midlands Ambulance Service University NHS Foundation Trust
Health and social care organisations in the neighbouring areas of Coventry and Warwickshire and Herefordshire and Worcestershire will also be able to view your information if necessary for care you receive there.
Staff who access your information must follow the law on keeping your information confidential. Each time they look at your records this will be recorded to make sure they’re only looking at the right information, for the right reasons.
You can object to your information being shared. However, objecting will mean the services giving you care will be unable to view your records from other services. If you do want to object, visit the Shared Care Record website.
One Health and Care
One Health and Care is the NHS shared care record in the Black Country. It allows health and social care professionals directly involved in your care to view relevant information about you which is held by other parts of the NHS and social care. This is done via the Graphnet Portal.
Which organisations are involved?
The organisations currently taking part in the programme are local health and care services:
- GP practices in the Black Country and West Birmingham
- The Dudley Group NHS Foundation Trust
- Sandwell and West Birmingham Hospitals Trust
- Walsall Healthcare NHS Trust
- The Royal Wolverhampton NHS Trust
- Black Country Healthcare NHS Foundation Trust
- Dudley Metropolitan Borough Council
- Sandwell Metropolitan Borough Council
- Walsall Metropolitan Borough Council
- City of Wolverhampton Council
- West Midlands Ambulance Service NHS Trust
Health and care organisations in the neighbouring areas of Staffordshire and Stoke-on-Trent, and Shropshire Telford and Wrekin, will also be able to view your information for the purpose of giving you direct care should it be necessary.
You can object to your information being shared. However, objecting will mean the services giving you care will be unable to view your records from other services. If you do want to object, visit the ‘Our data, your rights’ page.
Our Software and Service Suppliers
We partner with the following Software and Service Suppliers to deliver healthcare services to our patients.
Accurx
The practice uses the Accurx platform to communicate between healthcare staff and patients resulting in improved outcomes and productivity. Functions include text messaging, booking appointments, online triage. Data is transmitted and stored in encrypted form. Your data is stored in an extremely secure UK-based Microsoft Azure data centre.
Ardens
Ardens Clinical
The practice uses the Ardens Clinical toolkit to support clinical decision making and workflow optimisation. Certain updates to the toolkit are available online. All communications are encrypted with the industry-standard Secure Sockets Layer (SSL) protocol. Data is encrypted as a minimum with AES-256 or a reasonable industry alternative.
Ardens Manager
The practice uses Ardens Manager to help support the management of the practice and improve patient care. It’s a cloud-based data analytics software application that provides a range of reporting dashboards. Ardens Manager is hosted on UK-based web servers, and pseudonymisation techniques and encryption are used to protect data.
Optum (Emis Health)
The practice uses the clinical system “EMIS Web” supplied by Optum (Emis Health). This is an electronic system for primary care that is used to record and store patient information.
Information is available on their website: www.emishealth.com. Use this link: EMIS Group Privacy Notice to access Optum (Emis Health’s) Privacy Notice.
Changes to where and the way EMIS Web processes Data
In June 2019, EMIS commenced storing patient data in a third-party cloud environment, specifically Amazon Web Services (AWS), for its EMIS Web system. This change involved moving the data from EMIS's own data centre. This migration was part of a broader effort to enhance data security and infrastructure.
The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.
Docman
The practice uses “Docman 10” a document workflow system supplied by Docman. It is a cloud-based software platform designed to manage incoming clinical correspondence and securely transfer structured messages and documentation between healthcare providers and GP practices.
Docmail
The practice uses DocMail software and services, provided by CFH Total Document Management Ltd. DocMail is a secure, fast online method of producing, managing and sending personalised documents.
Healthtech1 Ltd
The practice uses Healthtech1 to automate new patient registrations. It is a web-based system that integrates with the electronic health record. Information that the patient submits online is used to register the patient with the practice.
NHS App
The NHS App enables patients to securely access health services including the booking of appointments, ordering prescriptions, and viewing their electronic GP health record. To use the NHS App, you must set up an NHS login and verify your identity. The app employs advanced encryption to protect your personal health data, ensuring that your information remains secure. Additionally, you can use biometric authentication, such as fingerprint or facial recognition, for convenient and secure access.
NHS Health Checks (Health Diagnostics LTD)
The NHS Health Check is a free check-up for adults aged 40 to 74 who do not have pre-existing conditions like heart disease, diabetes, or high blood pressure. It assesses risk factors such as cholesterol, blood pressure, and lifestyle habits to help prevent serious health issues like heart disease, stroke, kidney disease, and type 2 diabetes. The check includes:
- Measuring height, weight, and waist circumference
- Blood pressure test
- Cholesterol and blood sugar tests
- Lifestyle questions about smoking, alcohol consumption, physical activity and family medical history
The results are used to calculate a 10-year cardiovascular risk score, which guides personalised advice and support.
Role
Health Diagnostics Ltd supports NHS Health Checks through a digital platform that provides:
- Targeted invitations: automated, personalised outreach to eligible patients.
- Interactive consultations: tools to help patients understand their health status.
- Personalised health reports: clear feedback on the measurements taken.
- Data transfer: integration with the GP record so that results are recorded for continuity of care.
- Data analytics: insights used to improve service delivery and outcomes.
Health Diagnostics states that it prioritises data security and complies with NHS standards:
- Data is encrypted and stored securely in the UK.
- Access is restricted to authorised health professionals.
- Personal information is not shared with third parties without consent.
- Patients have the right to access their data through a subject access request.
Numed
The practice uses spirometry and blood pressure monitoring devices, and a patient call system, provided by Numed. When required, Numed provides support for these devices, systems and their associated software.
Practice Website (www.capehillmedicalcentre.co.uk)
The practice website is provided by My Surgery Website. All website data is stored in encrypted databases hosted on UK-based servers. The site is served over HTTPS (TLS) with a valid certificate that uses a SHA-2 signature and is kept up to date.
Surgery Connect
The practice uses Surgery Connect, a cloud-based telephone system supplied by X-on that provides call recording and call management. Call recordings and related information are encrypted and access-controlled in line with data protection law.
iGPR
To help with the processing of requests made by patients and insurers, the practice uses iGPR software and services, supplied by iGPR Technologies Limited. In short, iGPR is used when responding to report requests relating to patient data, for example subject access requests submitted by a patient or by someone acting on the patient's behalf.
Microsoft 365 Applications
Microsoft is a key technology partner to the NHS. Our practice uses Microsoft 365 applications for tasks such as patient letters, email communication and data analysis. Microsoft 365 encrypts your data both at rest and in transit, using Transport Layer Security (TLS) for connections, Secure Real-Time Transport Protocol (SRTP) for voice and video media, and the Advanced Encryption Standard (AES) with 256-bit keys for stored data. Microsoft also applies multiple layers of encryption to guard against unauthorised access.
MIDLANDS AND LANCASHIRE COMMISSIONING SUPPORT UNIT (MLCSU)
NHS Midlands and Lancashire Commissioning Support Unit (MLCSU) is commissioned by our Integrated Care Board (ICB) to provide IT support for our practice, covering PC hardware, peripherals and software issues. MLCSU's IT services are governed by stringent data protection standards. Employees with access to personal data are bound by confidentiality agreements and the common law duty of confidentiality. MLCSU handles and processes personal data in accordance with the Data Protection Act 2018 and the UK GDPR.
Patient Access
Patient Access enables patients to access their GP electronic health record remotely. Functions such as repeat prescription ordering and appointment booking are available. The application protects patient data and privacy through measures such as two-factor authentication and encrypted (HTTPS) connections, so that only authorised users can access patient information and data is transmitted securely.
With your consent we would also like to use your information
We may want to use your information to contact you or to offer you services that may benefit you. We will only do this with your consent. There may also be occasions where authorised research organisations would like you to take part in innovations, research, service improvement or trend analysis. You will be asked to opt in to such programmes if you are happy to do so.
At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place.
This information is not shared with third parties or used for any marketing, and you can unsubscribe at any time via phone, email or by informing the practice.
Sharing your information without consent
We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:
- where there is a serious risk of harm or abuse to you or to other people;
- safeguarding matters and investigations;
- where a serious crime, such as assault, is being investigated or could be prevented;
- notification of new births;
- where we encounter a notifiable infectious disease that may endanger the safety of others, such as meningitis or measles (HIV/AIDS is not notifiable);
- where a formal court order has been issued;
- where there is a legal requirement, for example if you have committed a road traffic offence.
How we maintain the confidentiality of your records
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the following:
- Data Protection Act 2018
- The UK General Data Protection Regulation (UK GDPR)
- Human Rights Act 1998
- Common law duty of confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
Everyone who works in the NHS is legally obliged to keep information about you confidential.
All our staff receive regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality. Information will only be used or passed on if others involved in your care have a genuine need for it.
Information will not be disclosed to any third party without your permission unless there are exceptional circumstances, for example life or death situations or where the law requires information to be passed on.
Objections/Complaints
Should you have any concerns about how your information is managed at the practice, please contact Cape Hill Medical Centre in the first instance. If you are still unhappy following a review of your concerns by the practice, you have the right to lodge a complaint with the supervisory authority, the Information Commissioner's Office, using the contact details below:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 01625 545745
If you are happy for your data to be used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, please email capehillmedicalcentre@nhs.net and address your concerns to the Practice Data Protection Officer, Dr Jonathan Bown.
GP transparency notice for pandemic planning and research
Adult Privacy Information Leaflet
Childrens Privacy Information Leaflet
How we use your information to provide you with healthcare
How your information is used for medical research and to measure the quality of care
How the practice shares your information to meet legal requirements
Why we process your data and your rights
Important information - How we use your medical records

GDPR Lead
Our Caldicott Guardian and Data Protection Officer is Dr Jonathan Bown
Page created: 27 August 2021