This privacy notices explains:
What type of information do we collect about?
To be able to be able to provide you with care and for our other purposes we need to collect information about you. This includes:
- The Practice also records CCTV images for the prevention and detection of crime
- Your contact details (such as your name, age, gender, ethnicity, address and email address)
- Details and contact numbers of your next of kin
- Details in relation to your medical history
- The reason for your visit to the organisation
- Any contact the organisation and/or your practice has had with you including appointments (emergency or scheduled), clinic visits, etc.
- Notes and reports about your health, details of diagnosis and consultations with our GPs and other health professionals within the healthcare environment involved in your direct healthcare
- Details about the treatment and care received
- Results of investigations such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
- Recordings of telephone conversations between yourself and the organisation
Why we collect information about you?
The main reason we collect information about you is for your direct care and treatment, this includes to ensure safe and high-quality care for all our patients. We also collect and use information for other purposes such as research.
Other reasons for collection of information may include: safety of patient and staff, prevention and detection of crime
Further details on why we collect personal data about you can be found further below under the section ‘Specific Privacy Notices’
Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest.
How we keep your information secure?
All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. All the personal data we process is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have data protection processes in place to oversee the effective and secure processing of your personal and/or special category data.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulations (which is overseen by the Information Commissioner’s Office), The Data Protection Act 2018, Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.
All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for Manor Brook Medical Centre an appropriate contract (Article 24-28) will be established for the processing of your information.
Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR), The Data Protection Act 2018and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected.
Who we share your information with?
In order to comply with its legal obligations, this organisation may have to send data to NHS England when directed by the Secretary of State for Health under the Health and Social Care Act.
Additionally, we may have to contribute to national clinical audits and will send the data that is required by NHS Digital as the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Under the UK General Data Protection Regulation, where we are providing direct care to you, or managing your direct care, we will be lawfully using your information in accordance with:
- Article 6, 1, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Article 9, 2, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems
For the lawful bases for the processing and collection of your data outside of the above, you can locate these in the individual specific privacy notices linked below.
Whenever you use a health or care service, such as attending the local hospital or using the district nursing service, clinical information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, researching to develop new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations.
However, as explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.
We may pass your personal information on to the following people or organisations because these organisations may require your information to assist them in the provision of your direct healthcare needs. It therefore may be important for them to be able to access your information in order to ensure they may deliver their services to you:
- Other ‘data processors’, e.g., Diabetes UK
- Hospital professionals (such as doctors, consultants, nurses etc.)
- Other GPs/doctors
- Primary Care Networks
- NHS Trusts/Foundation Trusts/Specialist Trusts
- NHS Integrated Care Boards,
- NHS England (NHSE)
- Multi-agency Safeguarding Hub (MASH)
- Independent contractors such as dentists, opticians, pharmacists
- Any other person who is involved in providing services related to your general healthcare including mental health professionals
- Private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc.
- Voluntary sector providers
- Ambulance Trusts
- Integrated Care Systems. Local authority, Social care services, Education services
Information may also be shared with appropriate or authorised organisations like the police and the court for the purpose of investigation, court proceeding and prevention and detection of crime where we are required to
How long do we keep your personal information and your rights as a patient?
We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.
More information on records retention can be found online at: NHSX – Records Management Code of Practice 2022.
Your rights as a patient
The law gives you certain rights to your personal and healthcare information that we hold as set out below:
| Access and Subject Access Requests | You have the right to ask us for copies of your personal information. Please speak to reception regarding SAR forms or online access to records |
| Correction | We want to make sure that your personal information is accurate and up to date. If you believe that entries within your GP record are inaccurate, incorrect or misleading then please do let us know. You can make a request for rectification verbally or in writing |
| Removal | You have the right to ask us to erase your personal information in certain circumstances. You can make a request for rectification verbally or in writing. This is not an absolute right, and certain exemptions do apply.Please be aware that an alteration to an electronic record, or deletion of an entry in it, is always preserved (together with the original entry) as part of the electronic audit trail. |
| Objection | You have the right to object your information been shared with anyone else without your consent. However, this right is not absolute, and this right may be limited under certain situations if there is good reason or in public interest. Please contact the Practice for further information. |
| Transfer | You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation but we will require your clear consent to be able to do this. |
Summary care records and london care record
Summary care records
During the height of the Covid-19 pandemic, changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it to support direct patient care, leading to improvements in both care and outcomes.
The full supplementary privacy notice for the Summary Care Record has been published by NHS Digital here.
London Care Record
This practice uses a shared record system called the London Care Record. The London Care Record is a secure view of your health and care information and lets health and care professionals involved in your care see important details about your health when and where they need them. Having a single, secure view of your information helps speed up communication between care professionals across London, improves the safety of care and can save lives.
London Care Record can only be lawfully looked at by staff who are directly involved in your care. Your information isn’t available to anyone who doesn’t need it to provide treatment, care and support to you. Your details are kept safe and won’t be made public, passed on to a third party who is not directly involved in your care, used for advertising or sold.
For more information, please read the London Care Record privacy notice for South East London here: SEL-ICS-Privacy-Notice-SEL-London-Care-Record-v1.0-updated.pdf (selondonics.org)
Opting out of the London Care Record
You have the right to object to your information being available through London Care Record. Although patients have the right to object and request restrictions on sharing their records, there may be instances where this request will not be upheld due to a clinical need as determined by the direct care giver. Please discuss this with your GP/ health and social care worker and you can find further information in this London Care Record leaflet.
For further information and advice about data protection or your right to object to sharing your data you can contact the team at Lewisham and Greenwich Trust who manage the London Care Record for South East London www.lewishamandgreenwich.nhs.uk/london-care-record or you can call 020 3192 6011 and leave your name and number for someone to contact you.
If you have already requested to stop sharing on ConnectCare/Local Care Record in South East London, then you will not have to request this again for London Care Record.
Key contacts for data and privacy
If you have any queries, concerns or are unhappy about any of our services,
please contact the Practice Manager on 020 8269 2040.
If you would like any further information about primary or secondary uses of your GP record, opting out, the NHS Databases, access to your medical record, confidentiality, or about any other aspect of NHS data sharing or your medical records, then please do contact the surgery’s Caldicott Guardian / Information Governance lead / Data Protection Officer:
Data Protection Officer: Mr Rezaur Choudhury, [email protected]
Caldicott Guardian: Dr Mary Clare Parker
Senior Information Risk Owner: Dr Rebecca Moore
Information Governance Lead: Dr Mary Clare Parker
Vanbrugh Group Practice is registered with the Information Commissioners Office (ICO) to describe the purposes for which they process personal and sensitive information.
Information Commissioner’s Office Details
If you are unhappy with how information has been handled, please speak to Practice Manager first or for independent advice about data protection, privacy, and data sharing issues, you can contact:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Phone: 08456 30 60 60
Website: www.ico.gov.uk
Opting out of sharing your data
You can choose whether or not your data is used for research and planning. There are different types of data-sharing you can opt out of.
- Stop your GP surgery from sharing your data. This is called a Type 1 Opt-out.
To do this you need to fill in an opt-out form and return it to your GP surgery https://assets.nhs.uk/nhsuk-cms/documents/Type1Opt-outform.docx
Only your GP surgery can process your opt-out form. They will be able to tell you if, and when, you have been opted out.
If you choose a Type 1 Opt-out, your GP will not share your data for research and planning. However, NHS Digital will still be able to collect and share data from other healthcare providers, such as hospitals. We will also still be able to share your data for your direct care, or to provide you with healthcare or treatment.
Find out more about Type 1 Opt-out from NHS Digital’s transparency notice
- Stop NHS Digital and other health and care organisations from sharing your data for research and planning. This is called the National Data Opt-out.
To opt out online or find out more, visit Make your choice.
If you choose this opt-out, NHS Digital and other health and care organisations will not be able to share any of your personal data with other organisations for research and planning, except in certain situations. For example, when required by law.
If you want to check if you have opted out, you can enter your details again at Make your choice or check your settings in the NHS App.
You can opt out, or opt back in again, at any time.
Specific privacy notices
Access to Medical Records
Complaints, SARs & FOI
CQC
Data Processors
Direct Care
Direct Care Emergencies
Enhanced Access
HR, Staffing and Recruitment
LeDer Programme
Litigations and Claims
National Screening & Reporting Programmes
NHS Digital
Patient Communications
Patient Participation & Engagement
Payments
Public Health
Reporting Knife and Gunshot Wounds
Research
Risk Stratification
Safeguarding