Privacy Notice

Version History

Version | Review Date | Edited By | Approved By | Comments
1.0 | 13/07/2023 | Anthony Nicholas | Partners | Review 13/07/2024
1.1 | 02/08/2024 | Anthony Nicholas | Partners | Updated DPO – Review 02/08/2025
1.2 | 21/10/2025 | Anthony Nicholas | Partners | OpenSafely – check information correct

Introduction

We understand how important it is to keep your personal information safe and secure, and we take this very seriously.

We have taken steps to make sure your personal information is looked after in the best possible way, and we review this regularly.

Please read this Privacy Notice carefully, as it contains important information about how we use, disclose, and safeguard your personal and healthcare information when you visit our website or interact with our services.


How We Use Your Personal Information

This Privacy Notice explains why the Practice collects information about patients, members of staff, and visitors (known as Data Subjects) and how we use that information.

To provide you with the best possible service, we collect information about you from a range of sources such as local NHS hospitals. This information is used to support your healthcare.

Under the UK General Data Protection Regulation (UK GDPR), information about your physical and mental health, racial or ethnic origin, and religious belief is considered special category (sensitive) personal data and is subject to strict laws governing its use.

The Practice is legally responsible for ensuring all processing of personal information complies with UK GDPR. As the data controller, we are responsible for maintaining the security and confidentiality of the personal information that you provide.


Security of Information

Confidentiality affects everyone. Middlestown Medical Centre collects, stores, and uses large amounts of personal and sensitive data daily — such as medical and personnel records.

We are committed to ensuring confidentiality and compliance with all relevant legislation.

  • The Partners have appointed a Senior Information Risk Owner (SIRO) – accountable for managing information assets and associated risks.
  • A Caldicott Guardian oversees the management of patient information and confidentiality.

Legal Basis for Processing Your Information

Special Category Data (Sensitive Data, including Health Records)

  • Explicit consent
  • Employment, social security, and social protection (if authorised by law)
  • Vital interests – life and death
  • Made public by the data subject
  • Legal claims or judicial acts
  • Reasons of substantial public interest (with a basis in law)
  • Health or social care (with a basis in law)
  • Public health (with a basis in law)

For Personal Data

  • Consent: Clear consent given for a specific purpose
  • Contract: Necessary for a contract or pre-contract steps
  • Legal obligation: Required to comply with the law
  • Vital interests: Life or death situations
  • Public task: Task in the public interest or official function with a legal basis

Why We Collect Information About You

Clinicians and health professionals keep records to ensure you receive the best care. These may include:

  • Basic details (name, address, NHS number, date of birth, etc.)
  • Contact history (appointments, visits)
  • Notes and reports about your health, treatment, and care
  • Diagnosis, treatment details, allergies, and test results
  • Information from other healthcare professionals or relatives
  • Visitor information (e.g., name and vehicle registration)

Keep your contact details accurate and up to date to avoid missing important correspondence.

By providing contact details, you agree to communication via post, phone, SMS, or email regarding your healthcare.


How Your Personal Information Is Used

Your records are used to:

  • Ensure healthcare professionals have accurate, up-to-date information
  • Assess and improve care quality
  • Investigate complaints
  • Provide information for referrals or consultations
  • Support teleconsultations (telephone/video) under the same confidentiality standards

The NHS Care Record Guarantee

The Care Record Guarantee commits to using your records in ways that respect your rights and promote your wellbeing.

Read more: Care Record Guarantee (archived)


Records Management Code of Practice

The Records Management Code of Practice for Health and Social Care 2020 sets NHS best practice for managing records.

More info: NHSX Guidance


Retention of Records

Records are retained and destroyed per the NHS Records Management Code of Practice.

No patient record is kept longer than necessary. All records are destroyed confidentially after the retention period.


Sharing Information

Information may be shared for direct care and indirect care purposes.

Direct Care

Shared with:

  • NHS Trusts, hospitals, and other GPs/PCNs
  • NHS Digital and NHS bodies
  • Ambulance Services
  • Integrated Care Boards (ICBs)
  • Social Care and Local Authorities (where relevant)

Indirect Care

Used to:

  • Review care quality
  • Investigate complaints
  • Support research (with consent)
  • Conduct audits, education, and planning

National Data Opt-Out

You can choose whether your confidential information is used beyond your individual care.

Learn more or manage your preferences at www.nhs.uk/your-nhs-data-matters.


OpenSAFELY COVID-19 Service

The OpenSAFELY service allows secure research and analysis using pseudonymised GP data.

Only approved users may run non-identifiable queries.

Patients may register a Type 1 opt-out with their GP.


Other Uses of Information

Call Recording

Telephone calls are recorded for:

  • Compliance
  • Quality control
  • Training and service improvement
  • Crime prevention and staff protection

CCTV

Used for safety, crime prevention, and operational monitoring.

Subject Access Requests for CCTV must include identifying details.


Your Data Rights (UK GDPR)

You have the right to:

  • Access your personal data
  • Know who data has been disclosed to
  • Request correction or deletion (where applicable)
  • Data portability
  • Lodge a complaint with a supervisory authority

You may also object to data sharing or withdraw consent at any time.


Accessing Your Health Records

Requests must be made in writing to the Practice.

Responses will be provided within one month (extendable for complex cases).


Employee Notice

Covers recruitment, employment, and HR-related data — including contact details, qualifications, DBS checks, and references.

Information may be shared with:

  • Employers, regulators, and government departments
  • HMRC, DBS, auditors, and professional bodies

Employee rights mirror those of patients under UK GDPR.


Freedom of Information

Requests for general information can be made under the Freedom of Information Act 2000.

Requests about personal data should be made as a Subject Access Request.


Data Controller and Contact Details

Data Controller:

Dr Laura Darby, GP Partner, Caldicott Guardian

Data Protection Officer (DPO):

Helen Holt – [email protected]

Unit 13, Ainley Bottom, Ainley Industrial Estate, Elland, HX5 9JP


Raising a Concern

If you have a concern about your care or how records are managed, contact the Practice Manager.

You can also contact:

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Phone: 0303 123 1113

Website: www.ico.org.uk


This website collects some personal data from users, as stated in our website provider’s Privacy Policy.