Privacy Policy for Patients

This page was updated on 6th March 2024 by Matthew Payne


“We”, “Us”, “Data Controller” are your GP practice

“You” refers to the patient

“Third party” or “Data Processor” is Healthtech-1

Conditions and Privacy

To receive healthcare from the NHS You must complete a New Patient Registration Form, this can be done online or in person at the practice. So that we can provide you with the best care, we ask for more information than required to register you as a patient. In order to support the timely and accurate processing of your online Patient Registration Form we use third parties to process your data.

Practice Boundary

We are at liberty to choose whether to register patients inside and outside of our practice boundary. If We choose to register patients outside of our practice boundary area, those patients will have a restricted set of services. For example, we will not provide home visits. This is to prevent our staff from being obliged to travel long distances.

Providing an NHS Number

When registering it is important that You provide your NHS number. This number is used to locate your medical record. Without this number, there is a high chance the practice will experience delays in receiving your medical record, and it can even be lost.

For patients registering from outside of England, your medical record will not be electronically transferred. If You are from Scotland, Wales or Northern Ireland by providing your NHS number, We will be able to receive a physical copy of your medical record, which can be manually summarised into an electronic record.

You can find your NHS number using the following NHS service: https://www.nhs.uk/nhs-services/online-services/find-nhs-number/

Patient Demographic Service (PDS)

Your NHS number is accessed through an NHS Digital service called the Personal Demographic Service (PDS). Basic information such as your name, address and date of birth is sent to the PDS in order to find your NHS number. Once retrieved from the PDS, the NHS number is stored to enable your registration to be matched to your NHS records. This data is retained in line with our record retention policies and in accordance with the Data Protection Act 1998, Government record retention regulations and best practice.

You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care, but will result in your registration needing to be done manually by the practice without the use of third party processing. Your NHS number will still be used by the practice.

If you wish to opt-out from the use of your NHS number by the third party to process your registration to the practice, you can contact us.

Your first GP

If this is your first GP and You do NOT have an NHS number, You will be asked to provide evidence of your identity. One of the following documents as proof of ID. It is not mandatory to provide these to be registered:

  • Passport
  • UK Driving Licence
  • Home Office Card with Photo
  • Birth Certificate (in English) for children under 16 years old.
  • For children under 6 years old, please bring Red Book or Immunisation Record.

We are a Safer Surgery. This means that We are committed to providing equal access to our services for everyone in our practice area, regardless of their immigration status. This is in line with our duties under NHS England guidelines for GP registration and informed by our knowledge of the barriers to healthcare faced by migrants in vulnerable circumstances.

Registration Refusal

To protect the wellbeing of our practice staff, We will not be registering patients that have in the past breached the Zero Tolerance Policy and as a result had been removed from the Practice Register. You can find our Zero Tolerance Policy on our website.

Third Parties

We use a third party to process your registration quickly, and to ensure We have the greatest chance at locating your medical record. Accordingly we’ve asked Healthtech-1, to process your personal and sensitive data with the purpose of improving your registration experience in both speed and accuracy. We are the Data Controller, and Healthtech-1 is the Data Processor.

This means that We (the practice) instruct the Data Processor on what data is processed and how this will be done. This role is undertaken in accordance with the General Data Protection Regularly (GDPR) and the Data Protection Act 2018.

For all requests regarding the control of your data, please contact the GP practice.

The purposes of the processing

To deliver GP practice services that are required by law. We’ve instructed, the Data Processor process your data to enable the online registration process to be completed. As a Controller, We need to collect this information to safely register You as a patient, and receive electronic copies of your GP notes from your previous practice.

The lawful basis for the processing

Providing services for:

  • the provision of health care or treatment
  • the management of health care systems or services or social care systems or services

The lawful basis lies within Article 6 of the UK GDPR.:

6(1)(e) Public task: the processing is necessary for You to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

The lawful basis of processing special category data lies within Article 9 of the UK GDPR:

9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Here’s a helpful document provided by the ICO.

Additionally in Data Protection Act 2018 (Schedule 10, 8. Medical Purposes (1,b)):

Medical purposes:

8(1)The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

In this paragraph, “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

The legitimate interests for the processing

The provision of healthcare or treatment and the management of health or social care systems and services.

The categories of personal data obtained

A summary of the data is provided here, but please see all data fields collected listed in the appendix below.

Personal data: name, address, date of birth, contact information e.g. telephone number.

Special category data: ethnicity, gender identity

The recipients or categories of recipients of the personal data

We use other organisations to either store personal information or use it to help deliver our services to you:

  • The provider of the automated patient registration service, the Data Processor.
  • The Integrated Care Boards (ICBs) who fund the service and the Department of Health (including Public Health England) can receive anonymised data only. These reports include anonymised data and therefore do not include identifiable personal data such as: your name, date of birth, contact details, or full address.

We the controller (the GP practice) and the Data Processor have an agreement in place to make sure that the organisations that your data is shared with comply with data protection law.

Sometimes there is a legal duty to provide personal information to other organisations.

There may also be occasions that your personal information is shared, when We or the Data Processor consider/believe that there is a good reason to do so, which is more important than protecting your privacy. This doesn’t happen often, but in these circumstances your information may be shared:

  • to find and stop crime and fraud,
  • if there are serious risks to the public, our staff or to other professionals,
  • to protect a child,
  • to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.

For all these reasons, the risk must be serious before We can override your right to privacy.

If in providing this service the practice, or the Data Processor are worried about your physical safety or feel they need to take action to protect You from being harmed in other ways, they will discuss this with You and, if possible, get your permission to tell others about your situation before doing so.

The Data Processor may still share your information if they believe the risk to others is serious enough to do so.

If this is the case, the Data Processor will make sure that a record of what information is shared and the reasons for doing so. We will let You know what We have done and why, if We think it is safe to do so.

The details of transfers of your personal data to any third countries or international organisations

The majority of your personal data is stored on secure servers in the UK only. However, limited personal data is processed outside of the UK (in the EU and US) in order to communicate with You via text message and email. This international transfer of data is compliant with UK GDPR (Appendix B).

The retention periods for the personal data

In line with national clinical guidelines (page 54), your online registration record (registration form) will be retained by the practice for a minimum of 6 years after the last recorded entry. As standard your online registration from will be kept for 10 years e.g. your last data entry was 1 January 2018, your personal information will be automatically deleted from the form on the 1 January 2028.

If You are aged 16 or 17 years old, your online registration form will be retained for 10 years after your 18th birthday. For example if your last data entry is 1 January 2018 and your 18th birthday is 1 February 2018 then your data will be deleted on 1 February 2028. After that point, your personal identifying information (e.g. name, house number, street name, telephone number and email) will be removed from your registration form only to provide an anonymised data set for statistical and research purposes only.

The Data Processor will only hold your personal information for as long as it is necessary to fulfil their legal duties or business purposes. If You register at another GP practice using the same Data Processor the 10 year period will be refreshed. This is based on national guidance. You can still register without agreeing to these terms, by visiting the GP practice and completing a paper registration form. We can ask the Data Processor to delete your personal data at any time, and the Data Processor will do this automatically if We cease to use their services.

The rights available to individuals in respect of the processing

The law gives You a number of rights in relation to what personal information We use. These rights are listed below.

After confirming your identity, You can ask Us to provide You with:

  • a copy of the personal information that We hold about You (Subject Access Request) within 1 month free of change with
  • correct personal information about You which You think is inaccurate
  • delete personal information about You if You think We should no longer be using it
  • stop using your personal information if You think it is wrong, until it is corrected
  • transfer your personal information to another provider in a commonly used format
  • review automated decision-making processes that have been used to make decisions about you.

The right to withdraw consent and the right to erasure do not apply due to the nature of the services being provided and the basis in law for processing this data. We, as the controller of your data, will consider requests to remove personal identifying information from your record. Your rights may exercised via the Data Processor.

The source of the personal data

The personal data provided by You when completing an online registration form, in the first instance is held by the Data Processor. If You subsequently contact Us via reception or the phone to register as a patient, We will inform the Data Processor of that attendance so that they can be sure that You have not been lost to care. No further details will be shared with the “Data Processor”. If You communicate with the Data Processor directly they will record the advice and support that they have provided to You.

The details of automated decision-making, including profiling

The Data Processor uses automated decision-making to verify your identity, and your address to broker out of catchment area registrations. Automated decision-making, based on national clinical guidelines is also used to determine whether the online service is clinically appropriate for your individual circumstances. If the automated decision-making process determines that You are unsuitable for the automated patient registration (e.g. a child registering without a person of parental responsibility registered at the practice), You can visit the practice to complete your patient registration.

No profiling is undertaken, and We have no plans to do so. Profiling would only ever be used to help Us to fulfil our duties under the Equality Act 2010 in advancing equality of opportunity between people who share a protected characteristic and people who do not share it.

Abandonment recovery on the online registration form

The online registration form allows us to follow up with you if you begin filling out but do not complete it. You accept that by starting the registration form you consent to the information you enter being used for abandonment recovery communications. These communications are seen as ‘Service Messages’ as per the Privacy and Electronic Communications Regulation.

When you pass the ‘Your Details’ part of the online registration form, we retain the name, email and mobile phone number you enter, even if you do not go on to complete the form. This is so that, if you partially complete a form and then abandon it, we may use the contact information you provided to send you an email or text informing you how to finish the form.

We use this information solely for the purpose of following up with you regarding the incomplete form and providing you with assistance. We do not use this information for any other purpose.

Your name, email and mobile phone number will be processed by Healthtech-1’s email and text messaging sub-processor, Customer.io and FireText (see Appendix B).

Any information entered to the form up to the point of abandonment is stored securely in the same UK data centre (Microsoft) as submitted registration forms. It will be deleted after 30 days if you do not recover and submit the registration form.

The right to lodge a complaint with a supervisory authority

For independent advice about data protection, privacy and data sharing issues, You can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office

Wycliffe HouseWater Lane



Tel: 0303 123 1113 (local rate) or 01625 545 745 if Youprefer to use a national rate number.

Alternatively, visit http://www.ico.org.uk or email casework@ico.org.uk.

Appendix A

List of variables and the questions on the form.

Variable Stored
First let's check We serve your address. What's the patient's postcode?
Your title
Your first name
Your middle name(s)
Your last name
Your email address
Your mobile number
Your home number
Who are you registering for?
Why are you registering today?
What's your title?
What's your first name?
What's your last name?
What's your email address?
What's your contact number?
What's your relationship to the patient?
What's your English NHS number?
How would you describe your gender identity?
Is your gender identity the same as the sex you were registered at birth?
What's your sexual orientation?
Your religion?
Whats your date of birth?
What's your ethnicity?
Are you are coming back from living abroad?
When did you leave the UK?
When did you return to the UK?
Were you born in England?
Where were you born?
When did you first come to live in England?
Do you need an interpreter?
Which language do you need translation for?
Have you been registered with an Armed Forces GP before?
What were you registered as?
What is your enlistment date?
Do you attend an educational institution?
What kind of institution is it?
What's the name of it?
Is the child one of multiple siblings with the same date of birth?
Is the patient a fostered child?
Do they have a social worker?
What is the social worker's full name?
The social worker's contact number
The social worker's email address
Please type the postcode of your address
Please type the postcode of your address
Please type the postcode of your address
Please type the postcode of your address
Please type the postcode of your address
Please type the postcode of your address
Please type the postcode of your address
Please type the postcode of your address
Please type the postcode of your address
Do you live in a residential care home or a nursing home?
Would you like to share a summary of your GP care record (SCR) with authorised care professionals? For example, NHS 111, 999 and Accident & Emergency departments.
Does the child also live with the person with parental responsibility?
What's their title?
What's their first name?
What's their last name?
What's their gender?
What's their date of birth?
What's their contact number?
What's their email address?
What's their relationship to the child?
Is the person with parental responsibility already registered at {gpCode}?
What's the postcode of the person with parental responsibility's address?
What's the postcode of the person with parental responsibility's address?
What's the postcode of the person with parental responsibility's address?
What's the postcode of the person with parental responsibility's address?
What's the postcode of the person with parental responsibility's address?
What's the postcode of the person with parental responsibility's address?
What's the postcode of the person with parental responsibility's address?
What's the postcode of the person with parental responsibility's address?
What's the postcode of the person with parental responsibility's address?
The next of kin's title
The next of kin's first name
The next of kin's last name
Their gender
Their email address
Their contact number
What's the next of kin's relationship to you?
When did permission of care start?
Do they live with you?
In the case of an emergency, can We discuss your medical record with them?
Are they your carer?
Are they a patient with us already?
Have you had other first or last names in the past?
Previous first name(s):
Previous  last name(s):
Have you lived at an address in the UK that is different to your current address?
Please type the postcode of your previous address:
Please type the postcode of your previous address:
Please type the postcode of your previous address:
Please type the postcode of your previous address:
Please type the postcode of your previous address:
Please type the postcode of your previous address:
Please type the postcode of your previous address:
Please type the postcode of your previous address:
Have you ever had a GP in England before?
Who was your previous GP practice?
Who was your previous GP practice?
Would you like to keep your current pharmacy?
What's the best way to contact you when it comes to your medical circumstances?
Can We contact you about updates at the practice?
How happy are you with this registration process?
Why did you gave that score?
Does the patient have any repeat prescription medication?
Does the patient have any repeat prescription medication?
Does the patient have any of the following long term conditions?
Would the patient like a blood borne virus screening test?
Do you have any disabilities?
Please provide more details about your disabilities
How tall are you in centimetres?
How much do you weigh in kilograms?
Do you have any allergies?
What's the allergy? / How does this allergy affect you?
How much exercise do you do?
What's your smoking status?
How many cigarettes did you or the patient smoke per day? An estimate is fine
Would you like free smoking advice and support?
Do you drink alcohol?
In the last year, how often have you had 8 (for men) / 6 (for women) or more units of alcohol on a single occasion?
In the last year, how often have you failed to do what was normally expected of you because of drinking?
In the last year, how often have you forgotten what happened because you had been drinking?
In the last year, has a relative, friend, doctor or other health worker been concerned about your drinking or suggested that you cut down?
Would the patient like to be tested for HIV?
Would the patient like to be tested for HIV?
Would the patient like to be tested for Chlamydia?
Are you happy with this medical survey?
Would you like to be part of our Patient Participation Group?

Appendix B

Full list of data points collected and stored by sub-processors outside of the UK. A full sub-processor list can be made available on request.

These data points are used to send personalised messaging (text and email) to patients. Examples include but are not limited to:

1) sending a confirmation of form receipt email

2) sending welcome emails with their new GP’s details

3) asking for more documentation because We are their first GP

4) suggesting that patients fill in the medical form

5) telling parents about their child’s registration

6) fulfil patient requests. E.g. with wantsSmokingAdvice, We send them a link to a local smoking cessation advice resource

European (Belgian) Subprocessor - Customer.io to send E-mails to patients:

●  id (identifier allocated by Healthtech-1)

●  gpCode

●  gpName

●  namedGp

●  gpWebsite

●  gpEmail

●  gpAppointmentsUrl

●  createdAt

●  firstName

●  lastName

●  hasMobileNumber

●  mobileNumber

●  email

●  registrationFor

●  dateOfBirth

●  isFirstGp

●  registrationReason

●  satisfaction

●  medicalSatisfaction

●  contactConsent

●  wantsSmokingAdvice

●  person of parental responsibilityRelationship

●  person of parental responsibilityTitle

●  person of parental responsibilityFirstName

●  person of parental responsibilityLastName

●  person of parental responsibilityDateOfBirth

●  person of parental responsibilityContactNumber

●  person of parental responsibilityEmail

●  withinPracticeCatchment

●  armedForcesRole

●  isCarer

These data / meta-data points in customerio are internal only, and help us understand where a patient is in their registration journey.

●  updatedAt

●  registrationType

●  registrationModifiers

●  internalStatus

●  lastCompletePage

●  internalStatusMedicalForm

●  lastCompleteMedicalPage

UK Subprocessor - FireText to send Texts to patients:

●  First name

●  Mobile number

●  GP Practice

●  Usual GP

US Subprocessor Postmark to send Emails to GP practices:

●  Patient last name

●  Patient DOB

●  Patient Title

●  Passover to practice reason - no sensitive information included