
Privacy Policy for Patients

This page was updated on 6th March 2024 by Matthew Payne

Terms

“We”, “Us”, “Data Controller” are your GP practice

“You” refers to the patient

“Third party” or “Data Processor” is Healthtech-1

Conditions and Privacy

To receive healthcare from the NHS, You must complete a New Patient Registration Form. This can be done online or in person at the practice. So that we can provide you with the best care, we ask for more information than is required to register you as a patient. To support the timely and accurate processing of your online Patient Registration Form, we use third parties to process your data.

Practice Boundary

We are at liberty to choose whether to register patients inside and outside of our practice boundary. If We choose to register patients outside of our practice boundary area, those patients will have a restricted set of services. For example, we will not provide home visits. This is to prevent our staff from being obliged to travel long distances.

Providing an NHS Number

When registering it is important that You provide your NHS number. This number is used to locate your medical record. Without this number, there is a high chance the practice will experience delays in receiving your medical record, and it can even be lost.

For patients registering from outside of England, your medical record will not be electronically transferred. If You are from Scotland, Wales or Northern Ireland and provide your NHS number, We will be able to receive a physical copy of your medical record, which can be manually summarised into an electronic record.

You can find your NHS number using the following NHS service: https://www.nhs.uk/nhs-services/online-services/find-nhs-number/

Patient Demographic Service (PDS)

Your NHS number is accessed through an NHS Digital service called the Personal Demographic Service (PDS). Basic information such as your name, address and date of birth is sent to the PDS in order to find your NHS number. Once retrieved from the PDS, the NHS number is stored to enable your registration to be matched to your NHS records. This data is retained in line with our record retention policies and in accordance with the Data Protection Act 1998, Government record retention regulations and best practice.

You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care, but will result in your registration needing to be done manually by the practice without the use of third party processing. Your NHS number will still be used by the practice.

If you wish to opt-out from the use of your NHS number by the third party to process your registration to the practice, you can contact us.

Your first GP

If this is your first GP and You do NOT have an NHS number, You will be asked to provide one of the following documents as evidence of your identity. It is not mandatory to provide these to be registered:

  • Passport
  • UK Driving Licence
  • Home Office Card with Photo
  • Birth Certificate (in English) for children under 16 years old.
  • For children under 6 years old, please bring Red Book or Immunisation Record.

We are a Safer Surgery. This means that We are committed to providing equal access to our services for everyone in our practice area, regardless of their immigration status. This is in line with our duties under NHS England guidelines for GP registration and informed by our knowledge of the barriers to healthcare faced by migrants in vulnerable circumstances.

Registration Refusal

To protect the wellbeing of our practice staff, We will not register patients who have in the past breached the Zero Tolerance Policy and as a result been removed from the Practice Register. You can find our Zero Tolerance Policy on our website.

Third Parties

We use a third party to process your registration quickly, and to ensure We have the greatest chance of locating your medical record. Accordingly, we’ve asked Healthtech-1 to process your personal and sensitive data with the purpose of improving your registration experience in both speed and accuracy. We are the Data Controller, and Healthtech-1 is the Data Processor.

This means that We (the practice) instruct the Data Processor on what data is processed and how this will be done. This role is undertaken in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

For all requests regarding the control of your data, please contact the GP practice.

The purposes of the processing

To deliver GP practice services that are required by law. We’ve instructed the Data Processor to process your data to enable the online registration process to be completed. As a Controller, We need to collect this information to safely register You as a patient, and receive electronic copies of your GP notes from your previous practice.

The lawful basis for the processing

Providing services for:

  • the provision of health care or treatment
  • the management of health care systems or services or social care systems or services

The lawful basis lies within Article 6 of the UK GDPR:

6(1)(e) Public task: the processing is necessary for You to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

The lawful basis of processing special category data lies within Article 9 of the UK GDPR:

9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Here’s a helpful document provided by the ICO.

Additionally in Data Protection Act 2018 (Schedule 10, 8. Medical Purposes (1,b)):

Medical purposes:

8(1) The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

In this paragraph, “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

The legitimate interests for the processing

The provision of healthcare or treatment and the management of health or social care systems and services.

The categories of personal data obtained

A summary of the data is provided here, but please see all data fields collected listed in the appendix below.

Personal data: name, address, date of birth, contact information e.g. telephone number.

Special category data: ethnicity, gender identity

The recipients or categories of recipients of the personal data

We use other organisations to either store personal information or use it to help deliver our services to you:

  • The provider of the automated patient registration service, the Data Processor.
  • The Integrated Care Boards (ICBs) who fund the service and the Department of Health (including Public Health England) can receive anonymised data only. These reports include anonymised data and therefore do not include identifiable personal data such as: your name, date of birth, contact details, or full address.

We the controller (the GP practice) and the Data Processor have an agreement in place to make sure that the organisations that your data is shared with comply with data protection law.

Sometimes there is a legal duty to provide personal information to other organisations.

There may also be occasions that your personal information is shared, when We or the Data Processor consider/believe that there is a good reason to do so, which is more important than protecting your privacy. This doesn’t happen often, but in these circumstances your information may be shared:

  • to find and stop crime and fraud,
  • if there are serious risks to the public, our staff or to other professionals,
  • to protect a child,
  • to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.

For all these reasons, the risk must be serious before We can override your right to privacy.

If in providing this service the practice, or the Data Processor are worried about your physical safety or feel they need to take action to protect You from being harmed in other ways, they will discuss this with You and, if possible, get your permission to tell others about your situation before doing so.

The Data Processor may still share your information if they believe the risk to others is serious enough to do so.

If this is the case, the Data Processor will make sure that a record is kept of what information is shared and the reasons for doing so. We will let You know what We have done and why, if We think it is safe to do so.

The details of transfers of your personal data to any third countries or international organisations

The majority of your personal data is stored on secure servers in the UK only. However, limited personal data is processed outside of the UK (in the EU and US) in order to communicate with You via text message and email. This international transfer of data is compliant with UK GDPR (Appendix B).

The retention periods for the personal data

In line with national clinical guidelines (page 54), your online registration record (registration form) will be retained by the practice for a minimum of 6 years after the last recorded entry. As standard, your online registration form will be kept for 10 years, e.g. if your last data entry was 1 January 2018, your personal information will be automatically deleted from the form on 1 January 2028.

If You are aged 16 or 17 years old, your online registration form will be retained for 10 years after your 18th birthday. For example, if your last data entry is 1 January 2018 and your 18th birthday is 1 February 2018, then your data will be deleted on 1 February 2028. After that point, your personal identifying information (e.g. name, house number, street name, telephone number and email) will be removed from your registration form only to provide an anonymised data set for statistical and research purposes only.

The Data Processor will only hold your personal information for as long as it is necessary to fulfil their legal duties or business purposes. If You register at another GP practice using the same Data Processor, the 10 year period will be refreshed. This is based on national guidance. You can still register without agreeing to these terms, by visiting the GP practice and completing a paper registration form. We can ask the Data Processor to delete your personal data at any time, and the Data Processor will do this automatically if We cease to use their services.

The rights available to individuals in respect of the processing

The law gives You a number of rights in relation to what personal information We use. These rights are listed below.

After confirming your identity, You can ask Us to:

  • provide You with a copy of the personal information that We hold about You (Subject Access Request) within 1 month free of charge with
  • correct personal information about You which You think is inaccurate
  • delete personal information about You if You think We should no longer be using it
  • stop using your personal information if You think it is wrong, until it is corrected
  • transfer your personal information to another provider in a commonly used format
  • review automated decision-making processes that have been used to make decisions about you.

The right to withdraw consent and the right to erasure do not apply due to the nature of the services being provided and the basis in law for processing this data. We, as the controller of your data, will consider requests to remove personal identifying information from your record. Your rights may be exercised via the Data Processor.

The source of the personal data

The personal data provided by You when completing an online registration form, in the first instance is held by the Data Processor. If You subsequently contact Us via reception or the phone to register as a patient, We will inform the Data Processor of that attendance so that they can be sure that You have not been lost to care. No further details will be shared with the “Data Processor”. If You communicate with the Data Processor directly they will record the advice and support that they have provided to You.

The details of automated decision-making, including profiling

The Data Processor uses automated decision-making to verify your identity, and your address to broker out of catchment area registrations. Automated decision-making, based on national clinical guidelines is also used to determine whether the online service is clinically appropriate for your individual circumstances. If the automated decision-making process determines that You are unsuitable for the automated patient registration (e.g. a child registering without a person of parental responsibility registered at the practice), You can visit the practice to complete your patient registration.

No profiling is undertaken, and We have no plans to do so. Profiling would only ever be used to help Us to fulfil our duties under the Equality Act 2010 in advancing equality of opportunity between people who share a protected characteristic and people who do not share it.

Abandonment recovery on the online registration form

The online registration form allows us to follow up with you if you begin filling it out but do not complete it. You accept that by starting the registration form you consent to the information you enter being used for abandonment recovery communications. These communications are seen as ‘Service Messages’ as per the Privacy and Electronic Communications Regulation.

When you pass the ‘Your Details’ part of the online registration form, we retain the name, email and mobile phone number you enter, even if you do not go on to complete the form. This is so that, if you partially complete a form and then abandon it, we may use the contact information you provided to send you an email or text informing you how to finish the form.

We use this information solely for the purpose of following up with you regarding the incomplete form and providing you with assistance. We do not use this information for any other purpose.

Your name, email and mobile phone number will be processed by Healthtech-1’s email and text messaging sub-processors, Customer.io and FireText (see Appendix B).

Any information entered to the form up to the point of abandonment is stored securely in the same UK data centre (Microsoft) as submitted registration forms. It will be deleted after 30 days if you do not recover and submit the registration form.

The right to lodge a complaint with a supervisory authority

For independent advice about data protection, privacy and data sharing issues, You can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office

Wycliffe House, Water Lane

Wilmslow, Cheshire

SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if You prefer to use a national rate number.

Alternatively, visit http://www.ico.org.uk or email casework@ico.org.uk.

Appendix A

List of variables and the questions on the form.

Variable Stored | Questions
catchmentPostcode | First let's check We serve your address. What's the patient's postcode?
title | Your title
firstName | Your first name
middleName | Your middle name(s)
lastName | Your last name
email | Your email address
hasMobileNumber | n/a
mobileNumber | Your mobile number
hasHomeNumber | n/a
homeNumber | Your home number
registrationFor | Who are you registering for?
registrationReason | Why are you registering today?
representativeTitle | What's your title?
representativeFirstName | What's your first name?
representativeLastName | What's your last name?
representativeGender |
representativeEmail | What's your email address?
representativeContactNumber | What's your contact number?
representativeRelationship | What's your relationship to the patient?
nhsNumber | What's your English NHS number?
gender | How would you describe your gender identity?
isSameSexAtBirth | Is your gender identity the same as the sex you were registered at birth?
sexualOrientation | What's your sexual orientation?
religion | Your religion?
dateOfBirth | What's your date of birth?
ethnicity | What's your ethnicity?
comingBackFromLivingAbroad | Are you coming back from living abroad?
lastLeaveUk | When did you leave the UK?
lastReturnUk | When did you return to the UK?
ukBorn | Were you born in England?
birthCountry | Where were you born?
firstLiveUk | When did you first come to live in England?
needsInterpreter | Do you need an interpreter?
interpreterLanguage | Which language do you need translation for?
isArmedForces | Have you been registered with an Armed Forces GP before?
armedForcesRole | What were you registered as?
enlistmentDate | What is your enlistment date?
attendsEducationalInstitution | Do you attend an educational institution?
educationalInstitutionType | What kind of institution is it?
educationalInstitution | What's the name of it?
hasSiblingWithSameDateOfBirth | Is the child one of multiple siblings with the same date of birth?
isFostered | Is the patient a fostered child?
hasSocialWorker | Do they have a social worker?
socialWorkerName | What is the social worker's full name?
socialWorkerContactNumber | The social worker's contact number
socialWorkerEmail | The social worker's email address
roomNumber | Please type the postcode of your address
addressLine1 | Please type the postcode of your address
addressLine2 | Please type the postcode of your address
addressLine3 | Please type the postcode of your address
postTown | Please type the postcode of your address
county | Please type the postcode of your address
dependantLocality | Please type the postcode of your address
ward | Please type the postcode of your address
postcode | Please type the postcode of your address
livesInCareOrNursingHome | Do you live in a residential care home or a nursing home?
summaryCareRecordConsent | Would you like to share a summary of your GP care record (SCR) with authorised care professionals? For example, NHS 111, 999 and Accident & Emergency departments.
childRegWithoutPersonOfParentalResponsibility | n/a
livesWithpersonOfParentalResponsibility | Does the child also live with the person with parental responsibility?
personOfParentalResponsibilityTitle | What's their title?
personOfParentalResponsibilityFirstName | What's their first name?
personOfParentalResponsibilityLastName | What's their last name?
personOfParentalResponsibilityGender | What's their gender?
personOfParentalResponsibilityDateOfBirth | What's their date of birth?
personOfParentalResponsibilityContactNumber | What's their contact number?
personOfParentalResponsibilityEmail | What's their email address?
personOfParentalResponsibilityRelationship | What's their relationship to the child?
personOfParentalResponsibilityIsPatientAlready | Is the person with parental responsibility already registered at {gpCode}?
personOfParentalResponsibilityRoomNumber | What's the postcode of the person with parental responsibility's address?
personOfParentalResponsibilityAddressLine1 | What's the postcode of the person with parental responsibility's address?
personOfParentalResponsibilityAddressLine2 | What's the postcode of the person with parental responsibility's address?
personOfParentalResponsibilityAddressLine3 | What's the postcode of the person with parental responsibility's address?
personOfParentalResponsibilityDependantLocality | What's the postcode of the person with parental responsibility's address?
personOfParentalResponsibilityWard | What's the postcode of the person with parental responsibility's address?
personOfParentalResponsibilityPostTown | What's the postcode of the person with parental responsibility's address?
personOfParentalResponsibilityCounty | What's the postcode of the person with parental responsibility's address?
personOfParentalResponsibilityPostcode | What's the postcode of the person with parental responsibility's address?
emergencyContactTitle | The next of kin's title
emergencyContactFirstName | The next of kin's first name
emergencyContactLastName | The next of kin's last name
emergencyContactGender | Their gender
emergencyContactEmail | Their email address
emergencyContactContactNumber | Their contact number
emergencyContactRelationship | What's the next of kin's relationship to you?
emergencyContactStartedPermissionOfCare | When did permission of care start?
emergencyContactLivesWithPatient | Do they live with you?
emergencyContactCanDiscussMedicalRecords | In the case of an emergency, can We discuss your medical record with them?
emergencyContactIsCarer | Are they your carer?
emergencyContactIsPatientAlready | Are they a patient with us already?
hasHadPreviousNames | Have you had other first or last names in the past?
previousFirstNames | Previous first name(s):
previousLastNames | Previous last name(s):
hasMoved | Have you lived at an address in the UK that is different to your current address?
previousAddressLine1 | Please type the postcode of your previous address:
previousAddressLine2 | Please type the postcode of your previous address:
previousAddressLine3 | Please type the postcode of your previous address:
previousCounty | Please type the postcode of your previous address:
previousDependantLocality | Please type the postcode of your previous address:
previousWard | Please type the postcode of your previous address:
previousPostTown | Please type the postcode of your previous address:
previousPostcode | Please type the postcode of your previous address:
isFirstGp | Have you ever had a GP in England before?
previousGpCode | Who was your previous GP practice?
previousGpName | Who was your previous GP practice?
keepPharmacy | Would you like to keep your current pharmacy?
preferredContactMethod | What's the best way to contact you when it comes to your medical circumstances?
contactConsent | Can We contact you about updates at the practice?
satisfaction | How happy are you with this registration process?
satisfactionFeedback | Why did you give that score?
has_repeatMedications | Does the patient have any repeat prescription medication?
repeatMedications | Does the patient have any repeat prescription medication?
longTermConditions | Does the patient have any of the following long term conditions?
wantsBBVScreening | Would the patient like a blood borne virus screening test?
hasDisabilities | Do you have any disabilities?
disabilityDescription | Please provide more details about your disabilities
weightKg | How tall are you in centimetres?
heightCm | How much do you weigh in kilograms?
hasAllergies | Do you have any allergies?
allergies | What's the allergy? / How does this allergy affect you?
exerciseFrequency | How much exercise do you do?
smokingStatus | What's your smoking status?
dailySmokingFrequency | How many cigarettes did you or the patient smoke per day? An estimate is fine
wantsSmokingAdvice | Would you like free smoking advice and support?
alcoholStatus | Do you drink alcohol?
alcoholOverGuidelineFrequency | In the last year, how often have you had 8 (for men) / 6 (for women) or more units of alcohol on a single occasion?
alcoholFailedToActNormally | In the last year, how often have you failed to do what was normally expected of you because of drinking?
alcoholLostMemory | In the last year, how often have you forgotten what happened because you had been drinking?
alcoholConcernFromOthers | In the last year, has a relative, friend, doctor or other health worker been concerned about your drinking or suggested that you cut down?
offeredHIVTest | Would the patient like to be tested for HIV?
wantsHIVTest | Would the patient like to be tested for HIV?
wantsChlamydiaTest | Would the patient like to be tested for Chlamydia?
medicalSatisfaction | Are you happy with this medical survey?
ppgConsent | Would you like to be part of our Patient Participation Group?

Appendix B

Full list of data points collected and stored by sub-processors outside of the UK. A full sub-processor list can be made available on request.

These data points are used to send personalised messaging (text and email) to patients. Examples include but are not limited to:

1) sending a confirmation of form receipt email

2) sending welcome emails with their new GP’s details

3) asking for more documentation because We are their first GP

4) suggesting that patients fill in the medical form

5) telling parents about their child’s registration

6) fulfilling patient requests, e.g. with wantsSmokingAdvice, We send them a link to a local smoking cessation advice resource

European (Belgian) Subprocessor - Customer.io to send E-mails to patients:

  • id (identifier allocated by Healthtech-1)
  • gpCode
  • gpName
  • namedGp
  • gpWebsite
  • gpEmail
  • gpAppointmentsUrl
  • createdAt
  • firstName
  • lastName
  • hasMobileNumber
  • mobileNumber
  • email
  • registrationFor
  • dateOfBirth
  • isFirstGp
  • registrationReason
  • satisfaction
  • medicalSatisfaction
  • contactConsent
  • wantsSmokingAdvice
  • person of parental responsibilityRelationship
  • person of parental responsibilityTitle
  • person of parental responsibilityFirstName
  • person of parental responsibilityLastName
  • person of parental responsibilityDateOfBirth
  • person of parental responsibilityContactNumber
  • person of parental responsibilityEmail
  • withinPracticeCatchment
  • armedForcesRole
  • isCarer

These data / meta-data points in Customer.io are internal only, and help us understand where a patient is in their registration journey.

  • updatedAt
  • registrationType
  • registrationModifiers
  • internalStatus
  • lastCompletePage
  • internalStatusMedicalForm
  • lastCompleteMedicalPage

UK Subprocessor - FireText to send Texts to patients:

  • First name
  • Mobile number
  • GP Practice
  • Usual GP

US Subprocessor - Postmark to send Emails to GP practices:

  • Patient last name
  • Patient DOB
  • Patient Title
  • Passover to practice reason - no sensitive information included