“We”, “Us”, “Data Controller” are your GP practice

“You” refers to the patient

“Third party” or “Data Processor” is Healthtech-1

To receive healthcare from the NHS You must complete a New Patient Registration Form, this can be done online or in person at the practice. So that we can provide you with the best care, we ask for more information than required to register you as a patient. In order to support the timely and accurate processing of your online Patient Registration Form we use third parties to process your data.

We are at liberty to choose whether to register patients inside and outside of our practice boundary. If We choose to register patients outside of our practice boundary area, those patients will have a restricted set of services. For example, we will not provide home visits. This is to prevent our staff from being obliged to travel long distances.

When registering it is important that You provide your NHS number. This number is used to locate your medical record. Without this number, there is a high chance the practice will experience delays in receiving your medical record, and it can even be lost.

For patients registering from outside of England, your medical record will not be electronically transferred. If You are from Scotland, Wales or Northern Ireland by providing your NHS number, We will be able to receive a physical copy of your medical record, which can be manually summarised into an electronic record.

You can find your NHS number using the following NHS service: https://www.nhs.uk/nhs-services/online-services/find-nhs-number/

Your NHS number is accessed through an NHS Digital service called the Personal Demographic Service (PDS). Basic information such as your name, address and date of birth is sent to the PDS in order to find your NHS number. Once retrieved from the PDS, the NHS number is stored to enable your registration to be matched to your NHS records. This data is retained in line with our record retention policies and in accordance with the Data Protection Act 1998, Government record retention regulations and best practice.

You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care, but will result in your registration needing to be done manually by the practice without the use of third party processing. Your NHS number will still be used by the practice.

If you wish to opt-out from the use of your NHS number by the third party to process your registration to the practice, you can contact us.

If this is your first GP and You do NOT have an NHS number, You will be asked to provide evidence of your identity. One of the following documents as proof of ID. It is not mandatory to provide these to be registered:

We are a Safer Surgery. This means that We are committed to providing equal access to our services for everyone in our practice area, regardless of their immigration status. This is in line with our duties under NHS England guidelines for GP registration and informed by our knowledge of the barriers to healthcare faced by migrants in vulnerable circumstances.

To protect the wellbeing of our practice staff, We will not be registering patients that have in the past breached the Zero Tolerance Policy and as a result had been removed from the Practice Register. You can find our Zero Tolerance Policy on our website.

We use a third party to process your registration quickly, and to ensure We have the greatest chance at locating your medical record. Accordingly we’ve asked Healthtech-1, to process your personal and sensitive data with the purpose of improving your registration experience in both speed and accuracy. We are the Data Controller, and Healthtech-1 is the Data Processor.

This means that We (the practice) instruct the Data Processor on what data is processed and how this will be done. This role is undertaken in accordance with the General Data Protection Regularly (GDPR) and the Data Protection Act 2018.

For all requests regarding the control of your data, please contact the GP practice.

The purposes of the processing

To deliver GP practice services that are required by law. We’ve instructed, the Data Processor process your data to enable the online registration process to be completed. As a Controller, We need to collect this information to safely register You as a patient, and receive electronic copies of your GP notes from your previous practice.

Providing services for:

The lawful basis lies within Article 6 of the UK GDPR.:

6(1)(e) Public task: the processing is necessary for You to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

The lawful basis of processing special category data lies within Article 9 of the UK GDPR:

9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Here’s a helpful document provided by the ICO.

Additionally in Data Protection Act 2018 (Schedule 10, 8. Medical Purposes (1,b)):

Medical purposes:

8(1)The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

In this paragraph, “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

The provision of healthcare or treatment and the management of health or social care systems and services.

A summary of the data is provided here, but please see all data fields collected listed in the appendix below.

Personal data: name, address, date of birth, contact information e.g. telephone number.

Special category data: ethnicity, gender identity

We use other organisations to either store personal information or use it to help deliver our services to you:

We the controller (the GP practice) and the Data Processor have an agreement in place to make sure that the organisations that your data is shared with comply with data protection law.

Sometimes there is a legal duty to provide personal information to other organisations.

There may also be occasions that your personal information is shared, when We or the Data Processor consider/believe that there is a good reason to do so, which is more important than protecting your privacy. This doesn’t happen often, but in these circumstances your information may be shared:

For all these reasons, the risk must be serious before We can override your right to privacy.

If in providing this service the practice, or the Data Processor are worried about your physical safety or feel they need to take action to protect You from being harmed in other ways, they will discuss this with You and, if possible, get your permission to tell others about your situation before doing so.

The Data Processor may still share your information if they believe the risk to others is serious enough to do so.

If this is the case, the Data Processor will make sure that a record of what information is shared and the reasons for doing so. We will let You know what We have done and why, if We think it is safe to do so.

The majority of your personal data is stored on secure servers in the UK only. However, limited personal data is processed outside of the UK (in the EU and US) in order to communicate with You via text message and email. This international transfer of data is compliant with UK GDPR (Appendix B).

In line with national clinical guidelines (page 54), your online registration record (registration form) will be retained by the practice for a minimum of 6 years after the last recorded entry. As standard your online registration from will be kept for 10 years e.g. your last data entry was 1 January 2018, your personal information will be automatically deleted from the form on the 1 January 2028.

If You are aged 16 or 17 years old, your online registration form will be retained for 10 years after your 18th birthday. For example if your last data entry is 1 January 2018 and your 18th birthday is 1 February 2018 then your data will be deleted on 1 February 2028. After that point, your personal identifying information (e.g. name, house number, street name, telephone number and email) will be removed from your registration form only to provide an anonymised data set for statistical and research purposes only.

The Data Processor will only hold your personal information for as long as it is necessary to fulfil their legal duties or business purposes. If You register at another GP practice using the same Data Processor the 10 year period will be refreshed. This is based on national guidance. You can still register without agreeing to these terms, by visiting the GP practice and completing a paper registration form. We can ask the Data Processor to delete your personal data at any time, and the Data Processor will do this automatically if We cease to use their services.

The law gives You a number of rights in relation to what personal information We use. These rights are listed below.

After confirming your identity, You can ask Us to provide You with:

The right to withdraw consent and the right to erasure do not apply due to the nature of the services being provided and the basis in law for processing this data. We, as the controller of your data, will consider requests to remove personal identifying information from your record. Your rights may exercised via the Data Processor.

The personal data provided by You when completing an online registration form, in the first instance is held by the Data Processor. If You subsequently contact Us via reception or the phone to register as a patient, We will inform the Data Processor of that attendance so that they can be sure that You have not been lost to care. No further details will be shared with the “Data Processor”. If You communicate with the Data Processor directly they will record the advice and support that they have provided to You.

The Data Processor uses automated decision-making to verify your identity, and your address to broker out of catchment area registrations. Automated decision-making, based on national clinical guidelines is also used to determine whether the online service is clinically appropriate for your individual circumstances. If the automated decision-making process determines that You are unsuitable for the automated patient registration (e.g. a child registering without a person of parental responsibility registered at the practice), You can visit the practice to complete your patient registration.

No profiling is undertaken, and We have no plans to do so. Profiling would only ever be used to help Us to fulfil our duties under the Equality Act 2010 in advancing equality of opportunity between people who share a protected characteristic and people who do not share it.

The online registration form allows us to follow up with you if you begin filling out but do not complete it. You accept that by starting the registration form you consent to the information you enter being used for abandonment recovery communications. These communications are seen as ‘Service Messages’ as per the Privacy and Electronic Communications Regulation.

When you pass the ‘Your Details’ part of the online registration form, we retain the name, email and mobile phone number you enter, even if you do not go on to complete the form. This is so that, if you partially complete a form and then abandon it, we may use the contact information you provided to send you an email or text informing you how to finish the form.

We use this information solely for the purpose of following up with you regarding the incomplete form and providing you with assistance. We do not use this information for any other purpose.

Your name, email and mobile phone number will be processed by Healthtech-1’s email and text messaging sub-processor, Customer.io and FireText (see Appendix B).

Any information entered to the form up to the point of abandonment is stored securely in the same UK data centre (Microsoft) as submitted registration forms. It will be deleted after 30 days if you do not recover and submit the registration form.

For independent advice about data protection, privacy and data sharing issues, You can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office

Wycliffe HouseWater Lane

WilmslowCheshire

SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if Youprefer to use a national rate number.

Alternatively, visit http://www.ico.org.uk or email casework@ico.org.uk.

List of variables and the questions on the form.

Full list of data points collected and stored by sub-processors outside of the UK. A full sub-processor list can be made available on request.

These data points are used to send personalised messaging (text and email) to patients. Examples include but are not limited to:

1) sending a confirmation of form receipt email

2) sending welcome emails with their new GP’s details

3) asking for more documentation because We are their first GP

4) suggesting that patients fill in the medical form

5) telling parents about their child’s registration

6) fulfil patient requests. E.g. with wantsSmokingAdvice, We send them a link to a local smoking cessation advice resource

European (Belgian) Subprocessor - Customer.io to send E-mails to patients:

●  id (identifier allocated by Healthtech-1)

●  gpCode

●  gpName

●  namedGp

●  gpWebsite

●  gpEmail

●  gpAppointmentsUrl

●  createdAt

●  firstName

●  lastName

●  hasMobileNumber

●  mobileNumber

●  email

●  registrationFor

●  dateOfBirth

●  isFirstGp

●  registrationReason

●  satisfaction

●  medicalSatisfaction

●  contactConsent

●  wantsSmokingAdvice

●  person of parental responsibilityRelationship

●  person of parental responsibilityTitle

●  person of parental responsibilityFirstName

●  person of parental responsibilityLastName

●  person of parental responsibilityDateOfBirth

●  person of parental responsibilityContactNumber

●  person of parental responsibilityEmail

●  withinPracticeCatchment

●  armedForcesRole

●  isCarer

These data / meta-data points in customerio are internal only, and help us understand where a patient is in their registration journey.

●  updatedAt

●  registrationType

●  registrationModifiers

●  internalStatus

●  lastCompletePage

●  internalStatusMedicalForm

●  lastCompleteMedicalPage

UK Subprocessor - FireText to send Texts to patients:

●  First name

●  Mobile number

●  GP Practice

●  Usual GP

US Subprocessor Postmark to send Emails to GP practices:

●  Patient last name

●  Patient DOB

●  Patient Title

●  Passover to practice reason - no sensitive information included