GDPR privacy notice
GDPR Privacy Notice 2026
Your information, what you need to know
This privacy notice explains why we collect information about you, how that information may be used, and how we keep it safe and confidential.
Why we collect information about you
Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation.
These records help ensure you receive the best possible healthcare.
We collect and hold data for the purpose of providing healthcare services to our patients and managing the health of the population we serve.
Information may be held in written and/or digital form and may include basic details such as your name, address, date of birth, NHS number, and contact details, as well as more sensitive information about your health.
Details we collect about you
Your GP record may include:
Personal details (name, address, date of birth, NHS number, next of kin)
Records of contacts with the practice (appointments, consultations, home visits)
Medical history and clinical notes
Test results and investigation reports (e.g. blood tests, imaging)
Medication history and allergies
Care plans and treatment records
Information from other health professionals or organisations involved in your care
Relevant information from relatives or carers where appropriate
How we use your information
Your information is used to:
Provide safe and effective care and treatment
Coordinate your care with other healthcare providers
Manage and plan health services
Support public health monitoring
Train healthcare professionals
Conduct clinical audit and quality improvement
Support approved research (with appropriate safeguards)
Legal basis for processing
We process your personal data in accordance with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Common Law Duty of Confidentiality
Health and Social Care Act 2012
NHS Act 2006
Human Rights Act 1998
For your direct care, the legal bases are:
Article 6(1)(e) — public task
Article 9(2)(h) — provision of health or social care
Confidentiality and security
Everyone working for the NHS is subject to strict confidentiality rules.
Your information is:
Stored securely (electronically and/or on paper)
Accessible only to authorised staff
Protected by technical and organisational security measures
Backed up in line with NHS standards
Used only for legitimate healthcare purposes
All staff receive regular information governance training.
Use of digital systems and data processors
We use approved NHS IT systems and external suppliers (data processors) to support our services. These organisations are contractually required to protect your information and comply with UK data protection law.
Use of clinical software and digital communication tools
PATCHS
We use PATCHS as our secure online consultation and patient request system. This allows patients to contact the practice digitally for medical queries, administrative requests, and appointment-related matters.
PATCHS may be used to:
Submit medical or administrative requests
Provide information about symptoms or concerns
Upload documents or photographs where appropriate
Request appointments or prescriptions
Communicate securely with the practice
Information submitted through PATCHS becomes part of your medical record where relevant and is accessible to authorised practice staff involved in your care.
PATCHS is an approved NHS supplier and operates under strict data protection and security standards. Information is transmitted securely and stored in accordance with NHS information governance requirements.
PATCHS may use automated processes to help route requests to the appropriate service or clinician. However, all clinical decisions are made by qualified healthcare professionals.
Accurx (including Accurx Scribe)
We use Accurx to communicate with patients by SMS, email, and online forms, and to support clinical documentation.
Accurx Scribe may use speech recognition technology to convert consultations into written notes. These notes are checked and approved by clinicians before being added to your medical record.
Accurx processes data on behalf of the practice under strict NHS information governance standards.
Abtrace
We use Abtrace software to support clinical decision-making and management of long-term conditions. It analyses information already held in your GP record to help clinicians identify patients who may benefit from reviews or interventions.
Abtrace does not make decisions about your care independently — clinicians remain responsible for all decisions.
Anima (Document Management Only)
We use Anima as a secure digital system to support the management of documents and administrative workflows within the practice.
Anima is used to:
Receive and manage incoming documents (e.g. letters, forms, reports)
Organise and route documents to appropriate staff
Support administrative processing of patient information
Maintain secure digital records
We do not use Anima to make clinical decisions or to triage patients.
Any information processed through Anima is handled securely and forms part of your medical record where relevant. All clinical decisions remain the responsibility of qualified healthcare professionals.
Anima operates under strict NHS data protection and security requirements, and only authorised staff have access to the information necessary to perform their duties.
Sharing your information for direct care
To provide you with safe care, we may share relevant information with organisations involved in your treatment, including:
NHS hospitals and community services
Other GP practices
Primary Care Networks (PCNs)
Integrated Care Boards (ICBs)
Pharmacies, opticians, dentists
Ambulance services
Social care services
Information is shared on a need-to-know basis.
Summary Care Record (SCR)
The NHS uses the Summary Care Record to provide healthcare staff with essential information in emergencies or when you receive care away from your GP practice.
Core SCR information includes:
Current medications
Allergies
Adverse reactions
Additional information may be included with your consent.
You can opt out of having an SCR — please contact the practice for details.
Local care records and shared systems
Information from your GP record may be available to authorised professionals through local shared care systems to support urgent or out-of-hours treatment.
Your patient record is held securely and confidentially on our electronic system. If you require attention from a health professional such as an Emergency Department, Minor Injury Unit or Out Of Hours location, Greenwood Primary Care Network and those treating you are better able to give appropriate care if some of the information from your GP patient record is available to them. This information can be locally shared electronically via My Care Record.
In all cases, information is only used by authorised health and social care professionals involved in your direct care. Your permission will be asked before the information is accessed, unless the health and social care user is unable to ask you and there is a clinical reason for access, which will then be logged.
Access is logged and monitored.
National Data Opt-Out
The NHS uses patient information for planning and research purposes.
You can choose not to have your confidential information used for purposes beyond your individual care by registering a National Data Opt-Out.
This does not affect your care.
You can set your preference online or via NHS services.
Clinical audit, service planning and public health
Your information may be used to:
Monitor the quality of services
Improve patient care
Plan NHS services
Support public health activities
Where possible, information is anonymised.
Research
The practice supports ethically approved health research that aims to improve healthcare, treatments, and patient outcomes.
From time to time, we may be asked to assist with research studies by identifying patients who may be eligible to take part.
Research study mail-outs
We may contact you by letter, SMS, email, or other approved communication methods to invite you to participate in a research study.
This will only occur where:
The study has received appropriate ethical approval
The study has been reviewed and approved through NHS research governance processes
The research is relevant to general practice or patient care
Contact is permitted under data protection law
In most cases, the practice sends invitations directly on behalf of the research team so that your identifiable information is not shared outside the practice unless you choose to respond.
How your information is used
To identify eligible patients, authorised staff within the practice may search GP records using criteria provided by the research study (for example age range, diagnosis, or medication).
Only the minimum necessary information is used for this purpose.
Researchers will not normally see your identifiable information unless:
You respond to the invitation, OR
You give consent to be contacted directly, OR
There is specific legal approval (e.g. Section 251 of the NHS Act 2006)
Your choice to participate
Participation in research is entirely voluntary.
Choosing not to take part will not affect your care in any way
You can ignore the invitation if you are not interested
If you agree to participate, the research team will explain how your data will be used and ask for your consent
Sharing of information
Your identifiable information will only be shared with the research team if:
You give explicit consent, OR
There is a lawful basis approved under NHS regulations
Where possible, anonymised or pseudonymised data is used.
Opting out of research contact
If you do not wish to be contacted about research opportunities, please inform the practice. We can record your preference so that you are not contacted for research mail-outs in the future.
You can change your preference at any time.
National data use and research
Separately from practice-initiated contact, the NHS may use anonymised or pseudonymised information for research, planning, or public health purposes.
You can opt out of your confidential patient information being used for research beyond your individual care by registering a National Data Opt-Out.
Protection of your privacy
All research activity supported by the practice complies with:
UK data protection law
NHS research governance frameworks
Ethical approval requirements
Confidentiality standards
We will not disclose identifiable information to researchers without an appropriate legal basis.
Safeguarding
Information may be shared without consent where necessary to protect:
Children
Vulnerable adults
Public safety
Retention of records
We manage records in accordance with the NHS Records Management Code of Practice.
Health records are usually kept for many years or for the patient’s lifetime to ensure safe ongoing care.
Your rights
Under UK GDPR you have the right to:
Access your personal data (Subject Access Request)
Request correction of inaccurate information
Request restriction of processing
Object to certain uses of your data
Lodge a complaint
Some rights may be limited where information is required for healthcare provision.
Accessing your records
You can request a copy of your GP record.
Requests should be made in writing to the practice.
Identification may be required.
Keeping your information up to date
Please inform us if your personal details change (e.g. address, phone number, email).
You can also do this via the NHS app.
Contact methods
If you provide your mobile number or email address, we may use these to send:
Appointment reminders
Health screening invitations
Important service information
You can opt out of these communications at any time.
Who we share information with
Subject to strict controls, we may share information with:
NHS organisations
Integrated Care Boards
Primary Care Networks
Social care providers
Local authorities
Approved private or voluntary providers delivering NHS services
Regulatory bodies where required
Other “data processors”
We will not share your information outside healthcare purposes without your consent unless required by law.
National Registries
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Cabinet Office
The use of data by the Cabinet Office for data matching is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
Data matching by the Cabinet Office is subject to a Code of Practice.
Information on the Cabinet Office’s legal powers and the reasons why it matches particular information is available at: https://www.gov.uk/government/publications/code-of-data-matching-practice-for-nationalfraud-initiative
Risk Stratification
Risk Stratification is a process for identifying and managing patients who are most likely to need hospital or other healthcare services. Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice.
Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for risk stratification purposes. Further information is available from the following link:
https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
If you do not wish information about you to be included in the risk stratification programme, please let us know. We can add a code to your records that will stop your information from being used for this purpose.
Individual Funding Request
An ‘Individual Funding Request’ is a request made on your behalf, with your consent, by a clinician, for funding of specialised healthcare which falls outside the range of services and treatments that the CCG has agreed to commission for the local population. An Individual Funding Request is taken under consideration when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental and where there are no other similar patients who would benefit from this treatment. A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.
Invoice Validation
Invoice validation is an important process. It involves using your NHS number to check the CCG that is responsible for paying for your treatment. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.
Data Controller
The GP Practice is the Data Controller responsible for your information.
Birkby Health Centre is registered with the Information Commissioner’s Office (ICO) to describe the purposes for which it processes personal and sensitive information.
We are a registered Data Controller and our registration can be viewed online in the public register at: http://ico.org.uk/what_we_cover/register_of_data_controllers
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential, is:
Afeera Aleem (Clinical manager)
Contact the Practice Manager for queries regarding data protection.
Clinical Safety and Clinical Safety Officer
We use digital systems and software to support the safe delivery of healthcare. To ensure these systems do not introduce risks to patient safety, the practice complies with NHS Clinical Risk Management Standards (DCB0129 and DCB0160).
The practice has a designated Clinical Safety Officer (CSO) — a suitably qualified healthcare professional responsible for overseeing the safe use of clinical information systems and digital tools within the practice.
The Clinical Safety Officer:
Provides clinical oversight of digital systems used in patient care
Assesses and manages clinical risks associated with health IT systems
Ensures systems are used safely and appropriately by staff
Reviews incidents or safety concerns related to digital systems
Works with system suppliers to maintain safe operation
Supports compliance with national NHS safety standards
All software used by the practice, including clinical systems and administrative tools, is assessed to ensure it meets appropriate safety, security, and governance requirements.
If new digital systems are introduced, they undergo safety review before being used in clinical practice.
Complaints and independent advice
If you are unhappy with how your information is handled, please contact the practice first.
You can also contact the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Further information
More information about how the NHS uses your data can be found on the NHS England website.
Review of this notice
This privacy notice is reviewed regularly to ensure it reflects current law, NHS guidance, and practice systems. Last reviewed: March 2026
Page created: 17 March 2026