Privacy Notice

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this privacy notice (‘Privacy Notice') carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

How we use your personal information

This privacy notice explains why the practice collects information about patients, members of staff and visitors to the practice, known as Data Subjects and how we use your information.

So that we can provide you with the best possible service, a variety of information is collected about you from a range of sources, such as your local NHS hospitals. This information is used to support your healthcare. Under the UK General Data Protection Regulation (UK GDPR) information about your physical and mental health, racial or ethnic origin and religious belief are considered as special category (sometimes known as sensitive) personal information and is subject to strict laws governing its use. This page explains why the Practice collects personal information about you, the ways in which such information may be used, and your rights under the UK General Data Protection Regulation. The Practice is legally responsible for ensuring its processing of personal information is in compliance with the general data protection regulation. The practice becomes what is known as the data controller, which simply means that we are responsible for maintaining the security and confidentiality of the personal information that you provide us with.

Security of Information

Confidentiality affects everyone: Springfield Surgery collect's, stores and uses large amounts of personal and sensitive personal data every day, such as medical records, personnel records and computerised information. This data is used by many people in the course of their work.

We take our duty to protect personal information and confidentiality very seriously and we are committed to comply with all relevant legislation and to take all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

The partners have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.


Legal Basis for processing your information

Under UK GDPR the Practice are mandated to identify a legal basis to process your personal information.  

Special Category data (Sensitive Data including Health Records)

Explicit consent
Employment, social security and social protection (if authorised by law)
Vital interests – Life and Death
Made public by the data subject
Legal claims or judicial acts
Reasons of substantial public interest (with a basis in law)
Health or social care (with a basis in law)
Public health (with a basis in law)


For personal data


Consent: the individual has given clear consent to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: Life & Death
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.


Why do we collect information about you

All clinicians and health and social care professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:

Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
Contact we have had with you such as appointments or clinic visits.
Notes and reports about your health, treatment and care – A&E visits, in patient spells or clinic appointments
Details of diagnosis and treatment given
Information about any allergies or health conditions.
Results of x-rays, scans and laboratory tests.
Relevant information from people who care for you and know you well such as health care professionals and relatives.
For visitors to the practice basic information such as name and vehicle registration number

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes to your contact details. This minimises the risk of you not receiving important correspondence.

By providing the Practice with their contact details, patients are agreeing to the Practice using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).

How your personal information is used

In general, your records are used to direct, manage, and deliver the care you receive to ensure that:

The doctors, nurses and other health or social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
Health or social care professionals have the information they need to be able to assess and improve the quality and type of care you receive.
Your concerns can be properly investigated if a complaint is raised.
Appropriate information is available if you see another clinician or are referred to a specialist or another part of the NHS or social care.
We may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.


Risk Stratification

Risk stratification involves applying computer searches to your medical records  from a number of sources, including NHS trusts and GP practices, to identify those patients who are most at risk of certain medical conditions, such as heart disease, and who will benefit from clinical care to help prevent or better treat their condition.  It's a process for identifying and managing patients who are most likely to need hospital or other healthcare services, so that such patients can receive additional care/support from their GP or care team as early as possible. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick.

Section 251 of the NHS Act 2006 provides a statutory legal basis to process personal health related data for risk stratification purposes.

Please be reassured that any information which identifies you - resulting from the aforementioned computer searches - will only be seen by this Practice.

If you do not wish information about you to be included in the risk stratification programme, please let us know. We can add a code to your health care record that will stop your information from being used for this purpose. 


The NHS care record guarantee

The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from:


The Records Management Code of Practice

This Records Management Code of Practice for Health and Social Care 2020 is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to NHS organisations in England. This also includes public health functions in Local Authorities and Adult Social Care where there is joint care provided within the NHS.

The Code is based on current legal requirements and professional best practice.


How long are records retained

All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.

The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.

When do we share information about you

We share information about you with others directly involved in your care; and share more limited information for indirect care purposes, both of which are described below.

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.


Direct Care Purposes

NHS Trusts and hospitals that are involved in your care.
NHS Digital and other NHS bodies.
Other General Practitioners (GPs) or Primary Care Networks (which are groups of GP Practices).
Ambulance Services.
Clinical Commissioning Groups (CCG)

You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

Social Care Services.
Education Services.
Local Authorities.
Voluntary and private sector providers working with or for the NHS. Such as Dentists, Pharmacies. Opticians & care homes

Indirect Care Purposes:

We also use information we hold about you to:

Review the care we provide to ensure it is of the highest standard and quality
Ensure our services can meet patient needs in the future
Investigate patient queries, complaints and legal claims
Ensure the hospital receives payment for the care you receive
Prepare statistics regarding NHS performance
Audit NHS accounts and services
Undertake heath research and development (with your consent – you may choose whether or not to be involved)
Help train and educate healthcare professionals
Health and social care policy, planning and commissioning purposes
GP Federations
Public health purposes, including COVID-19


Refusing or withdrawing consent

The possible consequences of refusing consent will be fully explained to the patient at the time and could include delays in receiving care.
In those instances where the legal basis for sharing of confidential personal information relies on the patient's explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.
In instances where the legal basis for sharing information relies on a statutory duty/power, such as disclosures of notifiable diseases the patient cannot refuse or withdraw consent for the disclosure.

Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital's websites:

National Data Opt Out

“How the NHS and care services use your information”

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

improving the quality and standards of care provided
research into the development of new treatments
preventing illness and diseases
monitoring safety
planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn't needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will:

See what is meant by confidential patient information
Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
Find out more about the benefits of sharing data
Understand more about who uses the data
Find out how your data is protected
Be able to access the system to view, set or change your opt-out setting
Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you're experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards. 


OpenSAFELY COVID-19 Service

The NHS England OpenSAFELY COVID-19 Service is a secure, transparent, open-source software platform for analysis of electronic health data. The system provides access to de-identified (pseudonymised) personal data to support Approved Users (academics, analysts, and data scientists) to undertake approved projects for COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.

The purposes for processing are to identify medical conditions and medications that affect the risk or impact of COVID-19 infection on individuals; this will assist with identifying risk factors associated with poor patient outcomes as well as information to monitor and predict demand on health services.

Further information can be found here:

Data Subject Rights

Under the UK General Data Protection Regulation (UK GDPR)

A right to confirmation that their personal data is being processed and access to a copy of that data which in most cases will be Free of Charge and will be available within 1 month (which can be extended to two months in some circumstances)
Who that data has or will be disclosed to.
The period of time the data will be stored for
A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed.
Data Portability – data provided electronically in a commonly used format
The right to be forgotten and erasure of data does not apply to an individual's health record or for public health purposes
The right to lodge a complaint with a supervising authority


Your right to object

You have the right to restrict how and with whom we share information in your records that identifies you. If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.

Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.

SMS Text messaging

When attending the Practice for an appointment or a procedure you may be asked to confirm that the Practice has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.


How you can access your health records

The UK GDPR gives you a right to access the information we hold about you on our records. Requests must be made in writing to the Practice. The Practice will provide your information to you within one month (this can be extended dependent on the complexity of the request) from receipt of your application.

Data Controller

The Data Controller responsible for keeping your information confidential is:

Springfield Surgery

Data Protection Officer (DPO)

The appointed DPO is Daljeet Sharry-Khan

Scorex House, 1 Bradford Road, Bradford, BD1 4AS

Raising a concern

Patients who have a concern about any aspect of their care or treatment at the Practice or about the way their records have been managed, should contact the Practice Manager.

If you have any concerns about how we handle your information you have a right to complain to the Information Commissioners Office about it.

UK GDPR requires organisations to lodge a notification with the Information Commissioner to describe the purposes for which they process personal information. These details are publicly available from: 

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, SK9 5AF
Telephone: 0303 123 1113  Website:


 Reviewed 10.10.2023