Privacy Policy

Print a copy of our Privacy Policy or view the information below.

Introduction

The Data Protection Regulations in the UK include two key pieces of law:

  • The Data Protection Act 2018
  • The UK GDPR

There are other regulations in specific areas which need to be taken into account. This Privacy Notice has been written within the legislative framework as at November 2024. It will be revised as the framework and case law change. This notice was last updated November 2024.

What is this Privacy Notice about?

This Privacy Notice is part of the information to data subjects about how personal data is used. Being transparent and providing accessible information to individuals about how organisations will use their personal information is a key element of Data Protection Regulations.

This Privacy Notice is part of our programme to make the data processing activities we are carrying out in order to meet our healthcare obligations transparent.

The Privacy Notice tells you about information we collect and hold about you, the legal basis for collecting and holding the information, what we do with it, how we keep it secure (confidential), who we might share it with, and what your rights are in relation to your information.

Who we are

Bounds Green Group Practice is a large GP Surgery in the Haringey CCG area. In this group practice, every clinician and non-clinician will support you to access medical care delivered to the highest standard in a timely fashion within a clean, safe environment which is maintained to the highest standard. Every patient, carer, or family member will be treated equally without discrimination and in complete confidence.

Types of information we use

We use the following types of information/data:

Personal data and special category personal data such as:

  • demographics – name, address, date of birth, postcode, NHS number
  • racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, medical/health data, sexual life or sexual orientation data.

(Special category personal data is sometimes called sensitive personal data.)

Pseudonymised – about individuals but with identifying details (such as name or NHS number) replaced with a unique code.
Anonymised – about individuals but with identifying details removed.
Aggregated – anonymised information grouped together so that it doesn’t identify individuals.

What we use your personal data and special category personal data for

We use and share information about you in a number of ways. These include, if you are a patient:

Primary uses – information from your GP medical record which can be made available to other NHS and public sector organisations, including doctors, nurses and care professionals, in order to help them make the best informed decision, and provide you with the best possible direct care delivery.

Secondary uses – information from your GP medical record involves extracting identifiable data and (usually) sharing that data with other NHS organisations for the purpose of indirect care. Examples include using your information for research, auditing, and healthcare planning (population health management).

If you’re a member of staff, we process your data for the purposes of your employment contract, professional monitoring requirements, your health and safety, and other employment-related matters.

You have rights to object to the use of your personal data in some circumstances, particularly for secondary use. These are often called “opt-outs.” Details of the available objections are given in section 15 below.

Identity and Contact details of the Data Controller and Data Protection Officer

Practice Contact Details

Bounds Green Group Practice,
Gordon Road,
Haringey,
N11 2PF

Practice ICO Reference Number: Z5025367

Data Protection Officer

You can contact the Data Protection Officer by post at the practice address, addressed for the attention of the Data Protection Officer, or by email to:

Name: Steve Durbin
Email: dpo.ncl@nhs.net

Please quote the practice name in any communication. The Data Protection Officer service is provided across NCL practices.

Organisations we share your personal information with

We share information about you with other GPs, NHS acute or mental health Trusts, local authorities, community health providers, pharmacists, commissioning organisations, medical research organisations, and some specific non-NHS organisations for the purposes of direct care and secondary uses.

We are required under the law to provide you with the following information: how we process your personal data, the purpose of processing, recipient/categories of your personal data, the identity of our Data Protection Officer (DPO), how long we retain personal information about you, the legal basis and justification for the processing, and your right to view, request access copies of your personal information, or object to the processing.

Included below is a table of the organisations we share information about you with, and data processors we use to process your information, split into the following categories:

  • Direct Medical Care and Administration
  • Other primary care services delivered for the purposes of direct care
  • Statutory Disclosures of Information
  • Processing for the Purposes of Commissioning, Planning, Research and Risk
  • Stratification
  • Data Sharing Databases
  • Data Processors

In most cases, the Data Controller and Data Protection Officer (DPO) are as listed in section 6 above. Where they are not, they are specified in the table.

Other care providers with NHS contracts (e.g. services providing ultrasound scans, medical imaging; specialist providers such as those providing day surgery, other direct care tests/services)

Personal data concerning your GP medical record may be shared with NHS Trusts in order to enable their healthcare professionals to make the best informed decision about your health needs, and provide you with the best possible care if you visit these providers for routine care and referrals.

Your information will also be shared with other care providers to provide best care, for example for medical imaging tests the practice cannot perform itself.

Note that NHS contracts are commonly delivered by private organisations; some of these providers will be partnerships, companies and other bodies, along with statutory NHS bodies such as NHS Trusts.

Your personal information may also be processed for local administrative purposes such as:

  • Waiting list management
  • Local clinical audit
  • Performance against local targets
  • Activity monitoring
  • Production of datasets to submit for commissioning purposes and national collections

The source of the information shared in this way is your electronic GP record.

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Article 6(1)(c) – processing for legal obligation
Article 6(1)(e) – public interest or in the exercise of official authority
Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law
Article 9(2)(h) – processing is necessary for medical or social care treatment or the management of health or social care systems and services

Related Legislation:

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012
  • Common Law of Duty of Confidentiality

You have the right to:

  • Access, view or request copies of your personal information
  • Request rectification of any inaccuracy in your personal information
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested
    • The processing is unlawful
    • Where we no longer need the data for the purposes of the processing

Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.

Emergency Services (Ambulance trusts, police, A&E departments, out of hours services, 111)

There are circumstances when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for example, during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate.

Medical professionals have a duty of care to share data in emergencies to protect their patients or other persons. In these circumstances, your GP medical record will be shared with emergency healthcare services, the police or fire service in order to enable you to receive the best treatment or service.

The source of the information shared in this way is your electronic GP record.

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Article 6(1)(c) – processing for legal obligation
Article 6(1)(d) – the processing is necessary in order to protect the vital interests of the data subject
Article 9(2)(c) – the processing is necessary to protect the vital interests of the data subject

Related Legislation:

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012
  • Common Law of Duty of Confidentiality

You have the right to:

  • Make pre-determined decisions about the type and extent of care you will receive in an emergency. These are known as “Advance Directives” and are held in Universal Care Plans (formerly called “Urgent Care Plans”)
  • Access, view or request copies of your personal information
  • Request rectification of any inaccuracy in your personal information
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested
    • The processing is unlawful
    • Where we no longer need the data for the purposes of the processing

Right to object: You have the right to object to some or all of your personal information being shared with the recipients. You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.

If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.

GP Federations and Primary Care Networks

(Groups of Practices working together, and with other providers, to provide joined-up and effective care)

North Central London Integrated Care Service

GP Federations are groups of GPs (patient-centred organisations) working collaboratively and developing closer integration with other partners across health, social and third sector partners to facilitate an enhanced delivery of health and care services.

Primary Care Networks (PCNs) are similar, but are led at the GP level and may involve a variety of other organisations also noted in this privacy notice.

North Central London Integrated Care Service is a wider grouping performing shared functions across health and care.

In each case, the Practice remains the data controller for the information about you.

Through various hubs in the community, the GP Federations and PCNs provide direct health and care services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across North Central London (which covers the boroughs of Barnet, Camden, Enfield, Haringey and Islington).

If you receive treatment/consultation on any of these services, personal data concerning your GP medical record may be shared with the GP Federation and Multidisciplinary Teams (MDT) in order to enable them to make the best informed decision about your health/care needs, and provide you with the best possible care.

The source of the information shared in this way is your electronic GP record.

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Article 6(1)(c) – processing for legal obligation
Article 6(1)(e) – public interest or in the exercise of official authority
Article 9(2)(h) – processing is necessary for medical or social care treatment or the management of health or social care systems and services

Related Legislation:

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012
  • Common Law of Duty of Confidentiality

You have the right to:

  • Access, view or request copies of your personal information
  • Request rectification of any inaccuracy in your personal information
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested
    • The processing is unlawful
    • Where we no longer need the data for the purposes of the processing

Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.

Pharmacists

Medicines Optimisation – Delivery of direct care, e.g. vaccination, prescription fulfilment.

Medicines optimisation looks at the value which medicines deliver, making sure they are clinically effective and cost-effective. It is about ensuring patients get the right choice of medicines, at the right time, and are engaged in the process by their clinical team.

Medicines optimisation enables community pharmacies to request medication electronically from the Practice and view relevant information from your GP record in order to provide you with the best medicines.

The source of the information shared in this way is your electronic GP record.

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Article 6(1)(c) – processing for legal obligation
Article 6(1)(e) – public interest or in the exercise of official authority
Article 9(2)(h) – processing is necessary for medical or social care treatment or the management of health or social care systems and services

Related Legislation:

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012

You have the right to:

  • Access, view or request copies of your personal information
  • Request rectification of any inaccuracy in your personal information
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested
    • The processing is unlawful
    • Where we no longer need the data for the purposes of the processing

Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.

Local Authority – Social Services

The Practice works closely with Local Authorities to support and care for people of all ages to deliver the best possible social care.

Personal data concerning your GP medical record may be shared with Local Authorities and Multidisciplinary Teams (MDTs) delivering social care in order to enable them to make the best informed decision about your social care needs if required.

The source of the information shared in this way is your electronic GP record and your Local Authority social care records. Your GP is the data controller for your electronic GP record; your local authority is the data controller for your social care record.

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Article 6(1)(c) – processing for legal obligation
Article 6(1)(d) – processing for vital interests of data subject and/or
Article 6(1)(e) – public interest or in the exercise of official authority
Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law
Article 9(2)(h) – processing is necessary for medical or social care treatment or the management of health or social care systems and services

Related Legislation:

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012

You have the right to:

  • Access, view or request copies of your personal information
  • Request rectification of any inaccuracy in your personal information
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested
    • The processing is unlawful
    • Where we no longer need the data for the purposes of the processing

Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.

Multidisciplinary Care Teams and Clinics (MDTs)

Personal data concerning your GP medical record may be shared with clinics delivering care or Multidisciplinary Teams (MDTs) in the area in order to provide you with the best possible care. For example, if you suffer from a long-term condition, specialist MDTs may deliver services alongside your GP. These MDTs commonly run clinics for conditions, so that you can receive the best possible care from practitioners specialising in the treatment area.

The source of the information shared in this way is your electronic GP record.

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Article 6(1)(c) – processing for legal obligation
Article 6(1)(e) – public interest or in the exercise of official authority
Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law
Article 9(2)(h) – processing is necessary for medical or social care treatment or the management of health or social care systems and services

Related Legislation:

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012

You have the right to:

  • Access, view or request copies of your personal information
  • Request rectification of any inaccuracy in your personal information
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested
    • The processing is unlawful
    • Where we no longer need the data for the purposes of the processing

Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.

Care Homes

Personal data concerning your GP medical record may be shared with Care Homes delivering your care in order to enable their care professionals to make the best informed decision about your care needs, and provide you with the best possible care if you are resident in a Care Home.

Note that many care homes are private sector organisations.

The source of the information shared in this way is your electronic GP record.

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Article 6(1)(c) – processing for legal obligation
Article 6(1)(e) – public interest or in the exercise of official authority
Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law
Article 9(2)(h) – processing is necessary for medical or social care treatment or the management of health or social care systems and services

Related Legislation:

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012

You have the right to:

  • Access, view or request copies of your personal information
  • Request rectification of any inaccuracy in your personal information
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested
    • The processing is unlawful
    • Where we no longer need the data for the purposes of the processing

Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights, please contact the Practice (data controller) or the DPO and your request will be carefully considered.

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details are given at section 6), or if not satisfied, with the Information Commissioner (ICO), whose contact details are given at section 8.

The NHS Account and the NHS App

The NHS Account and the NHS App are available to all patients over 13 years of age registered with a GP in England. Details are available online from: https://www.nhs.uk/nhs-app/.

The purpose of the processing is to allow you to access NHS services more easily and to be able to see information about your health and care. The app includes a wide range of services which vary with each provider.

You need to have verified your NHS account to access all the services on the NHS account and app; some services are available without full verification.

If you are an NHS App user, we use the NHS Account Messaging Service provided by NHS England to send you messages relating to your health and care.

The data controller for data on the NHS app depends on the use and provider. Full details can be found at: https://www.nhs.uk/nhs-app/nhs-app-legal-and-cookies/nhs-app-privacy-policy/privacy-policy/.

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

Article 6(1)(e) – public interest or in the exercise of official authority
Article 9(2)(b) – processing necessary in the field of employment, social security and social protection law
Article 9(2)(h) – processing is necessary for medical or social care treatment or the management of health or social care systems and services

Related Legislation:

  • Data Protection Act 2018 Section 10
  • Section 251B Health and Social Care Act 2012

You have the right to:

  • Access, view or request copies of your personal information
  • Request rectification of any inaccuracy in your personal information
  • Restrict the processing of your personal information where:
    • Accuracy of the data is contested
    • The processing is unlawful
    • Where we no longer need the data for the purposes of the processing

Right to object: In line with the UK GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

If you wish to exercise any of your rights, please contact the appropriate data controller or DPO and your request will be carefully considered. Note that the practice is data controller only for its data on the NHS app, not for that of other organisations, nor for the account or the app itself.

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain. You may raise the issue with the Practice’s Data Protection Officer (contact details provided), or if not satisfied, with the Information Commissioner (ICO), whose contact details are provided.