Privacy Notice


1. Introduction

1.1. Policy statement

NHS England collects information with the purpose of improving health and care for everyone. The information collected is used to: 

  • Run the health service 
  • Manage epidemics 
  • Plan for the future 
  • Research health conditions, diseases and treatments 

NHS England is a data controller and has a legal duty, in line with the UK General Data Protection Regulation (UK GDPR), to explain why it is using patient data and what data is being used. Similarly, Staverton Surgery has a duty to advise patients of the purpose of personal data and the methods by which patient personal data will be processed. 

All staff should be aware of the practice privacy notice and be able to advise patients, their relatives and carers what information is collected, how that information may be used and with whom the organisation will share that information.  

The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the UK GDPR. 

Find further information on how ee look after your health and care 

1.2. Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies. 

This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the practice such as agency workers, locums and contractors. 


2. Compliance with regulations 

2.1. UK GDPR 

The background to the UK GDPR was that in May 2018, GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy.  

Post-Brexit, in January 2021, the GDPR became formally known as UK GDPR and was incorporated within the Data Protection Act 2018 (DPA18) at Chapter 2. 

In accordance with the UK GDPR, this organisation will ensure that information provided to subjects about how their data is processed will be: 

  • Concise, transparent, intelligible and easily accessible 
  • Written in clear and plain language, particularly if addressed to a child 
  • Free of charge 

DPA18 will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit. 

2.2. Article 5 compliance 

For clarity, a data controller is an entity that determines the purposes, conditions and means of the processing of personal data, whereas a data subject is a natural person whose personal data is processed by a controller or processor.

In accordance with Article 5 of the UK GDPR, this organisation will ensure that any personal data is:  

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject 
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes 
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed 
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay  
  • Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed 
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures 

Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above.

2.3. Communicating privacy information 

A privacy notice is to provide a statement that discloses some or all the ways in which the organisation gathers, uses, discloses and manages a patient’s data, its purpose it to fulfil a legal requirement to protect a patient’s privacy. 

At this organisation, this privacy notice is displayed on our website, through signage in the waiting room and in writing during patient registration. We will: 

  • Inform patients how their data will be used and for what purpose 
  • Allow patients to opt-out of sharing their data, should they so wish 

2.4. What data will be collected? 

The following data will be collected: 

  • Patient details (name, date of birth, NHS number) 
  • Address and NOK information 
  • Medical notes (paper and electronic)  
  • Details of treatment and care, including medications 
  • Results of tests (pathology, X-ray, etc.) 
  • Any other pertinent information  

2.5. National data opt-out programme 

The national data opt-out programme affords patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used solely for their individual care and treatment or also used for research and planning purposes. 

NHSE have provided a document titled Understanding the national data opt-out

Patients who wish to opt-out of data collection can register a national data opt-out. Further reading can be found at this NHSE webpage titled Setting or changing a national data opt-out choice. This includes information regarding children and their privacy. 

This organisation has proved compliance by publishing the organisational privacy notice and submitting the Data Security and Protection Toolkit assessment.  

Further information about opting out can be found in the NHS England webpage titled Make a choice about sharing data from your health records

2.6. Patients in secure settings 

There are special arrangements for patients in prison or other similar secure settings known as detained and secure estates. A health and care professional can help register a patient’s opt-out choice.  

Further reading can be found at the NHS Digital webpage titled Guidance for detained and secure estates


3. General practice data for planning and research data collection  

3.1. About 

This data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this.  

The GPDPR is designed to help the NHS to: 

  • Monitor the long-term safety and effectiveness of care 
  • Plan how to deliver better health and care services 
  • Prevent the spread of infectious diseases 
  • Identify new treatments and medicines through health research

3.2. Data sharing 

Data may be shared from GP medical records for: 

  • Any living patient registered at a GP practice in England when the collection started. This includes children and adults 
  • Any patient who died after this data sharing started and was previously registered at a GP practice in England when the data collection started 

NHS England will not share the patient’s name or demographic details.  

Any other data that could directly identify the patient will be replaced with unique codes which are produced by de-identification software before the data is shared with NHSE including: 

  • NHS number 
  • General Practice Local Patient Number 
  • Full postcode 
  • Date of birth 

This process is called pseudonymisation and means that no one will be able to directly identify the patient in the data.   

It should be noted that NHSE will be able to use the same software to convert the unique codes back to data that could directly identify the patient in certain circumstances, and where there is a valid legal reason.  

For further reading, refer to the NHSE webpage titled About the GPDPR programme

3.3. What information can and cannot be shared  

NHSE will collect structured and coded data from patient medical records including: 

  • Data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments including information about physical, mental and sexual health 
  • Data on sex, ethnicity and sexual orientation 
  • Data about staff who have treated patients 

NHSE will not collect: 

  • Name and address (except for postcode, protected in a unique coded form) 
  • Written notes (free text), such as the details of conversations with doctors and nurses 
  • Images, letters and documents  
  • Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old 
  • Coded data that GPs are not permitted to share by law – for example certain codes about gender re-assignment 

Further reading can be sought from the NHSE webpage titled Looking after your data

3.4. Opting out 

Primary care organisations have been required to honour the National Data Opt-out (NDO-O) since 31 July 2022 and practices should now be complying with the NDO-O unless there is a specific reason not to do so. 

This means that patients who do not want their identifiable patient data to be shared for purposes except for their own care can opt-out by registering to Type 1 opt-out on the NHS website, completing our Type 1 opt-out form or, set out their data opt-out choice via the national data opt-out (NDO-O).  

Patients can do both. 

Further reading can be found in NHS E webpage titled Compliance with the national data opt-out

3.5. Available resources 

The following resources are available for staff at this organisation: 


4. Further information 

4.1. Privacy notice checklists 

The Information Commissioner’s Office has provided a privacy notice checklist that can be used to support. 

4.2. Privacy notice 

A practice privacy notice can be found at Annex A.  

4.3. Notifications for patients