Privacy Notice

This privacy notice explains why The Firs (henceforth, “we”, “us”, or “our”) collects information about you and how that information may be used. We keep medical records confidential, complying with all Data Protection obligations. The use of data in the UK is mainly governed by:

  • UK GDPR 2021
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Codes of Confidentiality, Information Security, and Records Management

The use of healthcare data specifically is also governed by other laws such as the Access to Health Records Act 1990, the Health and Social Care Act 2012, and more.

The information we hold about you

All patients who receive NHS care are registered on a national database. This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data. More information can be found at https://digital.nhs.uk/, or you can call NHS Digital's general enquiries number on 0300 303 5678.

Your care records may exist in several formats including electronic, paper or a mixture of both, and we deploy many approaches to ensure that such information is maintained within a confidential and secure environment. The records which we could hold about you may include the following information:

  • Personal details relating to you, including your address and contact details, carer, legal representative and parents’ emergency contact details
  • Any contact we have had or intend to have with you such as appointments, clinic or surgery visits, home visits, etc.
  • Notes and reports about your health which is deemed to be of a sensitive nature
  • Details about your referral, diagnostics procedures, treatment and care
  • Results of any additional relevant investigations
  • Relevant information from other health professionals, relatives or those who care for you

We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation, the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up to date when you receive care from other parts of the health service. There are also a number of Digital Tools that are centrally managed by North East London Integrated Care Board which help support your direct care and improve the way care is delivered in the future. To view the fair processing notice for these tools follow this link: www.northeastlondon.icb.nhs.uk/legal-information

How we use your information

We will use your information for direct care purposes and to check and review the quality of the service we provide. This helps us to improve our services to you. Anonymised information held about you could, on occasions, be used to help protect the health and well-being of the general public and to help us manage our contracts with commissioners. Information could also be used within our Practice for the purposes of clinical audits which in turn will provide monitoring of the quality of the services we provide.

Some of this information will be used for statistical purposes and we will ensure that individuals cannot be identified. For situations where we may contribute to research projects we will always gain your explicit consent before releasing any relevant information. 

We may occasionally run automated searches through our database to identify patients at high risk for certain diseases or medical conditions in order to provide them with additional and early support. This process will involve linking information from your GP record with information from other health or social care services you have used. We may use a third-party provider to help us perform the searches, however they will only be provided with pseudonymised data, so data which can directly identify you will only be viewable to the GP Practice.

Legal Basis for Processing

Our legal basis for processing your personal data relies on GDPR Article 6(1)(e), “...necessary for the performance of a task carried out in the public interest...”.

Our legal basis for processing your special category data relies on Article 9(2)(h), “necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” underpinned by the Data Protection Act 2018 Schedule 1 2(2)(d), “provision of healthcare or treatment”.

On occasion, we may also rely on other Article 9 conditions such as explicit consent, vital interests, legal claims, substantial public interests (with a basis in law), public health (with a basis in law), or archiving, research and statistics purposes (with a basis in law). 

Maintaining the Confidentiality of Your Records

We will take all possible care to protect your privacy and will only use information collected in accordance with the law. Our staff are briefed on data protection principles and understand they have a legal obligation to keep information about you confidential. They also understand that information about you will only be shared with other parties if there is an agreed or legal requirement.

We will only share your data without your permission under exceptional circumstances, subject to the exceptions given by the GDPR and UK Data Protection Act, which include:

  • prevention and detection of crime
  • substantial public interest
  • vital interests (life-threatening emergencies)

This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott Principles.

All personal information that we manage is stored in the UK within a secure environment and we always use suitably protected methods and systems to transfer your personal information. 

Who your data is shared with

We will share relevant information from your medical record with other health or social care staff or organizations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.

In general, your data may be shared with:

  • healthcare professionals and staff in this surgery;
  • local hospitals (e.g., for referrals);
  • out-of-hours services (e.g., staff treating you in an emergency may check if you have allergies. They will use your Summary Care Record. For more information, see: https://digital.nhs.uk/summary-care-records);
  • diagnostic and treatment centres; or
  • other organisations involved in the provision of direct care to individual patients (e.g. NELFT), or organisations which we have contracted to help us process data (see below for more information on our data processors).

In addition, we are legally required to share data with NHS Digital for purposes under section 259(1)(a) of the Health and Social Care Act 2012 to support vital planning and research for COVID-19 purposes. For further details, please refer to: https://digital.nhs.uk/binaries/content/assets/website-assets/corporate-information/directions-and-data-provision-notices/data-provision-notices/gpesdatapandemicplanningresearchdpnv1.0.pdf

We may also participate in national clinical audits to monitor and improve healthcare quality. Medical record data helps healthcare professionals assess the standard of care provided. Audit results highlight areas of good practice and identify opportunities for improvement in patient care, so this data is submitted to NHS Digital. Shared data may include identifiers such as your NHS Number and date of birth, along with coded health information (e.g., conditions like diabetes or high blood pressure). Information is only shared when permitted by law.

For further details, visit the Healthcare Quality Improvement Partnership website or call 020 7997 7370.

You have the right to object to your identifiable information being shared for national clinical audits. To do so, please contact us.

Your data will never be transferred internationally.

Processors of personal data

In order to deliver the best possible service, the Practice contracts Processors to process personal data, including patient data on our behalf.

When we use a Processor to process personal data we will always have an appropriate legal agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by a Processor include:

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient-facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services and document management services.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

Your Rights as a Data Subject

You have a right under the Data Protection Act 2018 to request access to view or to obtain a copy of what information the Practice holds about you and to have it modified should it be inaccurate. The process to access your records is known as a Subject Access Request (SAR) and the way it works is outlined below:

  • You can submit a request for your information either in person, over the phone, or electronically, by yourself or through your proxy (such as a law firm or a relative). You do not need to mention, “Subject Access Request”, “GDPR” or any other legal terms. Our staff are trained to recognise a SAR upon receipt.
  • You will need to provide adequate proof of your identity before we can release the requested details, typically a passport or driving license. If you are using a proxy such as a legal firm or a relative to make a request on your behalf, you must provide them with a signed consent form, specifying exactly which information you wish for us to disclose to them.
  • The request will be reviewed and completed within a maximum of one calendar month after verifying any necessary ID and other documents, as required by the GDPR, unless the SAR is complicated, in which case we may extend the deadline.
  • The latest regulations state that we cannot charge you to have a copy of your information unless the request is manifestly unfounded or excessive.

In addition to the right of access, under the Data Protection Act 2018, you will also have the following rights:

  • Rectification - you have the right to have any errors or mistakes in your records corrected. Please speak to a member of staff if you wish to do this.
  • Objection – you have the right to object to information being shared between parties for your own, direct care. Please speak to the Practice if you wish to object, however note that this may affect the care you receive. You are not able to object to:
    • your name, address and other demographic information being sent to NHS Digital. This is necessary if you wish to be registered to receive NHS care.
    • information being legitimately shared for safeguarding reasons (as described earlier), as it is a legal and professional requirement to share information for safeguarding reasons in appropriate circumstances to protect people from harm.
  • Withdrawal of consent - If you have provided us with your consent to process your data for the purpose of providing our services, you have the right to withdraw this at any time. In order to do this, you should contact us by emailing or writing to the Practice.
  • Erasure - We are required to follow strict data retention guidelines (see below) and so are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.  

Retention of your data

GP medical records will be kept in line with our retention policy, the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016.   

National Data Opt-Out

The National Data Opt-Out gives you the choice to stop your health and care information from being used for purposes beyond individual care, such as for research or planning, where such processing requires Section 251 approval under the NHS Act 2006. This does not affect:

  • Your care or treatment,
  • The sharing of your information for direct care or other essential services, and
  • Data used anonymously for research or planning

In line with NHS policy, our practice complies with the National Data Opt-Out scheme, and you can choose to opt-out at any time.

If you choose to opt out, your confidential patient information will no longer be used for purposes beyond your individual care. Your choice is respected by all organizations within the health and care system in England.

You can view or change your data-sharing preference at any time by visiting the official NHS website at www.nhs.uk/your-nhs-data-matters, by calling the NHS helpline on 0300 303 5678, or by contacting our Practice.

For further details about the National Data Opt-Out, please visit the NHS Digital website.

Cookies

This website makes use of cookies to optimise user experience. By using our website, you consent to all cookies in accordance with our Cookie Policy. 

Website Privacy

We are committed to protecting your privacy. You can access our website without giving us any information about yourself. But sometimes we do need information to provide services that you request, and this statement of privacy explains data collection and use in those situations.

In general, you can visit our website without telling us who you are and without revealing any information about yourself. However, there may be occasions when you choose to give us personal information, for example, when you choose to contact us or request information from us. We will ask you when we need information that personally identifies you or allows us to contact you.

We collect the personal data that you may volunteer while using our services. We do not collect information about our visitors from other sources, such as public records or bodies, or private organisations. We do not collect or use personal data for any purpose other than that indicated below:

  • To send you confirmation of requests that you have made to us
  • To send you information when you request it

We intend to protect the quality and integrity of your personally identifiable information and we have implemented appropriate technical and organisational measures to do so. We ensure that your personal data will not be disclosed to State institutions and authorities except if required by law or other regulation.

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should be aware that we don’t have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites. 

Notification

The Data Protection Act 2018 requires organisations that control data to register with the Information Commissioner’s Office (ICO).

Our Practice is registered with the ICO as a Data Controller under the Data Protection Act 1998.

Complaints

By law, we are required to appoint an independent Data Protection Officer (DPO) to advise us on our data protection practices and obligations, in order to make sure we are complying with the law. Our DPO is:

Should you have any concerns about how your information is managed by the Practice, you can raise a complaint according to our complaints procedure.

If you are still unhappy following a review by the Practice, you can then complain to the Information Commissioner’s Office (ICO) via their website, or in writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

If you are happy for your data to be extracted and used for the purposes described in this Privacy Notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact us.

 

 

Population Health Management Data Platform (Optum Pathfinder)

July 2025



Population Health Management (PHM) Privacy Notice
Under data protection law we must tell you about how we use your personal information. This includes the personal information that we share with other organisations and why we do so. Our main GP practice privacy notice is on our website. This additional privacy notice provides details about Population Health Management.  

What is Population Health Management (PHM)?  
PHM is aimed at improving the health of both local and national populations.   It is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair, timely, and equal.  It helps to reduce the occurrence of ill health and looks at all the wider factors that affect health and care.  

PHM is an approach being implemented across the NHS and this Practice. Population Health Management requires health and social care to work together with communities and partner agencies, for example, GP practices, community service providers, hospitals and other health and social care providers. Organisations will share and combine de-identified information (where information identifying you has been removed) with each other in order to get a view of health and services for the population in a particular area. This information sharing is subject to robust security arrangements and risk assessments.

How will my Personal Information be used?  
The information needed for PHM will include information about your health and social care. Information about you and your care will be used in a format that does not directly identify you, which we refer to within this privacy notice as pseudonymised. This information will be combined and anything that can identify you (like your name or NHS Number) will be removed and replaced with a unique code. This means that the people working with the data will only see the code and cannot see which patient the information relates to. The information will be used for a number of health and social care related activities such as -  


• identifying groups of patients that could benefit from direct interventions
• improving the quality and standards of care provided  
• research into the development of new treatments  
• preventing illness and diseases  
• monitoring safety  
• planning services  

Who will my personal information be shared with?  
Your GP, other health or care providers, Local Councils within NE London and the NHS NEL Integrated Care Board may send the information they hold on their systems to each other.  All of these organisations are legally obliged to protect your information and maintain confidentiality in the same way that your GP or hospital provider is.  

Is using my personal data in this way lawful?
Health Care Providers are permitted by data protection law to use information where it is “necessary for medical purposes”.  This includes caring for you directly as well as management of health services more generally.  The legal basis for sharing your information is GDPR Article 6 (1) (e) “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”  

Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law and in this case, anonymised data is used so that you cannot be identified.  

Can I object to my data being used as part of this programme?
Yes. You have the right to opt out of your personal data being used in this way. You can do this in two ways -


1. Opt out of all sharing of your data for other uses outside your GP Practice.  This is called a Type 1 opt out and you should request this directly to us, your GP practice. This will be applied not only to this programme but to any others we take part in.  
2. National Data Opt-out (opting out of NHS Digital sharing your data). You can find out more about and register a National Data Opt-out, or change your choice, on nhs.uk/your-nhs-data-matters or by calling 0300 3035678.

This applies to identifiable patient data about your health which is called confidential patient information.  If you don’t want your confidential patient information to be shared with other organisations for purposes except your own care - either GP data, or other data it holds, such as hospital data - you can register a National Data Opt-out.  

If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.