Privacy Notice

COVID-19 data sharing for health and social care in South East London

What is the lawful basis for processing your information?

The General Data Protection Regulations/Data Protection Act 2018, (Article 6(1) (a), 6(1)(e) and  9(2)(h) legally provides the GP practice the right to process your information. The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health services in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training.

To do this we will need to process your information in accordance with current data protection legislation to:

    • Protect your vital interests
    • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult
    • Perform tasks in the public’s interest
    • Deliver preventative medicine, medical diagnosis and medical research
    • Manage the health and social care system and services.  

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.GP Practice – Privacy notice template as of 31st January 2020

How we use your personal information

This information explains why the GP practice collects information about you and how that information will be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received. This can include care received within the GP practice, NHS Trusts, Walk-in clinics, Urgent Care centres, and the out of hours GP services. These records help to provide you with the best possible healthcare. Barnard Medical Group is a registered data controller and must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z512700X and our entry can be found in the Data Protection Register on the ICO website.

What type of personal data is used?

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technologies to ensure that your information is kept confidential and secure. Records which this GP practice holds about you may include the following information;

      • Details about you, such as your address, telephone number, carer, legal representative, emergency contact details and NHS number
      • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
      • Notes and reports about your health
      • Details about your treatment and care
      • Results of investigations such as laboratory tests, x-rays, images etc.
      • Relevant information from other health professionals, relatives or those who care for you
      • Sensitive information, such as racial, ethnic origin, religious beliefs and sexual orientation
      • Criminal offence information and/or safeguarding

How is your data used?

To ensure you receive the best possible care, your records are used to facilitate the care and treatment you receive. Information held about you may also be used to protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audits to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. This information can be used by other NHS statutory organisations to improve and develop services and information is de-identified so that your personal identifiable information is not seen.

All patients who receive NHS care are registered on a national database. The database is held securely by NHS Digital, a national organisation which has legal responsibilities to collect NHS data. More information can be found on the NHS Digital website

Purposes for using your information

To meet your healthcare needs

In line with our statutory duty as a general practitioner, information is processed to provide direct health or social care to individual patients. When a patient agrees to a referral for direct care, such as to a hospital, relevant information about you will be shared with the other healthcare organisations and staff to enable them to give appropriate advice, investigations, treatment and/or other care. This will include providing details of prescription information to pharmacists and advising you of other beneficial health information.

Preventing ill health (Risk stratification)

The NHS are increasingly using technology to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission to hospital, this is known at ‘Risk Stratification’.   Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. De-identified information is analysed using special software and is provided back to your GP in identifiable form. This information enables your GP to focus on preventing ill health and not just the treatment of sickness. Examples of these are;

      • Frailty
      • Diabetes 

Quality and clinical audit

Your information may be used within the surgery for the purpose of clinical audit, to monitor the quality of the services we provide and improve care.

Medicines management

The GP Practice may conduct medicines management reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. The practice works closely with the Clinical Commissioning Group medicines management team.

Patient and public involvement

If you are a member of the GP practice patient participation group (PPG) information will be held about you so the practice can keep you informed regarding the work the practice is involved in, as well as details of meetings and consultation events. When you submit your details to us for involvement purposes, we will only use your information for this purpose and you can opt out at any time by contacting Gill Collins Practice Manager at the Barnard Medical Group.

Accessible Information Standard and translation services

In line with the Accessible Information Standard (AIS) which was introduced in July 2015, the practice aims to ensure that people who have a disability, impairment or sensory loss receive information that they can access and understand. For example, in large print, braille or via email or professional communication support if it is required. i.e. British Sign Language (BSL) interpreter.

The GP practice also offers translation services to support patients with their translation needs.

In both cases, this will require support from another service provider to assist with your requirements. Organisations that provide these services may maintain small amounts of information about you, such as your name, address, contact and NHS number.

When these services are used, it will be done so with your consent and the information you provide will be handled in strict confidence in line with the data protection laws.

Your preferences for communication can be provided to the GP practice and will be registered on your records.


The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They need to follow strict rules to make sure your personal data is always kept secure and confidential.

Where possible, researchers will make efforts to take out any information that could identify you, such as your name, address and postcode. If they cannot practically take out such information, it is their legal responsibility to ask for your explicit permission (consent).

Further information regarding how information is used for research and planning can be found below under ‘National Data Opt-Out’.

Safeguarding adults and children

Sometimes, health and social care professionals may need to share information so that other people, including healthcare staff, children or other safeguarding needs are protected from risk of harm.

These circumstances are rare and we do not need your consent or agreement to do this.

People’s wellbeing is at the heart of the care and support system under the Care Act 2014 and the prevention of abuse and neglect is one of the elements identified under a person’s wellbeing

Our GP practice is committed to working in partnership with local authorities and the Clinical Commissioning Group’s safeguarding team to fulfill their safeguarding responsibilities.

GP practice website

As part of the enhanced services available on the GP practice website, personal information will be gathered when accessing on-line consultation services, such as, name, address/postcode, date of birth, gender, phone number and email address.

Staff and job applications

When individuals apply to work at our practice the information is used to process applications and recruit GP practice staff. Where the GP practice needs to disclose information to a third party, for example, to gain a reference, or to obtain a ‘disclosure’ from the Disclosure and Barring Service, the GP practice will not do so without informing the applicant beforehand, unless the disclosure is required by law.

Once a person has taken up employment the GP practice will maintain an employment file. The information contained in this file will be kept secure and will only be used for purposes directly relevant to that person’s employment.  

What is the lawful basis for processing your information?

The General Data Protection Regulations/Data Protection Act 2018, (Article 6(1) (a), 6(1)(e) and  9(2)(h) legally provides the GP practice the right to process your information. The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health services in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training.

To do this we will need to process your information in accordance with current data protection legislation to:  

    • Protect your vital interests
    • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult
    • Perform tasks in the public’s interest
    • Deliver preventative medicine, medical diagnosis and medical research
    • Manage the health and social care system and services.

    Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

    Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.

    Keeping your information private

    We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 2018, Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of practice on confidential information.

    Every member of staff who works for our practice has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation or health care service, or processes it on their behalf, has a legal and contractual duty to keep it confidential.

    The practice will not share your information with third parties without your consent unless there are exceptional circumstances, such as when the health and safety of you or others is at risk, to protect the health and wellbeing of children and vulnerable adults, or where the law requires us to do so.

    Processors of personal data

    In order to deliver the best possible service, the practice contracts Processors to process personal data, including patient data on our behalf.

    When we use a Processor to process personal data we will always have an appropriate legal agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by a Processor include:

      • Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services and document management services
      • Delivery services (for example if we were to arrange for delivery of any medicines to you).
      • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

    Sharing information for your care and well-being

    We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital, or your GP will send details about your prescription to your chosen pharmacy.

    Healthcare staff working in A&E/Urgent Care Centres and the out of hours GP care service will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions and the medication you are taking. This will involve the use of your Summary Care Record For more information see: or alternatively speak to your practice.

    Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This may include your name, address, NHS number and treatment date.  All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

    We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances such as;

      • Through a court order, where a judge has ordered that specific and relevant information should be disclosed – in such an event as preventing crime or fraud
      • When it is necessary for the reasons of public interest in the area of public health such as protecting again serious cross-border threats to health, such as a flu pandemic or rare infectious disease
      • When it is necessary to protect the vital interests of an individual to protect the safety and welfare of vulnerable children and adults
      • When there are specific lawful conditions to do so under the General Data Protection Regulations; or any subsequent data protection laws.

    Caldicott Principle 7

    The duty to share information can be as important as the duty to protect patient confidentiality. This means that health and social care professionals will share information in the best interest of their patients with the framework which is set out in the Caldicott principles.

    Caldicott Guardian details

    All NHS organisations are required to nominate a Caldicott Guardian. This role has the responsibility for protecting the confidentiality of patient information and enabling appropriate information sharing.

    The name of our GP practice Caldicott Guardian is:    Dr Richard Scott.

    National data opt-out preference

    The National data-opt-out was introduced on 25 May 2018, following recommendations of the National Data Guardian review of Data Security, Consent and Opt-Outs. This enables patients to opt out from their data being used for research and planning purposes. 

    Patients and public who decide they do not want their personal identifiable data used for planning and research purposes will be able to set their national opt-out preference.

    Residents have the right to opt out of their personal identifiable data being used for the following purposes.

      • Providing local services and running the NHS and social care
      • Supporting research and improving treatment of care

    To set an opt-out preference, NHS Digital provides an online and non-digital non-digital national data opt-out service.

    For further information on the National Data Opt-out and to see how ‘Your Data Matters’ please visit  Or call 0300 303 5678 (Monday to Friday, 9am to 5pm, excluding bank holidays)

    Exceptional circumstances

    The opt-out will not apply where there is a mandatory legal requirement or an overriding public interest. These will be areas where there is a legal duty to share information (for example a fraud investigation) or an overriding public interest (for example to tackle the ebola virus).

    Who are our partner organisations?

    Below are just some of the organisations that we may have to share your information with. This would only be done in line with the lawful basis for sharing information under the data protection laws.

      • NHS Trusts / Foundation Trusts
      • Other GP’s (Including Primary Care Networks)
      • NHS Commissioning Support Units
      • Independent Contractors such as dentists, opticians, pharmacists
      • Private Sector Providers
      • Voluntary Sector Providers
      • Ambulance Trusts
      • Clinical Commissioning Groups
      • Social Care Services
      • NHS Digital
      • Primary Care Support England
      • Local Authorities
      • Education Services
      • Fire and Rescue Services
      • Police & Judicial Services
      • Other ‘data processors’ which you will be informed of 

      We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

      Sharing your information to improve your care

      To be able to provide the best care for our patients a system called Connect Care was developed. A similar system called Local Care Record is used in other parts of south east London. These systems  allows GP staff, hospital staff, district nurses and other local organisations involved in your care to share important information about the people they care for. This could include checking which medications a patient is taking or a child's immunisation history.

      Only authorised staff will have access to these systems on a need to know basis and the information is operated over a secure network.

      You will be asked your permission at the point of care before viewing your record. If you are unable to give permission e.g. in an emergency, your care provider may access your record if they believe it is in your best interest.

      Health providers who have access to your records will be better informed about your care and it enables faster and effective delivery of your care, without the need for sharing information by letter, email, fax or phone.

      You have the right to choose not to have your information available through Connect Care and the Local Care Record. If you don’t want your information to be available through this service and want to find out how to opt-out, or want to find out how this might affect your care, visit the Connect Care web page. If you do not have access to the website, you can call 020 8836 4592 and leave your name and number for someone to contact you.

      Our Healthier South East London (OHSEL)

      Our Healthier South East London (OHSEL) is a partnership of health and social care providers and professionals who provide health and care services for people living in South East London, London, nationally and internationally. More information about the services provided and the can be found on the OHSEL website, along with details of their privacy notice.

      Ways we may communicate with you

      Our practice may need to contact you for a variety of reasons including to:

        • discuss your care and treatment
        • Offer you a new appointment or alter an existing one
        • Send you a reminder of an existing appointment
        • Ask your opinion of our services
        • Tell you about other care services (such as flu jabs)
        • Arrange for transport to be provided
        • Arrange for a home visit
        • If you are a member of the patient participation group

      It is important to confirm with your GP practice your communication preferences at the time of registering.

      Our standard way to contact you is by letter or telephone.  We may also use emails and SMS text messaging.

      When our practice uses text messaging services, no confidential information will be contained in the message; it will generally be a reminder for an appointment or care service message.

      It is important that you advise your GP practice of any change of details in relation to your phone and contact details as soon as possible.

      You can change your communication preferences or opt out of the SMS text service at any time by contacting the surgery. Please note: Changes of address must be done in writing or in person at the surgery and will not be taken over the telephone

      Contact that is made to and from the GP practice from an individual’s private email account, are not secure. Any patient or service user using this method, do so at their own risk (however small).

      How do I gain access to my personal information?

      You have a right to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. You are able to either view or receive copies of records held in electronic or paper format.

      This type of request is known as a ‘Subject Access Request’ (SAR) and can be made in writing to the GP via email or post. For information from the hospital you will need to write direct to them. In special circumstances your right to see some details in your health records may be limited, to protect you and others mentioned in your records from harm, and to maintain the confidentiality of others.

      Under the Data Protection laws our GP practice are required to respond to your request within 30 days. You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

      No fee will be charged for this service, unless a request is manifestly unfounded, excessive or repetitive.

      GP patient on-line service

      Patients with access to internet or a personal computer can register for ‘Patient On-line service’. Patients can sign up and register with the practice to view parts of your GP record, including information about medication, allergies, vaccinations, previous illnesses and test results. This service also offers booking and cancelling appointments on-line and ordering repeat prescriptions. For more information see GP Online services

      Other additional information rights

      As well as the right to have access to your personal information, under the data protection laws of 2018, individuals also have;

        • the right to be informed (Through this privacy notice and other methods of communication)
        • the right for information to be rectified
        • the right to erasure (subject to conditions, and does not include information relating to your care)
        • the right to restrict processing
        • the right to portability
        • the right to object
        • rights in relation to automated decision making and profiling

      There are various exception and circumstances where your request may be refused and therefore individuals should always consult with Barnard Medical Group when making a request under your individual rights.

      Can I access the records of my children?

      You may be able to access the records of your child/children.  However, if a clinician has stated that he/she believes your child/children to be competent to make their own decisions, then you will not have an automatic right of access. If this is the case, any requests for copies of your child’s records will need to be with the consent of your child/children.

      As above, there may be legal exceptions when it will not be appropriate or possible to obtain information, such as safeguarding or a court order.

      To apply for access, please use the procedure above.

      To carry out your rights or request a copy of your information please contact:

      Data Protection Lead

      Name: Gill Collins

      Address: Barnard Medical Group 43 Granville Road Sidcup DA14 4TA

      Contact: 0208 302 7721

      How long do we keep your information?

      GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at:

      Transfer of information outside the European Union to third countries or international organisations.

      There are legal restrictions imposed on health and care organisations regarding the transfer of personal data outside the European Union, to third countries or international organisations. Our GP practice does not share or transfer information outside of the European Union, to third countries or international organisations.

      Automated individual decision-making (Profiling)

      Automated individual decision-making is defined as making decisions or evaluating things about an individual solely by automated means without any human involvement.

      Most GP practices in Bexley provide an on-line healthcare consultation process which provides self-care advice. This on-line consultation service may use automated clinical decision making tools.

      Personal data breaches

      All organisations that process personal data have a duty to report certain types of personal data breach to the Information Commissioners Office within 72 hours of an incident occurring

      What to do if you have any questions?

      Should you have any concerns about how your information is managed at the practice, please contact Gill Collins.

      If you are still unhappy following a review by the GP practice, you can contact NHS England or the Information Commissioners Office.

      NHS England leads the National Health Service (NHS) in England and set the priorities and direction of the NHS and encourages and informs the national debate to improve healthcare. The NHS England website provides information on how to provide your feedback or make a complaint.

      The Information Commissioners Office is a UK independent body which has been established to uphold information rights for individuals.


      Covid-19 and your information - Updated on 8th April 2020

      supplementary privacy note on Covid-19 for Patients


      This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.

      The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

      Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on here and some FAQs on this law are available here.

      During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

      In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

      During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

      We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here 

      NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

      In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

      We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

      Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website