Privacy Notice

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this Privacy Notice carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

A poster of how we handle your data is available in the waiting area.

About Us

We, at the Stanhope Surgery situated at Stanhope Road, Waltham Cross EN8 7DJ, are a Data Controller of your information. This means we are responsible for determining the purpose for collecting, storing and handling your personal and healthcare information when you are registered with us as a patient.

Our aim is to provide you with the highest quality healthcare. To do this we must keep information about you, your health, and the care that is provided, or is planned to be provided, to you. This information is collectively known as your ‘health record’. The purposes for which we use the information held in your health record are set out in this Privacy Notice.

It is important to us that you are informed about how we use the information we hold about you. If you have any questions about this Privacy Notice or any other concern regarding how your personal and healthcare information is used, then please contact us.

Contact Us

A. Data Controller

The named, responsible Data Controller at the practice is Mr. Anthony Wood, Practice Manager.

You can contact him at the above address if:

  1. You have any questions about your information being held.
  2. You require access to your information or wish to make a change to your information.
  3. You have any other query in relation to this Privacy Notice and your rights as a patient.

B. If you have a concern

If you have a concern or complaint about the way we handle your personal data or how we have used or handled your personal and/or healthcare information, please contact the Data Controller on the contact information provided, so we can review your concern in accordance with our internal policy.

In the event that your concern was not resolved by your contact with our named Data Controller, then please contact our Data Protection Officer on the details below.

You also have the right to raise any concern or complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO), by telephone: 0303 123 1113.

C. Data Protection Officer

The Data Protection Officer (DPO) function for this practice is provided by HBL ICT services, hosted by ENHCCG. If you wish to contact the DPO for further information on how we use your data, or if you have a concern about anything to do with the personal and healthcare information we hold about you (that was not resolved by your enquiry with the practice), please contact the DPO at HBL ICT hosted by ENHCCG.

Information We Collect About You and Why

In order to provide healthcare services we collect personal information from you, such as your contact details: your name, address, telephone number(s), email address, date of birth, gender, NHS Number, details and contact number(s) of your next of kin, or carers as applicable.

We also collect health information and other related information from you and from health care professionals, or any other person involved in your general healthcare. This may include such information as:

  • contact we have had with you, such as appointments and services
  • information related to the services provided
  • notes and reports about your health
  • details and records about your treatment and care
  • results of x-rays, laboratory tests etc.

The information collected from you and others is collectively known as your ‘health record’.

Your health record may be held in handwritten format (manual record) or on a computer system (electronic). Information held within your health record is used for your direct care purposes and to check and review the quality of care you have received (this is called audit and clinical governance).

We may contact you using SMS messaging for appointment and other services on the mobile number you have provided and where you have given us permission to do so. If you no longer wish to receive messages via SMS, please contact the practice to let us know.

Your care providers will endeavour to ensure that your health record is kept up-to-date, accurate, secure and appropriately accessible to those providing your care and treatment. Please ensure you update us on any changes to your contact information or any other relevant details. You have the right to access information held about you. For details on access requests, please see Section 7A of this Privacy Notice.

Lawful Basis Relied on for Processing Information About You

A. The primary lawful bases that we rely on to collect, store, use, and share your personal and health information for direct care, the administration of direct care services (prevention, investigation and treatment), and the planning of healthcare services under Data Protection Legislation are as follows:

i. For processing personal data: Article 6(1)(e) 'The performance of a task carried out in the public interest or in the exercise of official authority…'

ii. For personal data concerning health or special categories of personal data: Article 9(2)(h) '…for the medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…'

B. Vital Interests:

There may be occasions where we rely on the lawful basis of Vital Interests in the event that we need to process personal data to protect an individual's life.

C. Legal Obligation:

Sometimes we are required by law to share your information. Examples of this may include such reasons as: to safeguard children or vulnerable adults, where it is in the wider public interest (public health), detection or prevention of crime, to defend a legal claim, reporting to DVLA, or where required by court order. In these instances, the lawful basis for sharing information is Legal Obligation.

D. Consent:

Your consent will be sought in certain instances, where we do not rely on another lawful basis to process your information (see Section 4A-C). For example, if you wish to sign up to our practice newsletter or to release your information to a third party who we do not have a lawful basis to share your information with, your consent will be required. When consent is given as the lawful basis for processing your information, your consent can be withdrawn at any time.

We will never sell or share your information for direct marketing.

Direct Care Services and Who We May Provide Your Information to and Why

Safe and effective care is dependent upon relevant information being shared between all those involved in caring for a patient. When an individual agrees to being treated by the wider care team, it creates a direct care relationship between the individual patient, the health and social care professional, and their team. All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the Common Law Duty of Confidentiality and the GDPR and Data Protection Act 2018.

Your personal information will only be shared in accordance with your rights under the General Data Protection Regulation, Data Protection Act 2018, the Common Law Duty of Confidentiality, the NHS Constitution, and in keeping with professional and NHS Codes of Practice.

For further information on the use and sharing of confidential information visit NHS Digital.

You have the right to object to your information being shared for direct care, but in some circumstances this may delay or affect the care you receive. Always consult your GP or relevant health professional before deciding to opt out of sharing your information, as they will be able to advise you on the possible outcomes of this decision. Please see Section 7E for further information on the right to object.

A. Case Findings and Risk Stratification

Sometimes your information will be used to identify whether you may benefit from a new or existing service, based on case findings. To do this, we may use automated technology to help us identify people who might require support or benefit from services, but ultimately the decision is made by those involved in your care. Those involved in your care might look at particular ‘indicators’ (such as particular conditions) and contact you or take action for healthcare purposes. For example, this might be to prevent you from having to visit accident and emergency by supporting you in your own home or in the community.

The automated review may be completed at the practice or in conjunction with the Clinical Commissioning Group’s (CCG) Risk Stratification processes. The information we pass to the CCG is via our computer systems and cannot identify you to them.

This information only refers to you by way of a code that only your practice can identify (it is pseudonymised). This protects you from being identified by anyone not involved in your care who may have access to this information.

See how the CCG use information to provide services and improve care

We may provide your information to the following people or organisations where there is a legitimate reason to do so, i.e. they require your information to assist them in the effective provision of your direct healthcare needs.

B. People and Organisations involved in your care

Health and Social Care Professionals, including support personnel who have, or will have a direct care relationship with you to meet your healthcare needs:

C. Diagnostic Organisations

Diagnostic testing organisations are provided with relevant information to allow contact with you and to book a test/procedure to assist in your direct healthcare needs.

D. Pharmacies

Pharmacists are provided with relevant information to allow contact with you and to provide relevant prescriptions and supporting advice, assisting in your direct healthcare needs.

E. Referrals such as Hospital Appointments/Specialists/Dentists/Continuing Health Care Services, Community Services (including Mental Health), and CCG approvals for certain NHS health services

When referrals are made for patients to an NHS or private healthcare provider, a summary of the patient's health history is typically included to assist the receiving healthcare professional to make a holistic assessment and/or decision. This is important, because removal of areas of the history that could be considered relevant may affect the outcome of referrals and treatment. If there are areas of your healthcare history that you do not want shared, please raise this with your GP or healthcare professional.

F. National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These screening programmes currently include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

G. Record Sharing Programmes

1. My Care Record

2. Summary Care Record (SCR)

H. Clinical Commissioning Group (CCG)

The CCG manages the majority of contracts for primary care, in order for us to deliver healthcare services to you. At times, they may assist us with our delivery of direct care services through reviews, or coordination and follow up with other organisations involved in your care. This may include such functions as coordinating community pharmacy services, providing medication optimisation reviews, arranging continuing health care services, contacting a hospital about important discharge information or a diagnostic organisation about a test result, or other health or social care services involved in your care.

We have contracts in place with the CCG. This means that they cannot do anything with your personal information unless we have instructed them to. They will only share information about you that is relevant and necessary to fulfil the requirement of a particular service to you. Information about you is only shared with organisations that have a relationship with you or will have a relationship through a referral. They will hold your information securely and retain it for only as long as necessary. If you require further information please contact the practice or the DPO.

I. Third Party Technical Support Processors

We use data processors who are third parties, who provide technical administration services for us to deliver health care services to you. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. If you require further information please contact the practice or the DPO.

Non Direct Care Services Where Your Information May Be Used

Whenever you use a health or care service, such as attending GP appointments, Accident & Emergency, admission to hospital, or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. In addition, this information may also be used by other approved organisations for non-direct care purposes, where there is a lawful basis to help with: planning services, improving care, research into developing new treatments, and preventing illness. All of this helps in providing better care to you and your family and future generations. Anonymised information (where you cannot be identified) will be used for non-direct care purposes whenever possible. However, confidential information about your health and care is only used in this way where the law allows and in alignment with the National Data Opt-Out Policy.

National Data Opt-Out

You have a choice about whether you want your confidential patient information to be used for research and planning. If you are happy with this use of information you do not need to do anything, but if you do choose to opt out, your confidential patient information will still be used to support your individual care and will not affect care and services available to you.

However, if there is an overriding public safety concern or legal requirement to share information, we must do so (See Section 4D).

Further information on the National Data Opt-Out Policy

If you choose to opt out, you can still agree to your data being used for specific purposes, i.e. a specific research project.

You can change your mind at any time on the NHS Digital website.

This practice is compliant with the National Data Opt-Out from March 2020 and will use your NHS number to apply your choice in line with the National Data Opt-Out Policy.

Please note: In addition to the National Data Opt-Out, the existing ‘type 1’ opt-outs will continue to be respected until 2020, when the Department of Health and Social Care will consult with the National Data Guardian. Therefore, until further notice, if you have informed the practice that you dissent from the practice sharing your confidential data for purposes beyond your direct care (type 1), your data will not be shared without your expressed permission.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in this way with your explicit consent.

Please see Section 7E for further information on the right to object.

To obtain a full copy of this privacy notice, please contact the practice.