Privacy Notice

Higham Hill Medical Centre Privacy Notice

GPES Data for Pandemic Planning and Research (COVID-19)
We are legally required to share data with NHS Digital for this purpose under section 259(1)(a) of the Health and Social Care Act 2012, to support vital planning and research for COVID-19 purposes. For further details, please refer to:

Dear all:

NHS Digital want to collect

    • data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health
    • data on sex, ethnicity and sexual orientation
    • data about staff who have treated patients

    in a pseudonymised way (which is still personal data, as the data can be linked back).


    Full details of the collection are here.


    We need to inform patients about this data collection and provide them with the option of opting out through our privacy notice. The Department of Health and Social Care have advised that, until they conduct a consultation with the National Data Guardian, the Type 1 opt-out will continue to be respected. A Type 1 opt-out can only be set at a GP practice.


    A Type 1 opt-out prevents information that identifies individuals from being shared outside of their GP practice for secondary uses. Type 1 opt-outs were introduced in 2013 for data sharing from GP practices, but may be discontinued in the future, as a new opt-out has since been introduced to cover the broader health and care system, called the National Data Opt-out. Our practice declared itself compliant with the National Data Opt-out as of 30 Sept 2020, after our practice managers completed the actions I provided them for compliance with this opt-out.


    NHS Digital will not collect any patient data for patients who have already registered a Type 1 opt-out, in line with current policy. A patient can register a Type 1 opt-out at any time. They can also change their mind at any time and withdraw a Type 1 opt-out.


    If a patient wishes to register a Type 1 opt-out with our GP practice before data sharing starts with NHS Digital, this should be done by returning the attached form to our GP practice by 23 June 2021, to allow time for processing it. If they have previously registered a Type 1 opt-out and would like to withdraw it, they can also use the form to do this. They can send the form by post or email to our GP practice, or call 0300 3035678 for a form to be sent out to them.


    More details are here:



    What is a Privacy Notice?

    This privacy notice, which is a requirement of the General Data Protection Regulation (GDPR), explains how we use any personal information we collect about you when you register with us. This privacy notice is also part of our commitment to ensure that we process your information/data fairly, transparently and lawfully.


    Who are we governed by?

    The legislation and guidance we are governed by include, but are not limited to:

    • General Data Protection Regulation (GDPR) - this includes the Data Protection Act 2018.
    • Caldicott Report 1997
    • Access to Health Records Act 1990
    • Freedom of Information Act 2000
    • Health and Social Care Act 2012, 2015
    • Public Records Act 1958
    • Computer Misuse Act 1990
    • The Common Law Duty of Confidentiality
    • The Social Care Record Guarantee for England
    • NHS Confidentiality Code of Conduct
    • Information Security Management – NHS Code of Practice
    • Records Management – Code of Practice for Health and Social Care 2016
    • Department of Health –
    • Information Commissioner's Office –
    • Care Quality Commission –
    • NHS England – our doctors are regulated and governed by professional bodies including numerous royal colleges and the London Deanery.


    What Information will be collected and how will it be collected?

    The information collected about you would include, but is not restricted to: personal details, past and current medical history, results of x-rays and blood tests, and information from people who previously treated and cared for you, such as health professionals and relatives.

    Sensitive information (also known as Special Category data), such as race, beliefs, whether you have a disability, health issues, allergies and so on, will also be collected. This gives us a better picture, so that the staff directly treating you can deliver and provide appropriate treatment and care plans to care for you effectively.

    Information will be collected via registration forms and when your medical records are received from your previous GP.


    How will we use your information?

    Everyone working under Higham Hill Medical Centre has a Common Law Duty of Confidentiality and a duty under the Data Protection Act (the General Data Protection Regulation (GDPR), which includes the Data Protection Act 2018) to make sure information is secure, as per Article 32 of the GDPR. Information that you provide us will only be used for the purposes you consented to; we will inform you how it is used and allow you to decide if and how your information can be shared.

    • We may ask for and hold personal confidential information about you, which would be used for direct patient care as per Articles 6(1)(e) and 9(2)(h) of the GDPR: for example, to improve your care, plan new services, develop new treatments and prevent diseases.
    • We recognise your rights under UK law collectively known as the “Common Law Duty of Confidentiality”. This is a law formed from past court cases decided by judges. The law is applied by reference to previous cases, so common law is based on precedent. The overall position is that if information is given in a situation where it is expected that a duty of confidence applies, then that information cannot be disclosed without the information provider’s consent.
    • This practice also contributes to medical research and may send relevant information to medical research databases, such as the Clinical Practice Research Datalink, when the law allows, under GDPR Article 9(2)(j), and when research is carried out in the public interest, under GDPR Article 6(1)(e).
    • In order to comply with its legal obligations, this practice contributes to national clinical audits and may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012, as per Articles 6(1)(c) and 9(2)(h) of the GDPR.


    How is Confidentiality maintained?

    Confidentiality is maintained through induction training for new staff and mandatory annual training for all our staff. We never leave confidential information lying around unattended; we always return it to a secure place after use. Your electronic records are kept in a password-protected system. Also, your records are never taken off the premises. If an access request is made for your records, we will confirm your ID and your consent.


    Categories of Recipients of the Processed Data

    The practice discloses personal data to the following categories of recipients:

    • NHS Trusts/Foundation Trusts
    • GPs
    • NHS Commissioning Support Units
    • Independent contractors, such as pharmacists and opticians
    • Private Sector Providers
    • Voluntary Sector Providers
    • Ambulance Services
    • Clinical Commissioning Groups
    • Social Care Services
    • Education Services
    • Fire and Rescue Services
    • Police and Judicial Services
    • Third party service providers, such as IT system management, information security and payroll providers.


    Processors of personal data

    In order to deliver the best possible service, the practice contracts Processors to process personal data, including patient data, on our behalf.


    When we use a Processor to process personal data we will always have an appropriate legal agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions, and that they are operating appropriately. Examples of functions that may be carried out by a Processor include:

    • Companies that provide IT services & support, including our core clinical systems; systems which manage patient-facing services (such as our website and the services accessible through it); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; and document management services.
    • Delivery services (for example, if we were to arrange for delivery of any medicines to you).
    • Payment providers (if, for example, you were paying for a prescription or a service such as travel vaccinations).


    Dealing with requests regarding your confidential Information

    From time to time, we may receive requests from non-NHS organisations (including, though not restricted to: social services, the police, solicitors and private sector providers) asking us to share information about you. We will not disclose any health information to them without your explicit (written) consent (via a handwritten letter given to the practice or via the non-NHS organisation). However, there are exceptional circumstances where disclosure of confidential information is lawful (Articles 6(1)(c) and 9(2)(h) of the GDPR), which are:

    • Where the disclosure is in the public interest; and
    • Where the law requires the disclosure of information, such as a court order.

    In these two circumstances, where it is not practical to obtain your explicit (written) consent, we are informing you through this notice, which is referred to as a Privacy Notice, under the Data Protection Act.


    Risk Stratification

    This practice performs computerised searches of all your records to identify patients who may be at an increased risk of certain conditions and diagnoses and who need hospital or other healthcare services, e.g. therapists or specialists. Information is collected from this practice and other NHS/non-NHS organisations to help provide appropriate advice, investigations, treatment, therapies and care.


    Invoice Validation

    This is an important process because it involves using your NHS Number to check with the CCG, who is responsible for paying for your treatment, and to check whether your care has been funded through specialist commissioning, which NHS England would pay for.


    Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes. This process makes sure that the organisations providing your care are paid correctly.


    Your rights to withdraw consent for us to share your information

    You have the right to refuse/withdraw your consent to sharing information at any time. This right applies unless the staff can demonstrate compelling, legitimate grounds for processing your information.


    Your right to access your medical record

    You have the right to view your medical record free of charge. You also have the right to have inaccurate information corrected, in which case a note would be written/typed in the record to explain what needs to be corrected. Please enquire at reception for more information.


    How long information is retained

    Your records will be retained in line with the Record Management NHS Code of Practice for Health and Social Care. For more information, please use the link:


    Other Privacy Notices

    We will have privacy notices made available on our pamphlet and websites: NHS Choices and


    If you have a Question, and your Right to make a Complaint

    We encourage people to bring their concerns and/or questions to our attention and we take them seriously. You can submit your complaint on our website or write to the address shown above. We try our best to meet the high standards of collecting and using personal information to give you the best direct patient care.


    If you still remain dissatisfied with the practice’s decision following your complaint, you may wish to escalate to our Data Protection Officer, Ms Radha Muthuswamy,

    Higham Hill Medical Centre

    260 Higham Hill Road


    London, E17 5RQ


    You have the right to complain to the Information Commissioner if you are unhappy with the Data Protection Officer’s response.


    Information Commissioner's Office

    Wycliffe House

    Water Lane

    Wilmslow, Cheshire SK9 5AF


    Their website is


    The information commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to the practice.


    Changes to the Privacy Notice

    This Privacy Notice will be reviewed and updated monthly to ensure it is compliant with the GDPR.
