
Practice privacy notice


My Specialist GP has a legal duty to explain to you, as a registered patient, how we use any personal information we collect about you at the organisation. We collect records about your health and the treatment you receive in electronic format.


Why do we have to provide this privacy notice?


We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer [Cathy Stewart at].


The main things the law says we must tell you about what we do with your personal data are:

  • We must let you know why we collect personal and healthcare information about you

  • We must let you know how we use any personal and/or healthcare information we hold about you

  • We need to inform you in respect of what we do with it

  • We need to tell you about who we share it with or pass it on to and why

  • We need to let you know how long we can keep it for


What is a privacy notice?


A privacy notice (or ‘fair processing notice’) explains the information we collect about our patients and how it is used. Being open and providing clear information to patients about how an organisation uses their personal data is an essential requirement of the new UK General Data Protection Regulation (UK GDPR).


Under the UK GDPR, we must process personal data in a fair and lawful manner. This applies to everything that is done with a patient’s personal information. This means that the organisation must:

  • Have lawful and appropriate reasons for the use or collection of personal data

  • Not use the data in a way that may cause harm to the individuals (e.g., improper sharing of their information with third parties)

  • Be open about how the data will be used and provide appropriate privacy notices when collecting personal data

  • Handle personal data in line with the appropriate legislation and guidance 

  • Not use the collected data inappropriately or unlawfully 


What is fair processing?


Personal data must be processed in a fair manner – the UK GDPR says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair processing means that the organisation has to be clear and open with people about how their information is used.


This organisation manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and Social Care (DHSC) and the General Medical Council (GMC).


We are committed to protecting your privacy and will only use information collected lawfully in accordance with:



This means ensuring that your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way. 


The Health and Social Care Act 2012 changed the way that personal confidential data is processed so it is important that our patients are aware of and understand these changes and that you have an opportunity to object and know how to do so.


The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received. These records help to provide you with the best possible healthcare.


My Specialist GP health records are processed electronically, and we use technology to ensure that your information is kept confidential and secure.


Who is the data controller?


This organisation is registered as a data controller under the Data Protection Act 2018. Our registration number is ZA459769 and our registration can be viewed online in the public register at This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately when you are seen by us as a patient.


We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.


What type of information do we collect about you?


Information held by this organisation may include the following:


  • Your contact details (such as your name, address and email address)

  • Details and contact numbers of your next of kin

  • Your age range, gender, ethnicity

  • Details in relation to your medical history

  • The reason for your visit to the organisation

  • Any contact the organisation and/or your practice has had with you including appointments (emergency or scheduled), clinic visits, etc.

  • Notes and reports about your health, details of diagnosis and consultations with our GPs and other health professionals within the healthcare environment involved in your direct healthcare

  • Details about the treatment and care received

  • Results of investigations such as laboratory tests, x-rays, etc.

  • Relevant information from other health professionals, relatives or those who care for you


Information collected about you from others


We collect and hold data for the purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:


  • It is required by law

  • You provide your consent – either implicitly for the sake of your own care or explicitly for other purposes

  • It is justified to be in the public interest


Information may be used for clinical audit purposes to monitor the quality of services provided, may be held centrally and may be used for statistical purposes. Where we do this, we ensure that patient records cannot be identified.


The legal justification for collecting and using your information


The law says we need a legal basis to handle your personal and healthcare information.


How do we use your information?


Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest. 


In order to comply with its legal obligations, this organisation may have to send data to NHS England when directed by the Secretary of State for Health under the Health and Social Care Act 2012.


Under the UK General Data Protection Regulation, we will be lawfully using your information in accordance with: 


  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller


  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems


Who can we provide your personal information to and why?


As explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.


We may pass your personal information on to the following people or organisations because these organisations may require your information to assist them in the provision of your direct healthcare needs. It therefore may be important for them to be able to access your information in order to ensure they may deliver their services to you:


  • Hospital professionals (such as doctors, consultants, nurses etc.)

  • Other GPs/doctors

  • Primary Care Networks

  • NHS Trusts/Foundation Trusts/Specialist Trusts

  • NHS England (NHSE) 

  • Independent contractors such as dentists, opticians, pharmacists

  • Any other person who is involved in providing services related to your general healthcare including mental health professionals

  • Private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc.

  • Local authority

  • Social care services


You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.


Who may we provide your information to:


  • For the purposes of complying with the law, e.g., the police or court order


  • Anyone you have given your consent to, to view or receive your record, or part of your record. If you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed


  • Computer systems – we operate a clinical computer system on which staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication.

Your rights as a patient


The law gives you certain rights to your personal and healthcare information that we hold as set out below:


How long do we keep your personal information?


We are required under UK law to keep your information and data for the full retention periods as specified by the NHSE Records Management Code of Practice 2023.


Where do we store your information electronically?


All the personal data we process is processed by our staff in the UK via a secure cloud-based system.


No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a data processor as above. We have data protection processes in place to oversee the effective and secure processing of your personal and/or special category data.


This organisation uses a clinical system provided by a data processor called Meddbase. 


Data does remain in the UK and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. 


Maintaining your confidentiality and accessing your records


We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulation (which is overseen by the Information Commissioner’s Office), the Human Rights Act and the Common Law Duty of Confidentiality. Every staff member who works at My Specialist GP has a legal obligation to maintain the confidentiality of patient information.


All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. 


We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations), where the law requires information to be passed on, and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share), which states that “The duty to share information can be as important as the duty to protect patient confidentiality.”


This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.


Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected. 


In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the organisation in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.


Sharing your information without consent


We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example: 


  • Where there is a serious risk of harm or abuse to you or other people

  • Safeguarding matters and investigations

  • Where a serious crime, such as assault, is being investigated or where it could be prevented

  • Notification of new births

  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)

  • Where a formal court order has been issued

  • Where there is a legal requirement, for example if you had committed a road traffic offence.


Third party processors


To enable us to deliver the best possible services, 


Third parties mentioned on your medical record


Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them that may breach their rights to confidentiality are removed before we send any information to any other party including yourself. Third parties can include spouses, partners and other family members.


Anonymised information


Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual, and it cannot be traced back to you.




Auditing of clinical notes is done by this organisation as part of its commitment to the effective management of healthcare whilst acting as a data processor.


Article 9(2)(h) is applicable to the management of healthcare services and “permits processing necessary for the purposes of medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems or services.” No consent is required to audit clinical notes for this purpose.


Furthermore, compliance with Article 9(2)(h) requires that certain safeguards are met. The processing must be undertaken by or under the responsibility of a professional subject to the obligation of professional secrecy or by another person who is subject to an obligation of secrecy.


Auditing clinical management is no different to a multi-disciplinary team meeting discussion whereby management is reviewed and agreed. It would be realistically impossible, and unnecessary, to require consent for every patient reviewed. It is also prudent to audit under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation 17: Good Governance.


Computer System


This organisation operates a clinical computer system on which staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication.


Patient communication


As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details. 


We may contact you using email should we need to notify you about appointments and other services that we provide to you involving your direct care.




The organisation is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do. 


Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:


  • Article 6(1)(e) ‘…exercise of official authority…’.


For the processing of special categories data, the basis is: 


  • Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’


Safeguarding information such as referrals to safeguarding teams is retained by this organisation when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).


Shared care


To support your care and improve the sharing of relevant information with our partner organisations when they are involved in looking after you, we will share information with your NHS GP upon your explicit request.


Organisation website


Our website does use cookies to optimise your experience. Using this feature means that you have agreed to the use of cookies as required by the EU Data Protection Directive 95/46/EC. You have the option to decline the use of cookies on your first visit to the website. The only website this privacy notice applies to is this organisation’s website. 


If you use a link to any other website from the organisation’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.


What to do if you have any questions


Should you have any questions about our privacy policy or the information we hold about you, you can:


  1. Contact the organisation via email at

  GP practices are data controllers for the data they hold about their patients (for more information, refer to the BMA guidance on this subject)


  2. Write to the Data Protection Officer (DPO) Cathy Stewart


  3. Ask to speak to the Practice Manager Cathy Stewart or their deputy [Marieke Richardson]


Objections or complaints


If you are unhappy with any element of our data processing methods, contact the Practice Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). 


The ICO can be contacted on and select “Raising a concern” or telephone: 0303 123 1113.


The ICO is the regulator for data protection and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.


Changes to our privacy policy


We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes.
