How we use your information

Our GP practice has a legal duty to explain how we use any personal information we collect about you as a registered patient at the practice.  This document, therefore, outlines how that information is used, with whom we may share that information, how we keep it secure (confidential) and what your rights are in relation to this.

Employees at this practice maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP surgery, community clinics or staff etc.).  These records help to provide you with the best possible healthcare.  The records may be electronic, on paper, or a mixture of both  and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.

What kind of information do we collect about you?

  • Details about you, such as address and next of kin and carer information, etc.
  • Any contact the surgery has had with you such as appointments, clinic visits, emergency appointments etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays, etc.
  • Relevant information from other HCPs, relatives or those who care for you

How we will use your information

Your data is collected for the purpose of providing you with direct patient care.  We can, however, disclose this information if it is required by law, if you give consent, or if it is justified in the public interest e.g. to help protect the health of the public.

Some of this information will be held centrally and used for statistical purposes.  Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes – however, the practice will always endeavour to gain your consent before sharing your information.

In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.  Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows.  This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.

Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(10(e) and 9(2)(h) of the General Data Protection Regulation (GDPR).

How do we maintain confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the EU General Data Protection Regulation (GDPR) 2018 (which is overseen by the Information Commissioner’s Office), Data Protection At 1998, Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security.

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.  Anyone who received information from an NHS organisation has a legal duty to keep it confidential.

We maintain our duty of confidentiality to you at all times.  We will only ever use or pass on information about you if others involved in your care have a genuine need for it.  We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g. life or death situations) or where the law requires information to be passed on.

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All practice staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where information that could or does identify a person is processed.

We have a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for the practice is Dr Alice Walling.  We also have a Senior Information Risk Owner (SIRO) who is responsible for owning the practice’s information risk. The SIRO is Gillian Bevan, General Manager.

We are registered with the Information Commissioner’s Office (ICO) as a data controller which describes the purposes for which we process personal data. A copy of the registration is available from the ICO’s web site by searching on our practice name.

Accessing your records

You have a right to access/view the information we hold about you.  If we do hold information about you we will:

– give you a description of it
– tell you why we are holding it
– tell you who it could be disclosed to, and
– let you have a copy of the information in an intelligible form

If you would like to access this information, you will need to complete a Subject Access Request (SAR).  Our Subject Access Request Form can be downloaded below:

Claypath Patient Subject Access Request Form.doc

Furthermore, should you identify any inaccuracies you have a right to have the inaccurate data corrected.

Risk Stratification

Risk stratification tools are increasingly being used in the NHS to help determine a person’s risks of suffering from a particular condition, preventing an unplanned or (re)admission and identifying a need for preventative intervention.  Information about you is collected from a number of sources including NHS Trusts and from this general practice.   A risk score is then arrived at through an analysis of your anonymised information using software managed by the North of England Commissioning Support Service (NECS). The risk score is relayed back to your GP who can then decided on any necessary actions to ensure that you receive the most appropriate care.

Invoice validation

If you have received treatment within the NHS, access to your personal information is required in order to determine which Clinical Commissioning Group (CCG) should pay for the treatment or procedure you have received. The validation of invoices is undertaken within a controlled environment for finance within the North of England Commissioning Support Service (NECS). This is carried out via a section 251 agreement and is undertaken to ensure that the CCG is paying for treatments relating to its patients only. The dedicated NECS team receives patient level information (minimal identifiers are used for this purpose, such as NHS number, post code, date of birth) direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by the CCG. The CCG does not receive or see any patient level information relating to these invoices. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.


In some instances, you are allowed to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. To support this patients are able to register objections with the GP Practice to either prevent their identifiable data being released outside of the GP Practice (known as a Type 1 objection) or to prevent their identifiable data from any health and social care setting being released by NHS Digital (known as a Type 2 objection) where in either case it is for purposes other than direct patient care. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision. There are certain circumstances where a person is unable to opt out but these are only where the law permits this such as in adult or children’s safeguarding situations.

You have a right in law to refuse or withdraw previously granted consent to the use of your personal information. There are possible consequences of not sharing such as the effect this may have on your care and treatment but these will be explained to you to help with making your decision.

If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact a member of staff.

Retention Period

All records held by the practice will be kept for the duration specified by national guidance from the Department of Health, The Records Management Code of Practice for Health and Social Care 2016. Confidential information is securely destroyed in accordance with this code of practice.

What to do if you have any questions

The practice acts as a controller and processor of data for the purposes of General Data Protection Regulation (GDPR).

If you have any concerns as to how your data is processed you should in the first instance contact Gillian Bevan, General Manager, who is the practice’s nominated Data Controller.  You can do this via e-mail (  or in writing to the following practice address: Claypath Medical Centre, 26 Gilesgate, Durham DH1  1QW.

The Data Protection Officer for the practice for the purposes of GDPR is:

Liane Cotterill (e-mail:
Senior Governance Manager & Data Protection Officer
North of England Commissioning Support, Teesdale House,
Westpoint Road, Thornaby, Stockton on Tees       TS17  6BL


In the unlikely event that you are unhappy with any element of our data processing methods, you have the right to lodge a complaint with the Information Commissioner’s Office.  For further details, visit and select “Raising a concern”.

Changes to our Policy

We regularly review our Patient Privacy Policy and any updates will be published on our website, in our newsletter and on posters to reflect the change.   This policy is to be reviewed:  May, 2019