UK General Data Protection Regulations (UKGDPR) Privacy Statement

This is the privacy notice of Lancaster Medical Practice.  In this document, “we”, “our”, or “us” refers to Lancaster Medical Practice, 8 Dalton Square, Lancaster, Lancashire, LA1 1PN. 

Lancaster Medical Practice aims to ensure the highest standard of medical care for our patients and we are committed to protecting and respecting your privacy.  To do this, we keep records about you, your health, and the care we provided or plan to provide to you.  

The United Kingdom General Data Protection Regulation (UKGDPR) is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK. The UKGDPR was drafted as a result of the UK leaving the EU, which resulted in the EU’s GDPR not applying domestically to the UK any longer. The UKGDPR sits alongside an amended version of the Data Protection Act (DPA) 2018.

The Caldicott Guardian/IG Lead is responsible for:

– Ensuring implementation of the Caldicott Principles and Data Security Standards with respect to Patient Confidential Data 

– Ensuring that the Practice processes satisfy the highest practical standards for handling patient information and provide advice and support to Practice staff as required 

– Ensuring that patient identifiable information is shared appropriately and in a secure manner. The Caldicott Guardian will liaise where there are reported incidents of person identifiable data loss or identified threats and vulnerabilities in Practice information systems to mitigate the risk. 

 The aim of the Caldicott Guardian is to ensure the organisation implements the Caldicott principles and data security standards; there is no need to appoint a Caldicott Guardian, but there is a need to have an Information Governance lead (sometimes referred to as a Caldicott lead) who, if they are not a clinician, will need support from a clinically qualified individual. 

The CQC regulates health and care services to ensure that safe care is provided. The law requires that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.  

Further information about the CQC can be found here.

Lancaster Medical Practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of UKGDPR. 

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement. We may also use your medical records to carry out research within the Practice.  

We share information with accredited medical research organisations with your explicit consent or when the law allows. 

More information about our research can be found here.

You have the right to raise any concerns about how your personal data is being processed by us with the Information Commissioner's Office (ICO) by visiting their website or calling 0303 123 1113.

In order to look after your health and care needs, health and social care bodies may share your confidential patient information contained in your Summary Care Record with clinical and non-clinical staff in other health and care organisations, for example hospitals, NHS 111 and out of hours organisations. These changes will improve the healthcare that you receive away from your usual GP practice. 

Further information regarding COVID-19 supplementary privacy notice from NHS UK.

The Data Controller, responsible for keeping your information secure and confidential, is Lancaster Medical Practice.

Data processors are responsible for the processing of personal data on behalf of the data controller. Processors must ensure that processing is lawful and that at least one of the following applies: 

– The data subject has given consent to the processing of his/her personal data for one or more specific purposes 

– Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract 

– Processing is necessary for compliance with a legal obligation to which the controller is subject 

– Processing is necessary in order to protect the vital interests of the data subject or another natural person 

– Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller 

– Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child 

At our Practice all staff are classed as data processors as their individual roles will require them to access and process personal data. 

We may use the services of an external data processor to assist us with some of our data processing, but this is done under a contract with direct instruction from us that controls how they will handle patient information and ensures they treat any information in line with the UK General Data Protection Regulation, confidentiality, privacy law, and any other laws that apply. 

The Data Protection Officer is responsible for ensuring the Practice remains compliant at all times with Data Protection, Privacy & Electronic Communications Regulations, Freedom of Information Act and the Environmental Information Regulations. The Data Protection Officer shall: 

– Lead on the provision of expert advice to the Practice on all matters concerning the Data Protection Act, compliance, best practice and setting and maintaining standards 

– Inform and advise the organisation and its employees of their data protection obligations under the UKGDPR 

– Monitor the organisation’s compliance with the UKGDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training of staff involved in processing operations and related audits 

– Advise on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and outcomes 

– Serve as the contact point to the data protection authorities for all data protection issues, including data breach reporting. 

If you have any questions about our privacy notice, the personal information we hold about you, or our use of your personal information then please contact our Data Protection Officer via post at: 

Data Protection Officer 

Lancaster Medical Practice,  

8 Dalton Square,  

Lancaster,  

LA1 1PN 

The Data Protection Officer (DPO) for Lancaster Medical Practice is Mrs Kayleigh Harrison.  

We manage patient records in line with the Records Management NHS Code of Practice for Health and Social Care, which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. This is based on current legal requirements and professional best practice. If you transfer to another GP and we are asked to transfer your records we will do this to ensure your care is continued. Currently the NHS is required to keep GP records for 10 years after a patient has died. Exceptions to these rules are detailed in the code of practice.

Our Practice is legally required to provide anonymised data on patients who have been issued with a fit note under the Fit for Work scheme. The purpose is to provide the Department for Work and Pensions with information from Fit Notes to improve the monitoring of public health and commissioning and quality of health services. 

The DWP performs a weekly anonymous extract of fit note usage data for collection, storage, transmission and publication by NHS Digital. As data controllers, we will make you aware of the data collection and ask you about your consent preferences. This could be: 

– In person when you come in for a fit note. 

– On our practice website. 

– On our practice notice board. 

If you do not consent to secondary use of GP patient identifiable data, we will code it on your care record. If you don’t actively express dissent, implied consent is assumed. 

To comply with the Department of Health’s patient objection policy, data about patients who have dissented from secondary use of their data will not be included in the extract. 

Electronic submission of non-identifiable patient data to the DWP will only be sent if you have not opted out.  

What data is included in the extract? 

The data extracted is completely anonymous to protect patient privacy and consists of: 

– How many eMED3 fit notes are issued. 

– How many patients are recorded as ‘unfit’ or ‘maybe fit’ for work. 

– Fit note duration. 

– Gender. 

– Health condition type aggregated to a high level diagnosis code, for example, paranoid schizophrenia would be classed as a Mental Disorder. 

– Location, including CCG areas. 

– Whether workplace adaptations were recommended. 

Lancashire and South Cumbria has been chosen by NHS England to be a national pilot for the digitisation of Medical Records.  Scanning these paper based records and making them digital will enable better utilisation of space, creating more clinical space, staff areas, multi team space and video hubs, removing the need for some practices to build extensions. In addition it will also make your record more easily and speedily accessible to clinical staff within your practice.  

Your complete GP medical record will be digital and stored in a secure cloud based clinical system (only accessible by your GP practice) with the paper based records being securely destroyed following BS EN 15713:2009 Secure destruction of confidential material.  Your GP will still be able to access your records easily within this system. The scanning and destruction of the paper records will follow strict data protection guidelines adhered to by the NHS.  As with paper based records, digital records are stored for the durations specified in the Records Management Codes of Practice for Health and Social Care. For GP patient records, this states that they may be destroyed 10 years after the patient’s death if they are no longer needed. 

If you wish to discuss the scheme, please inform the Practice directly, either by letter or by e-mail at [email protected].

Lancaster Medical Practice is committed to protecting your personal information.  In the fight against this global pandemic we are currently working with all of our partners in Health and Social Care to ensure information is shared with the right people at the right time to ensure you receive the best possible care.  

Data Protection rules will not hinder the sharing of personal information during these unprecedented times and we will continue to process information in accordance with national law and UKGDPR.  

The processing of personal information relating to this is necessary for reasons of planning and providing health and social care to both individual data subjects and is in the substantial public interest in the area of public health and specifically to support the control of an epidemic.  For more detailed information regarding the lawful basis to undertake these activities please see the links below:  

– Public Task Art 6 (1e)

– Provision of Health and Social Care / Management of Health Care Systems Art 9(2h)

– Public Interest / Public Health Art 9(2j)

– Vital Interests of a Data Subject Art 9(2c)

– Monitoring Epidemics Recital 46

At Lancaster Medical Practice we are continually trying to optimise the care of our patients. Sometimes we need to discuss a patient’s care in a Multidisciplinary Team Meeting (MDT). An MDT is a collection of health and social care professionals who meet on a regular basis in order to discuss how to best manage a patient’s care. We would normally discuss patients in very specific circumstances: 

– Frail and / or complex patients with long term conditions

– Patients presenting in multiple settings and / or attending health care settings frequently

– Patients who are struggling to manage their health

– Patients who are struggling to cope at home

We do not routinely contact patients before we discuss them in an MDT but we will contact a patient if they have been discussed in an MDT and they require extra care and / or support. We will only discuss information that is relevant to ongoing care and all members of the MDT are bound by the NHS code of practice on confidentiality. If you wish, you may opt out of the MDT process by contacting the practice. Please do contact us if you require any more information regarding MDTs at Lancaster Medical Practice.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected in a patient record for that service. Collecting this confidential patient information helps to ensure you get the best possible care and treatment. 

The confidential patient information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, where allowed by law. 

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you choose to opt out, your confidential patient information will still be used to support your individual care. 

We do not share your confidential patient information for purposes beyond your individual care without your permission. When sharing data for planning and reporting purposes, we use anonymised data so that you cannot be identified in which case your confidential patient information isn’t required. 

Information being used or shared for purposes beyond individual care does not include your confidential patient information being shared with insurance companies or used for marketing purposes and information would only be used in this way with your specific agreement. 

Health and care organisations that process confidential patient information must put systems and processes in place so they can be compliant with the national data opt-out. They must respect and apply your opt-out preference if they want to use or share your confidential patient information for purposes beyond your individual care.  

Lancaster Medical Practice are currently compliant with the national data opt-out policy as we do not share your confidential patient information for purposes beyond your individual care without your permission.

To find out more or to register your choice to opt out, please visit NHS: Your Data Matters. You can change your choice at any time.

The NHS provides several national health screening programs to detect diseases or conditions earlier, such as cervical and breast cancer, aortic aneurysm and diabetes. The information is shared so as to ensure only those who should be called for screening are called and/or those at highest risk are prioritised. Further information about the screening programmes can be found here.

The NHS App is a nationally run service that allows individuals to access a range of services within the Practice and beyond. NHS England and NHS Digital are joint data controllers of the NHS App and any personal data that is necessary for accessing the App. The data controller or processor of your personal data within a service accessed via the App will depend on the organisation accessed. Please see the NHS App privacy notice for further information.

NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.

Our legal basis for sharing data with NHS Digital 

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the UK General Data Protection Regulation (UKGDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under UKGDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction. 

The type of personal data we are sharing with NHS Digital 

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of: 

– diagnoses and findings 

– medications and other prescribed items 

– investigations, tests and results 

– treatments and outcomes

– vaccinations and immunisations

How NHS Digital will use and share your data 

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative. 

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations). 

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.  

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

National Data Opt-Out 

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information. 

Your rights over your personal data 

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see: 

– the NHS Digital GPES Data for Pandemic Planning and Research (COVID-19) Transparency Notice

– the NHS Digital Coronavirus (COVID-19) Response Transparency Notice

– the NHS Digital General Transparency Notice

– how NHS Digital looks after your health and care information

To help the NHS during the COVID-19 outbreak, NHS Digital are improving the access that doctors, nurses, and healthcare professionals have to medical records and information, so that they can more safely treat and advise patients who are not in their usual GP practice, who call 111 or are seen in hospitals and other healthcare settings. 

You can read more about GP Connect here.

We have engaged Patchs as our supplier, which is approved to NHS England technical standards and has gone through stringent scrutiny and achieved all necessary requirements to provide Online Consultations. NHS England, on behalf of your GP, contracts with the supplier and acts as a Joint Controller with your GP for this system.  

However, NHS England will not receive any of your personal information, so Lancaster Medical Practice as your GP remains responsible for your data and will ensure that any data you provide to use this service is used for the online consultation purposes only.  

The name of the organisation we have engaged to provide this service is Patchs, who will act as a Processor of your personal data under UKGDPR.  

Full details about how Patchs will process your personal information can be found in their privacy notice here.

Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. The amount paid per patient per quarter varies according to the age, sex and other demographic details of each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs, and practices may also receive income relating to a variety of non patient related elements such as premises. Finally, there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves, as well as research.

In order to make patient based payments, basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws – NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers to CCGs and the GMS regulations 2004 (73)1).

Processing of prescriptions 

We process prescription requests on a daily basis. This involves our staff accessing information held about you on our computer database, to produce prescription(s) that you, your carer, nominated person, or Pharmacy has requested. Prescriptions can be requested using various methods: by telephone, online via our computer system, Electronic prescriptions, by post, or in person. Please refer to our Prescription Procedure for further information. If using the postal service always allow extra time so you do not run out of your medication. 

Collection/uplift of prescriptions 

We will always ask for your details when a prescription uplift request is received; this could be your name, date of birth and address, medication you requested, or Community Health Index Number (which uniquely identifies you). This ensures that we can produce your prescription(s) efficiently, and reduces the risk of an incorrect prescription being given to you or your nominated person/carer/Pharmacy. 

Please allow the allotted time before uplifting your prescription. Prescriptions can be collected/sent via the following methods: 

– In person 

– Via your nominated choice of person/organisation, this could be your carer, pharmacy, family member or friend (please be aware if you are not uplifting your own prescription we may ask for proof of identification from that person before we issue your Prescription, and we may also require a signature for our own records) 

– Post – if using the postal service, please always allow extra time when ordering your medication, as we cannot guarantee postal delivery schedules 

– Home delivery service – some Pharmacies may deliver your prescription directly to your home; please check with your local Pharmacist to see if they can provide this service for you. 

The basis on which we process information about you 

The Law requires us to determine under which of six defined bases we process different categories of your personal information, and to notify you of the basis for each category. If a basis on which we process your personal information is no longer relevant then we shall immediately stop processing your data. If the basis changes then, if required by Law, we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information. 

Lawful basis for processing 

The legal basis will be 

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” 

And 

Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards ” 

Information we process because we have a contractual obligation with you 

When you join our Practice, receive medical services from us, or otherwise agree to our terms and conditions, a contract is formed between you and us. In order to carry out our obligations under that contract we must process the information you give us. Some of this information may be personal information. 

We may use it in order to: 

– verify your identity for security purposes 

– provide you with our services 

– provide you with suggestions and advice and how to obtain the most from using our website 

We process this information on the basis there is a contract between us, or that you have requested we use the information before we enter into a legal contract. Additionally, we may aggregate this information in a general way and use it to provide class information, for example to monitor our performance with respect to a particular service we provide. If we use it for this purpose, you as an individual will not be personally identifiable. 

We shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract. 

Why do we collect this information? 

The NHS Act 2006 and the Health and Social Care Act 2012 invest statutory functions in GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:

– Protect your vital interests; 

– Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;  

– Perform tasks in the public’s interest; 

– Deliver preventative medicine, medical diagnosis, medical research; and 

– Manage the health and social care system and services. 

About the personal information we use 

We use personal information on different groups of individuals including:   

– Patients  

– Staff 

– Contractors 

– Suppliers

– Complainants, enquirers 

– Survey respondents 

– Professional experts and consultants 

The personal information we use includes information that identifies you like your name, address, date of birth and postcode.  We also use more sensitive types of personal information, including information about racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic and biometric data, health; sex life or sexual orientation.  The information we use can relate to personal and family details; education, training and employment details; financial details; lifestyle and social circumstances; goods and services; visual images; details held in the patient record; responses to surveys. 

Information we process with your consent 

Through certain actions when otherwise there is no contractual relationship between us, such as when you browse our website or ask us to provide you with more information about our business, including job opportunities and our services, you provide your consent to us to process information that may be personal information. 

Wherever possible, we aim to obtain your explicit consent to process this information, for example, by asking you to agree to our use of cookies. 

Sometimes you might give your consent implicitly, such as when you send us a message by e-mail to which you would reasonably expect us to reply. 

Except where you have consented to our use of your information for a specific purpose, we do not use your information in any way that would identify you personally. We may aggregate it in a general way and use it to provide class information, for example to monitor the performance of a particular page on our website. 

We continue to process your information on this basis until you withdraw your consent or it can be reasonably assumed that your consent no longer exists. 

You may withdraw your consent at any time by instructing us in writing. However, if you do so, you may not be able to use our website or our services further. 

Information we process for the purposes of legitimate interests 

We may process information on the basis there is a legitimate interest, either to you or to us, of doing so. 

Where we process your information on this basis, we do so after having given careful consideration to:

– whether the same objective could be achieved through other means 

– whether processing (or not processing) might cause you harm 

– whether you would expect us to process your data, and whether you would consider it reasonable to do so 

For example, we may process your data on this basis for the purposes of: 

– record-keeping for the proper and necessary administration of our business or profession 

– responding to unsolicited communication from you to which we believe you would expect a response 

– protecting and asserting the legal rights of any party 

– insuring against or obtaining professional advice that is required to manage business or professional risk 

– protecting your interests where we believe we have a duty to do so 

Information we process because we have a legal obligation 

We are subject to the law like everyone else. Sometimes, we must process your information in order to comply with a statutory obligation.

For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order. 

This may include your personal information. 

Information we process may be categorised as special category data 

Special category data is personal data which the UKGDPR says is more sensitive, and so needs more protection. For example, information about an individual’s: 

– race 

– ethnic origin 

– health 

– sex life or 

– sexual orientation 

We may process this information for the purposes of medical diagnosis, provision of health treatment and management of the health of our patients and the community we serve. 

Specific uses of information you provide to us 

Healthcare Professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records are used to help to provide you with the best possible healthcare. 

NHS healthcare records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records we hold about you may include the following information; 

– Details about you, such as your name, address, carers, legal representatives and emergency contact details 

– Any contact the Surgery has had with you, such as appointments, clinic visits, emergency appointments, etc. 

– Notes and reports about your health 

– Details about your treatment and care 

– Results of investigations such as laboratory tests, x-rays, etc. 

– Relevant information from other Healthcare Professionals, relatives or those who care for you 

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within our GP Practice for clinical audit to monitor the quality of the service provided. Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. 

Sometimes your information may be requested to be used for research purposes – the Surgery will always gain your consent before releasing the information for this purpose. 

Who else may ask to access your information 

– The Court can insist that we disclose medical records to them 

– Solicitors often ask for medical reports. These will always be accompanied by your signed consent for us to disclose information. We will not normally release details about other people that are contained in your records (e.g. wife, children, parents etc.) unless we also have their consent

– Social Services – The Benefits Agency and others may require medical reports on you from time to time. These will often be accompanied by your signed consent to disclose information. Failure to cooperate with these agencies can lead to loss of benefit or other support. However, if we have not received your signed consent we will not normally disclose information about you 

– Insurance Companies frequently ask for medical reports on prospective clients. These are always accompanied by your signed Consent Form. We will only disclose the relevant medical information as per your consent. You have the right, should you request it, to see reports prepared for Insurance Companies or employers before they are sent. We may contact you on receipt of a third party request to discuss your consent and clarify what will be shared 

– If you have any questions about the above points please contact the Practice. 

Access to your own information 

– Confirmation that your personal information is being held or used by us 

– Access to your personal information 

– Additional information about how we use your personal information 

Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.  

If you would like to access your personal information, you can do this by submitting a written request to the Practice at the address shown at the top of this page. 

Once we have received your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However, if your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.

Rights to object 

You have the right under Article 21 of the UKGDPR to object to your personal information being processed. Please contact the Practice if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance. 

GP Practices process personal data under Article 6(1)(c) on a lawful and legitimate basis where the organisation is obliged under law to comply with: 

– The UK General Data Protection Regulation (UKGDPR) 

– The Freedom of Information Act 

– The NHS Constitution 

– The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009 

By complying with these laws, the Practice has compelling legitimate grounds for the processing which override the interests, rights and freedoms in the right to object. 

The right to rectification  

If the personal information we hold about you is inaccurate or incomplete you have the right to have this corrected. 

If it is agreed that your personal information is inaccurate or incomplete we will aim to amend your records accordingly, normally within one month, or within two months where the request is complex. However, we will contact you as quickly as possible to explain this further if the need to extend our timescales applies to your request. Unless there is a risk to patient safety, we can restrict access to your records to ensure that the inaccurate or incomplete information is not used until amended. 

If for any reason we have shared your information with anyone else, such as for a referral to another service, we will notify them of the changes required to ensure their records are accurate.   

If on consideration of your request we do not consider the personal information to be inaccurate then we will add a comment to your record stating your concerns about the information. If this is the case we will contact you within one month to explain our reasons for this. 

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever. 

This will necessarily mean the subject’s personal and health information being shared with the Public Health organisations.

Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659), the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657), the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658), Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002.

‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops. 

Information about you is collected from a number of sources including NHS Trusts, GP Federations and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information. This can help us identify and offer you additional services to improve your health. Risk-stratification data may also be used to improve local services and commission new services, where there is an identified need. In this area, risk stratification may be commissioned by the NHS Integrated Care Board (ICB). Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for risk stratification purposes.

Further information about risk stratification.

If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

The partners of Lancaster Medical Practice are also the shareholders of Lancaster Medical Group Limited, which incorporates Rosebank Pharmacy, Highland Brow, Galgate, LA2 0NB. 

The Pharmacy and Practice therefore work closely together to ensure the best care for Patients and, as such, the Pharmacy Team may, on occasion, access your GP record.

The Pharmacy Team are bound by the Rosebank Pharmacy, Lancaster Medical Practice and NHS Confidentiality Agreements and will only access your record where there is a genuine need to do so.

The primary purpose of accessing your record would be to answer queries around the issue of repeat medication or to perform a medication review.

The basic data accessed would be current medication, allergies and details of any previous bad reactions to medicines, the name, address, date of birth and NHS number of the patient.

The Practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied, with the wellbeing of all at the heart of what we do.

Our legal basis for processing for the UK General Data Protection Regulation (UKGDPR) purposes is: – 

Article 6(1)(e) ‘…exercise of official authority…’.  

For the processing of special categories data, the basis is: – 

Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’ 

How will we share your personal information? 

We work with a number of other NHS and Partner agencies to provide healthcare services to you.  Below is a list of organisations that we may share your information with: 

– Other NHS hospitals 

– Relevant GP Practices 

– Dentists, opticians and pharmacists 

– Private Sector Providers (private hospitals, care/nursing homes, hospices, contractors providing services to the NHS) 

– Voluntary Sector Providers who are directly involved in your care 

– Ambulance Trusts 

– Specialist Trusts 

– NHS Digital (formerly The Health & Social Care Information Centre)

– ICBs 

– NHS 111 

– Out of hours medical services/centres

– NHS England 

– Local Authorities 

– Other ‘data processors’ which you will be informed of 

We may also share your information, with your consent, and subject to strict sharing protocols about how it will be used, with: 

– Local authority departments, including social care and health (formerly social services), education and housing and public health 

– Police and fire services. 

Who else may ask to access your information? 

– The law courts can insist that we disclose medical records to them. 

Solicitors often ask for medical reports.  These will always be accompanied by your signed consent for us to disclose information.  We will not normally release details about other people that are contained in your records (e.g., wife, children, parent etc.) unless we also have their consent 

Life Insurance Companies frequently ask for medical reports on prospective clients.  These are always accompanied by your signed consent form.  We must disclose all relevant medical conditions unless you ask us not to do so.  In that case, we would have to inform the insurance company that you have instructed us not to make a full disclosure to them.   

You have the right, should you request it, to see reports to insurance companies or employers before they are sent. 

Any medical or health related personal information will be treated with confidence in line with the common law duty of confidentiality and the Confidentiality NHS Code of Practice.  

We may be required to share information with organisations to comply with our legal and regulatory obligations. This may include: 

Public Health England: The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to the local health protection team or Public Health England. Further information on Public Health England can be found here.

We will not share your information with organisations other than health and social care providers without your consent unless the law allows or requires us to. 

Social Prescribing enables GPs, nurses and other primary care professionals to refer people to a range of local, non-clinical services. NHS England describes social prescribing as “enabling all local agencies to refer people to a link worker”. Link workers – known locally as Community Connectors – give people time, and focus on what matters to the person. They connect people to community groups and agencies for practical and emotional support. If you have an appointment with a Community Connector, only limited information would be passed on. There are agreements in place to protect your data. 

The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable. 

Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information can also include reason for medication, vaccinations, significant diagnoses / problems, significant procedures, anticipatory care information and end of life care information. Additional information can only be added to your SCR with your agreement. 

Please be aware that if you choose to opt-out of SCR, NHS Healthcare Staff caring for you outside of this Surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency. Your records will stay as they are now with information being shared by letter, email, fax or phone. 

You have the option to opt out of the Summary Care Record. If you wish to do this, please contact the surgery and we will update your record accordingly.

If you have provided your mobile telephone number or email address, we may use this to send automatic appointment reminders, requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit. 

If you do not wish to receive these messages, please let the reception team know. 

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality are removed before we send any information to any other party, including yourself. Third parties can include: spouses, partners, and other family members.

You have a right to: 

– ask for a copy of the information we hold about you 

– correct inaccuracies in the information we hold about you 

– withdraw any consent you have given to the use of your information 

– complain to the relevant supervisory authority in any jurisdiction about our use of your information 

In some circumstances: 

– ask us to erase information we hold about you 

– request a copy of your personal data in an electronic format and require us to provide this information to a third party 

– ask us to restrict the use of information we hold about you; and 

– object to the use of information we hold about you.  

 You can exercise these rights by contacting us as detailed below.  

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation.  These records help to provide you with the best possible healthcare and help us to protect your safety. 

We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form. The records will include both personal and special categories of data about your health and wellbeing. 

 We may collect the following types of personal information: 

– Your name, address, email address, telephone number and other contact information 

– Gender, NHS Number and date of birth and sexual orientation 

– Details of family members and next of kin details 

– Health (Medical) information, including information relating to your sex life 

– Details of any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls. 

– Results of investigations such as laboratory tests or x-rays 

– Biometric data 

– Genetic information  

We may use your personal information in the following ways: 

– To help us assess your needs and identify and provide you with the health and social care that you require 

– To determine the best location to provide the care you require 

– To comply with our legal and regulatory obligations   

– To help us monitor and manage our services 

– To support medical research  

We keep our privacy notice under regular review, and we will place any updates on this webpage. This privacy notice was last updated on 29/06/2023.

Patient Confidentiality Charter Booklet