Privacy Notice

 


 

Statham Grove Surgery - General Practice Privacy Notice

 

Background

This practice’s primary purpose is to provide the best care possible for you. In order to do this, we need to collect, store and share information about you.

This privacy notice is designed to explain what happens to any personal data that you give us or any information concerning you that is collected by other organisations, for instance, if you attend an Accident and Emergency department. This includes how your data is held and/or processed by us.

This notice includes:

  • Who we are and how we use your information
  • The kinds of information we hold and how we process them
  • The legal grounds for processing your personal data, including when it is shared with others
  • What to do if your personal information changes
  • The length of time that your information is stored and retained by us
  • Information about your rights under the 2018 Data Protection Act incorporating the UK General Data Protection Regulations (GDPR)
  • Information about what to do if you have a query or problem

Under the 2018 Data Protection Act incorporating the UK General Data Protection Regulation (GDPR), the practice is known as the Data Controller. As such we are responsible for keeping your data up to date and accurate, as well as storing it safely and sharing it securely. If you have a problem or a question, you should contact the Practice Manager in the first instance. The Act also stipulates that public sector organisations should provide access to an independent Data Protection Officer able to advise and investigate complaints on your behalf. Their contact details are provided in the summary below.

 

The information we hold on you

Our practice keeps data on you relating to who you are, where you live, your contact details, your family, details of your occupation (if any) and possibly your employers, your life habits, your health problems and diagnoses, and the reasons you seek help at your appointments. Your record also contains details if you have a carer, where you are seen, when you are seen, and who by, as well as all referrals to specialists and other health and social care providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other health care workers within and without the NHS, as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care. The reason for holding and processing all of this data is that it helps us in providing you with the best possible care.

All health related data is seen as ‘special category’ or ‘sensitive data’ under the 2018 Data Protection Act which means that it is shared and processed with particular care. This applies to your data whether it is in electronic formats or on paper.

When registering for NHS care, all patients who are eligible for NHS care receive a unique NHS Number and are registered on a national database. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.

 

Why we hold and process your data

We hold and process your personal data in order to provide you with direct care. Anonymised and pseudonymised patient data, in other words data that cannot be used to identify you, is also used to:

  • Improve the quality and standard of care that we and other organisations provide
  • Research and develop new treatments
  • Develop preventative treatment of illness and disease
  • Monitor standards of patient safety
  • Plan future services.

You also have a choice over whether you wish your confidential data – i.e. data that CAN be traced back to you – to be used for these purposes. If you are content with this then you do not need to do anything. If you are not sure or wish to opt out, please see the section on Opting-Out of Research and Planning below.

 

Who do we share information with?

As GPs, we cannot provide all your treatment ourselves, so we need to delegate this responsibility to others within the practice and to other organisations such as pharmacies or hospitals.

If your care requires treatment outside the practice, we will exchange with those providing such care and treatment whatever information may be necessary to provide you with joined-up, safe, high-quality care. This will include the London Care Record, which allows different organisations to view personally identifiable data in order to provide you with integrated care. The practice also delivers services and treatment to our patients as part of, and in association with, local Primary Care Networks and Neighbourhood Multi-disciplinary teams.

Once you have seen any outside care provider, they will normally send us details of the care they have provided you with, so that we can understand and support your health and treatment better.

The sharing of personal data, within the practice and with those other organisations involving the practice, such as Primary Care Networks (PCNs) and Neighbourhood Multidisciplinary Teams as well as secondary care organisations and social prescribing organisations is assumed and is allowed by law (including the Data Protection Act 2018). However, we will gladly discuss this with you in more detail if you would like to know more. We keep a register of our Information Assets which also sets out our dataflows and a Record of Processing Activity. The majority of patient data processing and storage happens via our EMIS and EMIS Community clinical systems.

We have an overriding responsibility to do what is in your best interests under the 2018 Data Protection Act ‘in performance of a public task’ (see legal bases in the summary below). The Practice team (clinicians, administration and reception staff) only access the information they need to allow them to perform their function and fulfil their roles. A list of the types of organisation we share with is provided below. This summary also contains details of your rights in relation to your data under the Act and how to exercise them.

We do also share anonymised data across our Primary Care Network, relevant Clinical Commissioning Groups, London Integrated Care Systems, The City and Hackney GP Confederation and NHS England. This data is extracted by secure data extraction tools such as EMIS Enterprise and/or Apollo.

This practice does NOT share your data with insurance companies, except by your specific instruction or consent.

We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for. iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.

Your data is NOT shared or sold for any marketing purpose.

 

Use of AI scribe in patient consultations

Our practices are committed to delivering the best possible care to our patients. To enhance the quality and efficiency of our consultations, clinicians (your GP or a member of the multidisciplinary team within your practice) may use artificial intelligence (AI) enabled scribe software during your appointment. The AI scribe is specifically designed to be used in a clinical setting and will convert your conversation with your clinician into text to generate a comprehensive note from your consultation.

We are currently using Accurx Scribe powered by Tandem.

What is Accurx Scribe?

Accurx Scribe transcribes audio from a patient contact or free-dictation and uses AI to summarise it into a structured form for medical notes, including any relevant coding. Clinicians can instantly modify notes and generate other documents, save these notes to the patient record and share documents with patients and other services. More information about the software can be found on the Accurx website at: Accurx for patients.

Informing patients when we use an AI scribe

Whilst the use of an AI scribe is designed to improve patient care, your privacy is important to us. Accurx Scribe only processes information discussed during your appointment and operates within strict data protection and security controls. Before using Accurx Scribe, your clinician will inform you that they are planning to use this tool. You have the option to decline its use at any time during your appointment; you just need to let your clinician know.

 

Population Health Management Data Platform (Optum Pathfinder) July 2025

Population Health Management (PHM) Privacy Notice 

Under data protection law we must tell you about how we use your personal information. This includes the personal information that we share with other organisations and why we do so. Our main GP practice privacy notice is on our website. This additional privacy notice provides details about Population Health Management.  

What is Population Health Management (PHM)?  

PHM is aimed at improving the health of both local and national populations. It is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair, timely, and equal. It helps to reduce the occurrence of ill health and looks at all the wider factors that affect health and care.

PHM is an approach being implemented across the NHS and this Practice. Population Health Management requires health and social care to work together with communities and partner agencies, for example GP practices, community service providers, hospitals and other health and social care providers. Organisations will share and combine de-identified information (where information identifying you has been removed) with each other in order to get a view of health and services for the population in a particular area. This information sharing is subject to robust security arrangements and risk assessments.

How will my Personal Information be used?  

The information needed for PHM will include information about your health and social care. Information about you and your care will be used in a format that does not directly identify you, which we refer to within this privacy notice as pseudonymised. This information will be combined and anything that can identify you (like your name or NHS Number) will be removed and replaced with a unique code. This means that the people working with the data will only see the code and cannot see which patient the information relates to. The information will be used for a number of health and social care related activities such as:

  • Identifying groups of patients that could benefit from direct interventions  
  • improving the quality and standards of care provided  
  • research into the development of new treatments  
  • preventing illness and diseases  
  • monitoring safety  
  • planning services  

Who will my personal information be shared with?  

Your GP, other health or care providers, Local Councils within NE London and the NHS NEL Integrated Care Board may send the information they hold on their systems to each other.  All of these organisations are legally obliged to protect your information and maintain confidentiality in the same way that your GP or hospital provider is.  

Is using my personal data in this way lawful? 

Health Care Providers are permitted by data protection law to use information where it is “necessary for medical purposes”.  This includes caring for you directly as well as management of health services more generally.  The legal basis for sharing your information is GDPR Article 6 (1) (e) “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”  

Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law and in this case, anonymised data is used so that you cannot be identified.   

Can I object to my data being used as part of this programme? 

Yes. You have the right to opt out of your personal data being used in this way. You can do this in two ways:

  1. Opt out of all sharing of your data for other uses outside your GP Practice.  This is called a Type 1 opt out and you should request this directly to us, your GP practice. This will be applied not only to this programme but to any others we take part in.  
  2. National Data Opt-out (opting out of NHS Digital sharing your data).  You can find out more about and register a National Data Opt-out, or change your choice on nhs.uk/your-nhs-data-matters or by calling 0300 3035678.  

This applies to identifiable patient data about your health which is called confidential patient information.  If you don’t want your confidential patient information to be shared with other organisations for purposes except your own care - either GP data, or other data it holds, such as hospital data - you can register a National Data Opt-out.  

If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.

 

Communication with Patients

The practice will use your contact details in order to inform you of progress in your treatment or to work with you in managing your health. Because we can communicate and get data to you more quickly and more securely, we prefer to use email and text messaging services. Please ensure that we have your current, up to date, email address and mobile telephone so that we can do this. If you would prefer us NOT to communicate with you in these ways, please let us know.

 

CCTV and Telephone Calls at Statham Grove Surgery

Statham Grove Surgery operates CCTV on its premises and external property in order to review any actual or potential incident in the premises or environs of the surgery. This data is recorded and will be kept for up to 6 weeks; it will then be deleted.

All telephone calls are recorded for training purposes and to monitor service delivery, with Storacall Technology LTD acting as the data processor on the practice’s behalf. This data is recorded and will be kept for up to 12 weeks; it will then be deleted.

 

Safeguarding and the Caldicott Guardian

The practice is dedicated to safeguarding all its patients, including children and vulnerable adults. This means that information will be shared by the practice in their best interests. Such decisions are the ultimate responsibility of the practice’s Caldicott Guardian. The Caldicott Guardian is the senior person (always a doctor and often a partner within a practice) responsible for protecting the confidentiality of people’s health and care information. The duty to share data for the benefit of individuals is as important as the duty to protect patient confidentiality, and actions taken as a result of safeguarding concerns will override data protection. Their decision to share or not to share data is final and there is no appeal process.

 

Medical Audits and Medicines Management

The practice will conduct audits of its services and treatment as well as reviews of medicines prescribed to its patients. Reviews of patient data are necessary to allow us to test and update our services and prescribing to ensure that you receive the most appropriate and cost-effective treatments. These reviews may take the form of internal audits or those conducted by other commissioned healthcare organisations such as the local Medicine Management Team.

 

Risk Stratification

Electronic tools of prediction, based upon algorithms and artificial intelligence, are used within the NHS to determine a patient’s future risks and treatment needs. Wherever we can, we want to prevent admissions to A&E and secondary care which would be otherwise necessary. Such preventative care may, for instance, use these tools to determine the risk and consequence of a future fall in an elderly patient.

 

Research and Planning

The practice takes part in research that uses anonymised or pseudonymised data. This means that patient data cannot be traced back to individuals and is therefore no longer personal data under the 2018 Data Protection Act.

Anonymised or pseudonymised patient data held by the practice may also be used to evaluate present services that provide direct care or to plan future ones within the practice or across the local area.

Sometimes, the practice is contacted to ask whether its patients would consider taking part in research on a particular condition but where the data used would identify those individuals. In all such cases, patient data can only be used where patients have given their consent.

 

Data Opt-Outs (The National Data Opt-out) and Your Right to Object

You cannot opt-out of your data being shared for the purposes of providing you with direct care. You can exercise your right to object to a specific process involving your data. If you wish to do this for data processed at this practice then you must contact the practice’s Data Protection Officer at NHS North East London ICB.

You can opt-out from having your confidential data (i.e. data that can identify you) being used for purposes beyond direct care, such as research and planning. To do this, you can check or change your preferences at NHS Your Data Matters on-line and read the information and follow the instructions if you wish to opt out. This opt-out is recorded against your NHS number on the NHS ‘spine’.

There are some situations where your data will be shared in addition to providing you with direct care. These include:

  • Situations where data is needed in the “public interest”, e.g. in cases of epidemic where communicable diseases need to be diagnosed and the spread of their infection prevented or controlled
  • To monitor and deliver vaccination programmes
  • To manage risks of infection from food or water supplies or the environment.

You can find out more about how your patient information is used

This practice is compliant with the national data opt-out policy.

 

How is your information stored?

The practice stores the main patient record via a contracted data processor in the cloud. The contracted processor for the practice is Egton Medical Information Systems (EMIS). They can be contacted via EMIS, Rawdon House, Green Lane, Yeadon, Leeds LS19 7BY.

 

How long is the information retained?

The medical record is retained at the patient’s practice for the lifetime of the patient, after which it is sent to Primary Care Services England (PCSE). If you move to another practice your records will be transferred to that practice.

 

Summary

Data Controller

Statham Grove Surgery

Data Protection Officer

DPO Name: NHS North East London ICB
DPO Address: 4th Floor, Unex Tower, 5 Station Rd. London. E15 1DA
Tel: 0800 917 8607

Purpose of Processing your personal information

Direct Care delivered to the individual alone, much of which is provided in the surgery.

After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc.

The information that is shared is to enable the other healthcare and social care professionals to provide the most appropriate advice, investigations, treatments, therapies and/or care.

Lawful Basis for Processing your personal information

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(c) – the processing is necessary for compliance with a legal obligation to which the controller (the practice) is subject; and/or

Article 6(1)(e) ‘…the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Health data is defined as a special kind of personal data and is also processed by the practice under Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..’

The sharing of your personal data also takes place in accordance with the common law duty of confidentiality. Performance of this duty does not require consent from the patient where the proposed use of their data is either for individual care or in the public interest.

Recipient or categories of recipients of your personal data

The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.

  • GPs
  • Hospitals
  • Primary Care Networks
  • Local GP provider organisation
  • NHS Commissioning Support Units
  • Social Care Services
  • Health and Social Care Information Centre (HSCIC)
  • Clinical Excellence Group
  • Community Pharmacists
  • District Nurses
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • The Child Health Information Service
  • Substance Misuse Remote Workers
  • London Coroner’s Service
  • Social Prescribers

Many organisations across London share an aggregated summary view of your data, held in a secure Health Information Exchange and using a Local Health Care Exemplar format known as the One London patient record, in order to make quicker and better informed decisions in providing you with care.

This practice is also part of a Neighbourhood Multi-Disciplinary Team based within the Woodberry Wetlands Primary Care Network designed to bring together a number of service providers to help patients with more than one need.

Your right to object

You have the right to object to some or all of the information being processed, which is detailed under Article 21. Exercising your right to object may well prevent the referral or course of treatment from going ahead.

Please contact the Data Protection Officer at NHS North East London ICB.

You should be aware that this is a right to raise an objection; that is not the same as having an absolute right to have your wishes granted in every circumstance.

Your right to access and correction

You have the right to access your data and to have any inaccuracies corrected.

You can access your medical record electronically via the NHSApp, or by making a Subject Access request to the Practice Manager.

Please let us know if there are any mistakes in your record.

There is no right to have medical records deleted except when ordered by a court of law.

How long do we hold your personal data for?

We retain your personal data in line with both national guidance and law, which can be found by clicking here

Your right to complain

If you have a question or wish to complain about the use of your data, you should approach the Practice Manager or contact the Data Protection Officer NHS North East London ICB.

The use of personal data is overseen by the Information Commissioner’s Office, often known as the ICO.

If you wish to complain or raise a concern with the ICO, they can be contacted via their website.

Or you can also call their helpline

  • Tel: 0303 123 1113 (local rate)
  • 01625 545 745 (national rate)

Or you can write to them at

The ICO, Wycliffe House, Water Ln, Wilmslow SK9 5AF

Data Processor Update

This practice acts as Data Controller for your data. It uses a number of suppliers as Data Processors. These suppliers may be procured nationally, regionally or locally and support the practice by providing various clinical services under instruction.

Patients receiving warfarin treatment are monitored by a system called INRstar. This system is owned by LumiraDx Care Solutions.

LumiraDx Care Solutions are planning to migrate INRstar from its current location to a new Cloud-First technology. During this move, the data residency will remain in England in a UK Government approved data centre. There is no threat to patient confidentiality, data will not be modified in any way, and the way it is processed will remain the same following the migration. The LumiraDx Care Solutions privacy policy and data protection impact assessment can be found on their website.