Privacy Notice - Tattenham Health Centre
Date issued: 20 May 2021
Last reviewed: 20 December 2023, 12 January 2026
Next review: January 2027 (or sooner if legislation changes)
1. Introduction
Tattenham Health Centre (“the Practice”) is committed to protecting your personal information and respecting your privacy.
This Privacy Notice explains:
· what information we collect about you,
· how and why we use it,
· who we share it with,
· how we keep it secure, and
· the rights you have under data protection law.
The Practice is registered with the Information Commissioner’s Office (ICO) as a Data Controller. Our registration details can be viewed on the ICO Register at:
https://ico.org.uk/ESDWebPages/Search
2. The information we collect about you
We collect personal data and special category (health) data, including:
· Name, date of birth, NHS number
· Address, telephone number, email address
· Next of kin, carers and emergency contacts
· Gender, ethnicity and preferred language
· Medical history, diagnoses and conditions
· Medications, allergies and adverse reactions
· Vaccinations and immunisations
· Test results, investigations and referrals
· Consultation notes and clinical observations
· Correspondence with other health and care providers
· Audio, video or photographic recordings (where applicable)
· Reports for third parties (e.g. insurance or legal reports, with consent)
We collect information:
· directly from you,
· from other NHS organisations involved in your care (e.g. hospitals, community services),
· from social care providers where relevant.
3. How we use your information (purposes)
A. Direct care
We use your information to provide you with safe and effective healthcare, including:
· assessing and diagnosing conditions,
· planning and delivering treatment,
· prescribing medication,
· referrals to other services,
· managing appointments and recalls,
· medicines management reviews,
· sharing relevant information with 111, ambulance services, out-of-hours services and hospitals where appropriate.
Some aspects of care support may be provided by non-clinical staff (e.g. scanning documents into records), who are subject to strict confidentiality obligations.
B. Digital communications
· We may use SMS text messaging for appointment reminders, recalls and health campaigns.
· With your consent, we may use email to communicate information about your care or services.
· You can opt out of these communications at any time.
C. Extended Access & shared care services
If you are seen as part of an Extended Access or shared service arrangement, we will share relevant parts of your GP record with clinicians providing that service to ensure continuity and safety of care.
D. Remote consultations and call recording
We may offer telephone or video consultations. Where calls or consultations are recorded, you will be informed.
4. Lawful basis for processing
We process your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For direct care:
· Article 6(1)(e) – task carried out in the public interest / official authority
· Article 9(2)(h) – health or social care purposes
Consent is not the primary legal basis for direct care, although we respect patient choices wherever possible.
Where consent is required (e.g. reports for third parties, some communications):
· Article 6(1)(a) – consent
· Article 9(2)(a) – explicit consent
You may withdraw consent at any time.
Other lawful bases used where appropriate:
· Article 6(1)(c) – legal obligation
· Article 6(1)(f) – legitimate interests (limited use, e.g. CCTV)
· Article 9(2)(i) – public health
· Article 9(2)(f) – legal claims
5. Vital interests
In emergencies where you are unable to provide information or consent, we may use or share your information to protect your vital interests or those of another person.
5. Risk stratification
We use risk stratification tools to identify patients who may benefit from preventative care or additional support (e.g. frailty, long-term conditions).
· Data is analysed in de-identified form
· Results help improve health outcomes and service planning
You may object to participation in risk stratification; however, this may limit proactive care.
6. Summary Care Record (SCR)
Your Summary Care Record contains key information such as medicines and allergies and is held securely by NHS England.
· It supports safe care in urgent or emergency situations
· You can choose to include additional information or opt out
· You can restrict access if you wish
More information is available at:
https://www.nhs.uk/your-nhs-data-matters
7. National clinical audits
We participate in legally approved national clinical audits, including:
· National Diabetes Audit
· National Cancer Diagnosis Audit
Data is shared only when permitted by law and helps improve care quality.
8. National screening programmes
We share limited contact details with NHS England screening services so you can be invited to programmes such as:
· Breast cancer
· Cervical cancer
· Bowel cancer
· Abdominal aortic aneurysm
· Diabetic eye screening
9. Operational and commissioning support
We receive support services from Surrey Heartlands Integrated Care Board (ICB) to assist with:
· service planning and redesign,
· performance monitoring,
· reducing health inequalities,
· patient safety and quality improvement.
Robust data sharing agreements are in place.
10. CCTV
CCTV is used on the premises for crime prevention and safety.
· Areas are clearly signposted
· Footage is retained for a limited period unless required for investigation
Lawful basis:
· Article 6(1)(f) – legitimate interests
11. National registries & public health
Certain information must be shared by law with:
· National disease registries (e.g. cancer registries)
· UK Health Security Agency (UKHSA) for notifiable diseases
12. Research and planning
We may use:
· anonymised data (not personal data), or
· pseudonymised data (still personal data)
for research, service evaluation and planning.
Where identifiable data is required, your explicit consent will be sought unless the law allows otherwise.
13. Who we share your information with
This may include:
· NHS trusts and hospitals
· Community and mental health services
· Ambulance and 111 services
· Social care services
· Surrey Heartlands ICB
· NHS England
· Regulatory bodies (CQC, ICO)
· Local authorities (safeguarding)
· Approved third-party service providers
We only share information that is necessary and lawful.
14. Third-party service providers
We use trusted providers for:
· clinical systems and IT support,
· patient websites and online services,
· appointment and prescription systems,
· document management,
· interpretation and translation services.
All providers are subject to contractual confidentiality and security obligations.
15. Your rights
You have the right to:
· access your information,
· rectification,
· restriction of processing,
· object to processing,
· erasure (where applicable),
· data portability (limited),
· withdraw consent (where used).
Requests can be made verbally or in writing. Proof of identity may be required.
16. National Data Opt-out
You can opt out of your confidential patient information being used for research and planning.
This does not apply to direct care or legally required disclosures.
Visit:
https://www.nhs.uk/your-nhs-data-matters
17. Retention of records
Records are retained in line with the NHS Records Management Code of Practice 2021. Secure disposal methods are used when records are no longer required.
18. Security of your information
We use technical and organisational measures to protect your data, including:
· access controls,
· staff training,
· encryption and secure systems,
· audits and monitoring.
19. Data Protection Officer
Our Data Protection Officer is:
Daniel Lo Russo
Email: syheartlandsicb.informationgovernance@nhs.net
Telephone: 07811 355 274
Address:
Surrey Heartlands
Block C, 1st Floor
Dukes Court
Duke Street
Woking
Surrey
GU21 5BH
20. Complaints
If you have concerns, please contact the Practice first.
You may also complain to the ICO:
Website: https://ico.org.uk/global/contact-us/
Telephone: 0303 123 1113
21. Review of this notice
We review this Privacy Notice regularly and update it when required by changes in law or practice.