Privacy policy

How we use your personal information

This fair processing notice explains why the GP practice collects information about you and how that information may be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice holds about you may include the following information:

• Details about you, such as your address, carer, legal representative, emergency contact details
• Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations such as laboratory tests, x-rays etc
• Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose.

Risk Stratification
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by EMIS, and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Medicines Management
The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. This service is provided to practices within Bristol through BNSSG Clinical Commissioning Group. 

How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
• Data Protection Act 2018
• GDPR Act 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality, Information Security and Records Management

Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.


We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

Our practice Caldicott Guardian is: Mrs Sarah Monteith, Practice Manager
Our practice Information Governance Lead GP is: Dr Nicholas Gwilliam GP Partner
Our practice Data Protection Officer can be contacted at: gp-igenquiries.scwcsu@nhs.net


Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
• NHS Trusts / Foundation Trusts
• GPs
• NHS Commissioning Support Units
• Independent Contractors such as dentists, opticians, pharmacists
• Private Sector Providers
• Voluntary Sector Providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• Health and Social Care Information Centre (HSCIC)
• Local Authorities
• Education Services
• Fire and Rescue Services
• Police & Judicial Services
• Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and, in some cases, asked for explicit consent for this to happen when this is required.

Other NHS and non-NHS Organisations who we share your data with and why

Sometimes the practice shares information with other organisations that do not directly treat you, for example, our Integrated Care Board (ICB). Normally, it will not be possible to identify you from this information. This information is used to plan and improve services. The information collected includes data such as the area patients live in, age, gender, ethnicity, language preference, country of birth and religion. The ICB also collects information about whether patients have long term conditions such as diabetes, blood pressure, cholesterol levels and medication. However, this information is anonymous and does not include anything written as notes by the GP and cannot be linked to you. (Please note this is not an exhaustive list and will change from practice to practice; the main systems are included in the list below.)

Sirona

Sirona Community nurses and other health care professionals can access GP information about people on their caseloads who have recently been discharged from hospital, or who are housebound, or who require longer term rehabilitation from the GP record. This information can be read by the healthcare professional to improve the patient’s care, but they are not able to amend the GP medical record.

You can find more information available on their website and view their Privacy Notice

Connecting Care is a digital care record system for sharing information in Bristol, North Somerset and South Gloucestershire. It allows instant, secure access to your health and social care records for the professionals involved in your care.


Relevant information from your digital records is shared with people who look after you. This gives them up-to-date information making your care safer and more efficient.


Beechwood Medical Practice uses the system in the following way:
- We can access your data stored within the system and provide relevant information about you and your health

You can find more information available on their website and view their Privacy Notice

One Care (BNSSG) C.I.C - Data Analysis and Insights

Purpose - We share your data with One Care to:

  • Improve healthcare services and planning
  • Help make better decisions about your care
  • Support decisions about treatments and services

One Care may analyse your health data to find ways to improve healthcare services and planning. Your data helps One Care provide insights that support medical decisions and improve patient care.

Type of Data

Identifiable/Pseudonymised/Anonymised/Aggregate Data

Legal Basis

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
  • Article 6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’
  • Article 9(2)(j) necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes…. based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
  • Patients may opt out of having their personal confidential data used for planning or research. Please contact your surgery to apply a Type 1 Opt out or log on to https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/ to apply a National Data Opt Out.

South Central and West Commissioning Support Unit

Thomas Manning. CIPP/E
Data Protection Officer
One Care (BNSSG) C.I.C

Econsult

Econsult Health is a collection of digital triage solutions for Primary and Emergency Care. eConsult enables NHS based GP practices to offer online consultations to their patients. This allows patients to submit their symptoms or requests to their own GP electronically, and offers around the clock NHS self-help information, signposting to services, and a symptom checker.

Find more information available on their website and view their Privacy Notice

St Peter’s Hospice

This agreement enables hospice staff to read the records of patients in their care. This information can be read by the healthcare professional to improve the patient’s care, but they are not able to amend the GP medical record.

You can find more information available on their website and view their Privacy Notice

Accurx

Accurx is a British software company that has developed a messaging service for doctor surgeries to communicate with patients via SMS and Video messaging.

You can find more information available on their website and view their Privacy Notice

EMIS Health

EMIS Health, formerly known as Egton Medical Information Systems, supplies electronic patient record systems and software used in primary care, acute care and community pharmacy in the United Kingdom.

You can find more information available on their website and view their Privacy Notice

IGPR

We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for. IGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.

Patient Access

Patient Access connects you to local health services when you need them most. Book GP appointments, order repeat prescriptions and discover local health services for you or your family via your mobile or home computer.

You can find more information available on their website and view their Privacy Notice

National Obesity Audit

The audit will make use of data already collected from hospitals, community settings and general practices (GPs). This will include data from all weight management services and interventions commissioned (funded) by local authorities and the NHS.

We may also use external companies to process personal information, such as for mailing to invite you for recall purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. 

You can find more information available on the NHS Digital website

GetUbetter

The GetUbetter app provides NHS Organisations with new ways to support people with common MSK conditions via end-to-end digital injury support and condition management.

You can find more information available on their website and view their Privacy Notice

Vision/Splicecom

Splicecom is a cloud based phone system designed for health care. Our phone integrates with our clinical medical records system, EMIS, enabling us to identify patient phone numbers on incoming and outbound calls. We can also audit call volumes for operational planning.

For more information please see their Privacy Notice

Healthtech-1 Automated Patient Registration

Purpose: The aim of the Healthtech-1’s service is to reduce the time practice staff spend on administration and improve the patient’s experience of engaging with the practice. For Healthtech-1 to complete an automated patient registration, the primary data source is from the patient who will manually enter their personal details using their digital device onto the website. Additional special category data points are collected from the patient for the purpose of increasing quality of care for that patient at the relevant GP surgery.

Legal Basis: Article 6(1)e - “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; Article 9(2)h - “processing is necessary for the purposes of preventive or occupational medicine”;

Processor: Healthtech-1, 

Further information can be found on their website.

National Diabetes Prevention Programme

Purpose: Our practice has an agreement in place that allows the National Diabetes Prevention Programme provider, Living Well Taking Control (LWTC), to contact you on our behalf. They will inform you about the support available to help reduce your risk of developing type 2 diabetes.

Living Well Taking Control

Legal Basis:

Article 6(1)e “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

Article 9(2)h “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”

Processor: Living Well Taking Control

Keeping Bristol Safe Partnership’s Children Safeguarding, Adult Safeguarding and Community Safety

Purpose:

The Safeguarding and Community Safety DSA helps make sure that personal, sensitive, and criminal information is shared and stored safely and legally. This protects children and adults who may be at risk, supports safeguarding teams, and helps prevent crime.

Legal Basis:

Article 6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 9(2)(g) processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;

Population Health Management

Purpose:

Health and care services work together as ‘Integrated Care Systems’ (ICS) and are sharing data to:

  • Understand the health and care needs of the care system’s population including health inequalities
  • Provide support to where it will have the most impact
  • Identify early actions to keep people well, not only focusing on people in direct contact with services but looking to join up care across different partners.

Type of Data:

Identifiable/Pseudonymised/Anonymised/Aggregate Data. NB only organisations that provide your care will see your identifiable data.

Legal Basis:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine’

Data Processors - SCW CSU, One Care

OpenSAFELY COVID-19 and Data Analytics Services

Purpose:

"NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.

Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.

Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.

Legal Basis:

UK GDPR – Article 6 basis:

UK GDPR Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject (the Directions).

UK GDPR Article 9 basis:

UK GDPR Article 9(2)(g) - processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject, by virtue of compliance with a direction  supplemented by:

Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP.

Here you can find additional information about OpenSAFELY."

Processor:

  • NHS England
  • The Phoenix Partnership (TPP)
  • EMIS

Heidi Health

Purpose: We use Heidi for clinical documentation and, where enabled, for certain non‑clinical meetings such as team or HR sessions. Heidi is a documentation aid for qualified and registered clinicians. It is not a clinical decision‑making tool and does not replace medical assessment. Clinicians are responsible for ensuring any notes accurately reflect the encounter. Patient audio is not retained; audio is streamed for transcription and discarded immediately after processing. We may share limited personal data about Heidi service usage with One Care so they can provide organisation‑level analytics and shared services to participating practices. For these activities, One Care processes personal data on our behalf under terms compliant with UK GDPR. Data shared are minimised for the stated purpose and do not include clinical note content unless strictly necessary and minimised. Participants are notified at the start of non‑clinical sessions. Data is processed within the UK and protected by appropriate technical and organisational measures. Transcripts, draft notes, and generated documents are subject to organisation‑controlled automatic deletion between 1 and 90 days; clinicians can also delete manually at any time.

Legal Basis:

Article 6(1)e: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

Article 9(2)h: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”

Processor: Heidi Health

Access to personal information
You have a right under the Data Protection Act 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:
• Your request must be made in writing to the GP – for information from the hospital you should write direct to them
• There may be a charge to have a printed copy of the information held about you if this is considered excessive
• We are required to respond to you within 30 days
• You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located


Objections / Complaints
Should you have any concerns about how your information is managed at the GP practice, please contact the GP Practice Manager. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioner’s Office (ICO) via their website (www.ico.gov.uk).


If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared then please contact the practice.


Change of Details
It is important that you tell the person treating you if any of your details, such as your name or address, have changed or if any of your details, such as date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.


Notification
The Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.


This information is publicly available on the Information Commissioner’s Office website, www.ico.org.uk.


The practice is registered with the Information Commissioner’s Office (ICO). Registration Number Z7276243.

Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential is:

Beechwood Medical Practice


Complaints
Should you have any concerns about how your information is managed by the Practice please contact the Practice Manager at the following address:
Beechwood Medical Practice
Fishponds Primary Care Centre
Beechwood Road
Fishponds
Bristol
BS16 3TD

If you are still unhappy following a review by the Practice you can then complain to the Information Commissioner’s Office (ICO): www.ico.org.uk, casework@ico.org.uk, telephone: 0303 123 1113 (local rate) or 01625 545 745.


Sarah Monteith - Practice Manager

Site search

Please DO NOT add any personally identifiable information – such as your name, NHS number, address or any other distinguishing detail – when using the site search function. The site search is intended to return information displayed on the website ONLY, and is not linked to our practice management system or your individual NHS records. Site search data is recorded in our analytics and cannot be deleted.