Your Information, Your Rights

Our Fair Processing Notice explains why we collect information about our GP practice patients and how that information may be used to deliver their direct care and manage the local health and social care system.

The notice reflects:

What information we collect about our patients;
How and why we use that information;
How we retain their information and keep it secure;
Who we share their information with and why we do this.

The notice also explains patients’ rights in relation to consent to use their information, the right to control who can see their data and how to seek advice and support if they feel that information has not been used appropriately.

Coronavirus (COVID-19) pandemic and your information

The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.

The ICO also recognise that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’

The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.

In order to look after your healthcare needs during this difficult time, we may urgently  need to share your personal information, including medical records, with clinical and non clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the Covid-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.

Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs.

The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2020 unless a further extension is required. Any further extension will be will be provided in writing and we will communicate the same to you.

Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.

How we look after your personal information during the Covid-19 pandemic when staff work from home

In accordance with government guidance and in order to protect the health and safety of our staff during this difficult period we will be requiring all staff who are able to, to work from home.

This means that staff may have access to any necessary personal and/or medical information in order to look after your healthcare needs.

We would like to assure you that our staff will be subject to all relevant security procedures  and policies of the Practice to ensure that any information is kept safe, secure and confidential at all times.

If you have any concerns about how your information may be used please contact our DPO who will be happy to assist with your enquiry.

The full Fair Processing Notice is provided below.

Fair Processing Notice

Your Information, Your Rights

Our Fair Processing Notice explains why we collect information about our GP practice patients and how that information may be used to deliver their direct care and manage the local health and social care system.

The notice reflects:

What information we collect about our patients;
How and why we use that information;
How we retain their information and keep it secure;
Who we share their information with and why we do this.

The notice also explains patients’ rights in relation to consent to use their information, the right to control who can see their data and how to seek advice and support if they feel that information has not been used appropriately.

The full Fair Processing Notice is provided below.

Being transparent and providing accessible information to patients about how we will use personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).

The following notice reminds patients of their rights in respect of the above legislation and how their GP Practice will use their information for lawful purposes in order to deliver care and the effective management of the local NHS system.

This notice reflects how we use information for:

    • The management of patient records;
    • Communication concerning patients’ clinical, social and supported care;
    • Ensuring the quality of care and the best clinical outcomes are achieved through clinical audit and retrospective review;
    • Participation in health and social care research; and
    • The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future.

Data Controller

As a registered GP practice and provider of primary care services, we are the data controller for any personal data that we hold about patients.  A Data Controller has overall control of the practice data and is responsible for keeping information secure and confidential.  The contact details are:

Data Controller
Salford Primary Care Together
2 City Approach
Albert Street
M30 0BL

Data Protection Officer (DPO)

The GDPR requires that public authorities appoint a DPO.  The primary role of the DPO is to ensure that the processing of personal data of staff, patients and any other individuals processed by the organisation is in compliance with the relevant data protection rules.  Although the DPO oversees compliance with data protection regulations, the responsibility for compliance is held by the Data Controller.

The DPO for Salford Primary Care Together is Salford CCG. For all queries please email:

What information do we collect and use?

All personal data must be processed fairly and lawfully, whether is it received directly from patients or from a third party in relation to their care.

We will collect the following types of information from patients or about them from a third party (provider organisation) engaged in the delivery of care:

    • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data.  This includes, but is not limited to name, date of birth, full postcode, address, next of kin and NHS Number;


    • ‘Special category / sensitive data’ such as medical history including details of appointments and contact with patients, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

Patient healthcare records contain information about health and any treatment or care they have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services).  These records may be electronic, a paper record or a mixture of both.  We use a combination of technologies and working practices to ensure that we keep information secure and confidential.

Why do we collect this information?

The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training.  To do this we will need to process patient’s information in accordance with current data protection legislation to:

    • Protect patient’s vital interests;
    • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
    • Perform tasks in the public’s interest;
    • Deliver preventative medicine, medical diagnosis, medical research; and
    • Manage the health and social care system and services.

How is the information collected?

A patient’s information will be collected either electronically using secure NHS Mail or a secure electronic transferred over an NHS encrypted network connection.  In addition physical information will be sent to the patient’s practice.  This information will be retained within the patient’s GP’s electronic patient record or within their physical medical records.

Who will we share patients information with? 

In order to deliver and coordinate our patients’ health and social care, we may share information with the following organisations:

    • Local GP Practices in order to deliver extended primary care services
    • Hospitals
    • NHS 111 and Out of Hours Service
    • Local Social Services and Community Care services
    • Voluntary Support Organisations commissioned to provide services

Information will only be shared if it is appropriate for the provision of care or required to satisfy our statutory function and legal obligations.

Information will not be transferred outside of the European Union.

Whilst we might share a patient’s information with the above organisations, we may also receive information from them to ensure that a patient’s medical records are kept up to date and so that we can provide the appropriate care.

In addition we may receive data from partnering organisations and healthcare providers.  This information is used to help us improve ‘out of hospital care’. Data may include (but is not limited to) interventions such as flu vaccinations or health checks provided in the community or notifications of urgent medicine supplies by community pharmacies.

At Salford Primary Care Together, we may send out SMS text message to patients in order to support the delivery of direct care.  This will most commonly be in the form of ‘2-Way’ text messaging to remind patients of upcoming pre-booked appointments and to allow patients to cancel unwanted appointments through reply SMS without needing to phone the surgery.  We may also contact patients by this means to support delivery of other direct care services.  This may include, (but is not limited to) invitations to book in for flu vaccination clinics or annual review appointments. We will never use this text messaging service to contact patients for marketing or any other purposes which fall outside the definition of direct care.

Our SMS solution is provided by the iPLATO, a web-based company that is hosted securely within N3 (the NHS network), and is compliant with the NHS Information Governance Statement of Compliance. There is a clear and unambiguous ability and legal basis for sharing data with iPLATO for processing patient data to deliver healthcare services under GDPR.  Nevertheless, we operate a consent based approach to managing patient communication preferences and any patients who wish to withdraw or ‘opt-out’ of receiving text messages should contact the practice reception team.

We will never under any circumstances sell patients’ personal information.

How do we maintain the confidentiality of patient records?

We are committed to protecting our patients’ privacy and will only use information that has been collected lawfully.  Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.  We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

Furthermore, allSalford Primary Care Together staff are bound by confidentiality agreements as part of their contracts of employment.  This obligation applies at all times, whether before or after termination of employment.

Information is not held for longer than is necessary.   We will hold a patient’s information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

Consent and Objections

 Do I need to give my consent?

The GDPR sets a high standard for consent.  Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps organisations to build trust and enhance their reputation.  However consent is only one potential lawful basis for processing information.  Therefore Salford Primary Care Together may not need to seek a patient’s explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice.  A patient’s GP Practice will contact the patient if they are required to share information for any other purpose which is not mentioned within this notice.  A patient’s consent will be documented within their electronic patient record.

What will happen if I withhold my consent or raise an objection?

Patients have the right to write to withdraw their consent to any time for any particular instance of processing, provided consent is the legal basis for the processing.  Please contact Salford Primary Care Together for further information and to raise an objection. Patients can do this by either directly contacting our reception team or by emailing us at

Health Risk Screening / Risk Stratification

Health Risk Screening or Risk Stratification is a process that helps our team to determine whether a patient is at risk of an unplanned admission or deterioration in health.  By using selected information such as age, gender, NHS number, diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care we will be able to judge if a patient is likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

To summarise, Risk Stratification is used in the NHS to:

    • Help decide if a patient is at a greater risk of suffering from a particular condition;
    • Prevent an emergency admission;
    • Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
    • Review and amend provision of current health and social care services.

We will use computer based algorithms or calculations to identify registered patients who are at most risk, with support from NHS Salford Clinical Commissioning Group (CCG), NHS Greater Manchester Shared Services (GMSS) and/or a third party accredited Risk Stratification provider. Neither GMSS nor Salford CCG will at any time have access to patients’ personal or confidential data.  They will only act on our behalf to organise the risk stratification service with appropriate contractual technical and security measures in place.

Salford Primary Care Together staff will routinely conduct the risk stratification process outside of your GP appointment.  Resulting reports are then reviewed by a multidisciplinary team of staff within the Practice.  This may result in contact being made with patients if alterations to the provision of their care are identified.

A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.

As mentioned above, patients have the right to object to their information being used in this way.  However patients should be aware that their objection may have a negative impact on the timely and proactive provision of direct care.  Patients are welcome to contact the practice to discuss how disclosure of their personal data can be limited.

Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept in most places where patients receive healthcare.  Electronic systems used in the practice enable a patient’s record to be shared with organisations involved in their direct care, such as:

    • GP practices
    • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
    • Child health services that undertake routine treatment or health screening
    • Urgent care organisations, minor injury units or out of hours services
    • Community hospitals
    • Palliative care hospitals
    • Care Homes
    • Mental Health Trusts
    • Hospitals
    • Social Care organisations
    • Pharmacies

At a national level, NHS England have implemented the Summary Care Record which contains information including medication patients are taking and any bad reactions to medication that patients have had in the past.

In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, taking into account all aspects of a person’s physical and mental health.  Many patients are understandably not able to provide a full account of their care, or may not be in a position to do so.  The shared record means patients do not have to repeat their medical history at every care setting.

A patient’s record will be automatically setup to be shared with the organisations listed above, however patients have the right to ask their GP to disable this function or restrict access to specific elements of your record.  This will mean that the information recorded by the GP will not be visible at any other care setting.

Patients can also reinstate their consent at any time by giving their permission to override their previous dissent.

In addition, Salford has its own local patient record sharing system known as the Salford Integrated Record (SIR).  SIR contains the information held on a patient’s GP record as well as information from clinic and hospital records.  This record is only accessible by health and social care professionals directly involved in the patient’s care.  Patients will be asked for permission to view their record each time they come into contact with a health professional and every time a record is viewed the identity of the reader is recorded  Patients can request details of all the people who have accessed their SIR.  Staff can be asked to give a reason why they have viewed a patient’s record and will be disciplined if rules on confidentiality are broken.  As this forms an element of direct patient care, there is no option to opt out of the SIR.

Invoice Validation

If a patient has received treatment within the NHS, the local Commissioning Support Unit (CSU) may require access to theirr personal information to determine which Clinical Commissioning Group is responsible for payment for the treatment or procedures they have received.  Information such as their name, address, date of treatment and associated treatment code may be passed onto the CSU to enable them to process the bill.  These details are held in a secure environment and kept confidential.  This information is only used to validate invoices in accordance with the current Section 251 Agreement, and will not be shared for any further commissioning purposes.

Your Right of Access to Your Records

The Data Protection Act and General Data Protection Regulations allows patients to find out what information is held about them including information held within theirr medical records, either in electronic or physical format.  This is known as the “right of subject access”.  If patients would like to have access to all or part of their records, they can make a request in writing to the organisation that they believe holds the information.  This can be a GP practice, or a provider that is or has delivered their treatment and care.  Patients should however be aware that some details within their health records may be exempt from disclosure, however this will in the interests of a patient’s wellbeing or to protect the identity of a third party.  If a patient would like access to their GP record, they are asked to please contact our reception team.


In the event that a patient feels Salford Primary Care Together has not complied with the current data protection legislation, either in responding to their request or in our general processing of their personal information, they should raise their concerns with us.  There are three ways to do this:

  1. Verbally, by speaking to ANY member of SPCT staff
  2. By letter or by completing a Service User Feedback Form (within complaints leaflet) and returning to the service or posting to:
  3. In writing to: Executive Lead for Direct Delivery/Complaints Manager, Salford Primary Care Together, 3rd Floor, 2 City Approach, Albert Street, Eccles, M30 0BL

Full details of the SPCT complaints process is available in the Complaints Procedure and this can be obtained from our reception team.

If you remain dissatisfied with our response you can contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wimslow, Cheshire SK9 5AF – Enquiry Line: 01625 545700 or online at