Privacy Policy
Buckland Medical Practice
(Buckland Medical Centre, Tara Surgery & Peter Street Surgery)
Policy Name: Practice Privacy Notice
Version: 4
Latest Version Date: December 2025
Next Review Date: December 2026
Policy Author: Katharine Manser overseen by Dr Preeti Kaushal
Data Controller: Buckland Medical Practice
Data Controller: Z8808315
Data Protection Officer: Pamela Ashe, NHS Kent & Medway ICB
Policy summary: This policy outlines the appropriate actions for Practice Privacy Notice
PRACTICE PRIVACY NOTICE
How we use your information
This Privacy Notice explains why Buckland Medical Practice collects information
about our patients, how we use that information, how we maintain confidentiality,
and your rights.
The Practice manages patient information in accordance with UK GDPR, the
Data Protection Act 2018, and the Common Law Duty of Confidentiality. We are
committed to protecting your privacy and using information lawfully in accordance
with:
UK General Data Protection Regulation 2018 (UK GDPR)
Data Protection Act 2018
Common Law Duty of Confidentiality 2003
Human Rights Act 1998
Health and Social Care Act 2012
NHS Codes of Confidentiality & Information Security
As Data Controllers, GPs must ensure that personal confidential data (PCD) is
handled fairly, transparently, and in a reasonably expected manner.
What information we collect about you
Health professionals maintain records about your health and the care you
receive. These may include:
Personal details (name, address, DOB, next of kin)
Contact details
Appointment history
Notes and reports about your health
Medication and allergies
Investigations and test results
Information from other health professionals
Correspondence (letters, referrals, discharge notes)
Records may be held electronically, on paper, or both. Only authorised staff have
access.
Categories of Data We Use
Anonymised Data
Information that cannot identify an individual. Data protection law does not apply.
Pseudonymised Data
Identifiers are replaced with artificial codes. Still personal data under UK GDPR
2018.
Personal Identifiable Data
Information that identifies you directly or indirectly. Protected under UK GDPR
and Common Law.
Some sensitive information (e.g., mental health, sexual health, safeguarding) is
subject to additional protection.
Why we process your information
We use your data for the following purposes:
Direct Care
Diagnosis, treatment, referrals and care delivery.
Human Resources (staff data)
(Separate privacy notice available.)
Planning and Research
Audit, service evaluation, population health management, research (only with
consent unless legally permitted).
Statutory Purposes
Reporting required by law (e.g., safeguarding, notifiable diseases).
Kent & Medway Care Record (KMCR)
A shared care record enabling authorised professionals across Kent & Medway
to access relevant information for your care.
OpenSAFELY – COVID-19 & Data Analytics Service
NHS England has been directed by the government to establish and operate the
OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service.
These services provide a secure environment that supports research, clinical
audit, service evaluation and health surveillance for COVID-19 and other
purposes.
Each GP practice remains the controller of its own GP patient data but is
required to let approved users run queries on pseudonymised patient data. This
means identifiers are removed and replaced with a pseudonym.
Only approved users are allowed to run these queries, and they will not be able
to access information that directly or indirectly identifies individuals.
Patients who do not wish for their data to be used as part of this process can
register a Type 1 opt-out with their GP.
Sharing your personal information
We share information only where lawful, necessary and proportionate. This may
include:
NHS Trusts
NHS Kent & Medway ICB
East Kent Hospitals University NHS Foundation Trust
Maidstone & Tunbridge Wells NHS Trust
Dartford & Gravesham NHS Trust
Medway NHS Foundation Trust
Kent & Medway Partnership Trust
North East London Foundation Trust
Kent Community Health NHS Foundation Trust
HCRG Care Group
Medway Community Healthcare
SECAmb
IC24
GP Federations and PCN partners
Kent & Medway Local Authorities (adults’ & children’s services)
Mental health, community and social care providers
Independent & voluntary sector providers
Schools and education services
Police & judicial services (where legally required)
We will never share your information for marketing or insurance purposes.
Mobile Phone Numbers
If you provide your mobile number, we may use it to:
send appointment reminders
send health screening invitations
send messages related to your care
You may opt out at any time.
Risk Stratification
Risk stratification identifies patients at high risk of emergency admission or
worsening health. It uses pseudonymised data analysed by NHS Digital and
returned to your GP in identifiable form so your care team can offer proactive
support.
You may opt out by contacting the Practice.
Invoice Validation
If you receive NHS treatment, information such as your NHS number, date of
treatment and local ICB details may be used to confirm which organisation pays
for your care.
This is carried out in a controlled, secure environment.
How we keep your information secure
We use appropriate technical and organisational measures to protect your
information, including:
Role-based access
Smartcard authentication
Data encryption
Secure clinical systems
Password and access controls
Annual Data Security & Protection Toolkit compliance
Staff confidentiality agreements
Annual data protection training
Business continuity and disaster recovery procedures
Regular audits and monitoring
All staff are bound by a legal duty of confidentiality.
How long we keep your records
We follow the NHS Records Management Code of Practice 2021, which sets
mandatory retention periods for all records.
https://transform.england.nhs.uk/media/documents/NHSX_Records_Management_CoP_V7.pdf
Your rights under UK GDPR
You have the right:
to be informed
of access (Subject Access Request)
to rectification
to erasure (in limited circumstances)
to restrict processing
to object
to data portability
rights relating to automated decision-making
(The Practice does not use automated decision-making.)
To exercise your rights, contact: edn.g82700@nhs.net
Access to your information (Subject Access Requests)
If we hold information about you, we will:
give you a description of it
explain why we are holding it
tell you who it may be disclosed to
provide a copy in an intelligible form
Please submit requests in writing to the Practice Manager by post or via email at
edn.g82700@nhs.net
Change of Personal Details
Please tell us promptly if your:
name
address
phone number
email
next of kin
has changed.
Accurate records ensure safe care.
Data Controller and DPO
Data Controller: Buckland Medical Practice
ICO Registration: Z8808315
Data Protection Officer:
Pamela Ashe
NHS Kent & Medway ICB
Email: kmicb.gpdpoteam@nhs.net
How to complain
You can raise concerns with:
Practice Manager
edn.g82700@nhs.net
DPO – NHS Kent & Medway ICB
kmicb.gpdpoteam@nhs.net
Information Commissioner’s Office (ICO)
0303 123 1113
www.ico.org.uk
Further Information
NHS Constitution
NHS Care Record Guarantee
NHS Digital – Guide to Confidentiality
Caldicott Information Governance Review
NHS England Data Uses Guidance
Updates to this Privacy Notice
This notice is reviewed annually.
Any changes will be published on our website and displayed in the Practice.
Page created: 19 July 2022