Practice: Eastfield Medical Practice
Address: Eastfield Farm Road, Penicuik, EH26 8EZ
Telephone: 01968 675 576
Website: www.eastfieldmedicalpractice.co.uk
Practice Privacy / Data Protection Lead: Practice Manager
Effective from: 2 June 2026
Last reviewed: 2 June 2026
Next review due: 2 June 2027
Version: 2.2
1. About this notice
Eastfield Medical Practice is committed to protecting your privacy and handling personal information lawfully, fairly, securely and transparently.
This notice explains:
- what information we collect and hold;
- why we use your information;
- the lawful basis for using it;
- who we may share information with;
- how long we keep information;
- how we protect information;
- your rights;
- how to raise a concern or complaint.
This notice applies mainly to patients. It may also apply to carers, guardians, representatives, complainants, visitors, staff, contractors, suppliers, survey respondents and other individuals whose information is handled by the practice.
This notice covers information held in clinical systems, administrative systems, paper records, emails, telephone records, online forms, website systems, call recordings, CCTV systems and other practice records.
2. About Eastfield Medical Practice
Eastfield Medical Practice is an independent contractor providing NHS primary medical services by way of a contract with NHS Lothian, made under the National Health Service (Scotland) Act 1978.
Eastfield Medical Practice is the data controller for personal information we hold and use for the purposes of providing NHS primary medical services and running the practice.
This means we are responsible for deciding how and why personal information is used, and for ensuring that it is handled in line with data protection law, confidentiality requirements, NHS Scotland information governance requirements and relevant professional standards.
In some circumstances, other organisations may also be data controllers for information they hold and use for their own purposes. This may include NHS Lothian, other NHS organisations, public health bodies, laboratories, hospitals, community services, social care organisations, regulators or other bodies involved in your care or in the administration of NHS services.
3. Data controller and contact details
Data Controller: Eastfield Medical Practice
Address: Eastfield Farm Road, Penicuik, EH26 8EZ
Telephone: 01968 675 576
Website: www.eastfieldmedicalpractice.co.uk
Practice Privacy / Data Protection Lead: Practice Manager
If you have any questions about this notice or how we use your information, please contact the Practice Manager using the details above.
Please note that emails sent from a private email account may not be secure. Do not use email for urgent medical problems.
4. Data Protection Officer
NHS Lothian’s Data Protection Officer can be contacted for advice or concerns about how personal information is handled.
Data Protection Officer
Information Governance
Woodlands House
74 Canaan Lane
Edinburgh
EH9 2TB
Telephone: 0131 465 5444
Email: Loth.DPO@nhs.scot
The Practice Manager is the local privacy and data protection lead for day-to-day practice enquiries. The Data Protection Officer contact above can be used if you have a data protection concern or if you remain dissatisfied after raising a concern with the practice.
5. What personal information we use
We may collect and use different types of personal information depending on the reason for contact with the practice.
5.1 Personal and identifying information
This may include:
- name;
- address and postcode;
- date of birth;
- Community Health Index number, known as the CHI number, or other NHS identifiers;
- telephone number;
- mobile number;
- email address;
- next of kin or emergency contact details;
- carer, guardian or representative details;
- communication needs, including interpreter requirements and accessible format needs.
5.2 Health and care information
Health information is special category data under data protection law. This may include:
- symptoms;
- diagnoses;
- medical history;
- medications;
- allergies;
- test results;
- vaccinations;
- referrals;
- clinic letters;
- hospital correspondence;
- care plans;
- safeguarding information;
- long-term condition monitoring;
- information from other health and care providers;
- information you provide through consultations, telephone calls, emails, letters, online forms or questionnaires.
5.3 Administrative and contact information
This may include:
- appointment details;
- attendance information;
- telephone call records;
- online form submissions;
- email correspondence;
- text message records;
- prescription requests;
- fit note requests;
- complaints, feedback and concerns;
- incident information;
- records of requests for copies of medical records;
- records of access, disclosure, correction or objection requests.
5.4 Other categories of information
In limited circumstances, we may also process information about:
- family and social circumstances where relevant to care;
- lifestyle information where relevant to care;
- employment information, for example for fit note requests;
- visual images, such as CCTV images or clinical photographs;
- survey responses;
- information relating to visitors, contractors or suppliers.
6. Where we get information from
Most information is provided directly by you.
We may also receive information from other individuals and organisations involved in your care or in the delivery of health and care services, including:
- NHS hospitals and clinics;
- NHS Lothian services;
- NHS 24;
- out-of-hours services;
- community nursing services;
- health visitors;
- midwives;
- pharmacies;
- opticians;
- dentists;
- other GP practices;
- screening services;
- laboratories;
- local authorities and social care services;
- care homes;
- family members, carers, guardians or representatives, where appropriate;
- police, courts, regulators or other public bodies where there is a lawful reason.
Some information is needed so that we can identify you correctly, provide safe care, maintain accurate records and meet NHS or legal requirements. If required information is not provided, this may affect our ability to provide services safely or fully.
7. Why we use your information
We use personal information to provide NHS primary medical services and to run the practice safely, effectively and lawfully.
We use information to:
- identify patients correctly;
- provide direct care, including assessment, diagnosis, treatment and follow-up;
- prescribe and manage medicines;
- arrange referrals;
- receive and process results and correspondence;
- manage appointments;
- contact patients about care or administrative matters;
- process prescription requests;
- process fit note requests and other administrative requests;
- maintain accurate clinical records;
- communicate with other health and care providers;
- support safeguarding of children and adults at risk;
- manage complaints, concerns and feedback;
- investigate incidents and significant events;
- support clinical governance, audit, quality improvement and patient safety;
- meet legal and regulatory duties;
- support public health work;
- support NHS contractual, payment, planning and service management requirements;
- manage practice records, accounts and administration;
- keep staff, patients, visitors and premises safe;
- support training, where appropriate and lawful;
- respond to lawful requests from regulators, courts, police or other authorised bodies.
We only use the information that is necessary and proportionate for the relevant purpose.
8. Our lawful basis for using personal information
Eastfield Medical Practice must have a lawful basis when using personal information.
For most patient care and related administrative purposes, we process personal information under:
UK GDPR Article 6(1)(e) - Public task / official authority
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This includes providing NHS primary medical services and running the practice safely and effectively.
We may also process personal information under:
UK GDPR Article 6(1)(c) - Legal obligation
Processing is necessary because the law requires us to do something.
UK GDPR Article 6(1)(d) - Vital interests
Processing is necessary to protect someone’s life.
UK GDPR Article 6(1)(f) - Legitimate interests
This may apply in limited circumstances, for example when managing supplier, contractor, employment, business administration or legal matters, where those interests are not overridden by the rights and freedoms of the individual. We do not rely on legitimate interests for routine NHS care where public task is the appropriate basis.
UK GDPR Article 6(1)(a) - Consent
This may apply in specific situations where we ask for consent for a particular purpose. Consent is not usually the lawful basis for routine NHS care or routine practice administration.
Where we rely on consent, we will explain what you are being asked to consent to, whether you can refuse, how you can withdraw consent, and what the effect of withdrawal would be.
9. Our lawful basis for using health information and other special category data
Health information is special category data and is given extra protection under data protection law.
For most patient care and related healthcare management purposes, we process health information under:
UK GDPR Article 9(2)(h) - Health or social care
Processing is necessary for medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
We may also rely on other Article 9 conditions where appropriate, including where processing is necessary:
- for reasons of public interest in the area of public health;
- for reasons of substantial public interest, with appropriate safeguards;
- to protect vital interests;
- for legal claims or court orders;
- for archiving, research or statistical purposes, with appropriate safeguards;
- for employment, social security or social protection obligations where relevant.
Where required by the Data Protection Act 2018, the practice will apply appropriate safeguards and maintain relevant internal documentation.
We will only use special category information where there is a lawful reason and where the use is necessary and proportionate.
10. Confidentiality
In addition to data protection law, Eastfield Medical Practice is bound by a duty of confidentiality.
Where information is confidential, we will only use or share it:
- for your direct care;
- where you have given consent, where consent is required;
- where there is another lawful basis and a valid reason to share;
- where there is an overriding public interest;
- where disclosure is required by law;
- where it is necessary to protect someone from serious harm.
All staff are required to follow confidentiality requirements. Staff must only access information where they have a legitimate work-related reason to do so.
11. Sharing information for direct care
We may share relevant and proportionate information with other health and care organisations involved in your care.
This may include:
- NHS hospitals and clinics;
- NHS Lothian services;
- NHS 24;
- out-of-hours services;
- community nursing services;
- health visitors;
- midwives;
- physiotherapy services;
- mental health services;
- pharmacies;
- laboratories;
- screening services;
- other GP practices;
- local authority and social care services, where relevant to care.
Sharing information for direct care helps ensure that professionals involved in your care have the information they need to treat you safely and effectively.
12. Sharing information for NHS contractual, statutory, payment, planning, public health and service management purposes
Eastfield Medical Practice may be required to share relevant information for NHS contractual, statutory, payment, planning, audit, quality assurance, quality improvement, public health, prescribing, list management, service management and fraud prevention purposes.
This may include sharing information with:
- NHS Lothian;
- NHS National Services Scotland;
- Practitioner Services;
- Public Health Scotland, including functions formerly carried out by Information Services Division;
- Scottish Government;
- NHS Scotland bodies;
- auditors and audit bodies;
- regulators and inspection bodies;
- organisations supporting NHS payment, list management, prescribing, planning or service monitoring functions;
- other authorised organisations where there is a lawful basis.
Wherever possible, information used for planning, audit, statistics, quality improvement or service management will be anonymised or de-identified.
Identifiable information will only be used where this is necessary, lawful and proportionate.
Scotland no longer operates the Quality and Outcomes Framework in the same way as England. However, the practice may still be required to provide information for Scottish GP contractual, quality assurance, payment, audit, cluster, prescribing, planning or service monitoring purposes.
13. Safeguarding and protection
Eastfield Medical Practice may use or share relevant information where necessary for:
- child protection;
- adult support and protection;
- safeguarding;
- domestic abuse concerns;
- risk of serious harm;
- protection of vulnerable people;
- protection of staff, patients or the public.
This may include information sharing under, or in connection with:
- the Children (Scotland) Act 1995;
- the Adult Support and Protection (Scotland) Act 2007;
- National Guidance for Child Protection in Scotland;
- local NHS Lothian and Midlothian child protection and adult support and protection procedures;
- UK GDPR, the Data Protection Act 2018, the duty of confidentiality and human rights law.
Information may be shared with relevant organisations where this is necessary, proportionate and lawful. This may include:
- NHS Lothian;
- social work services;
- local authority child protection or adult protection teams;
- Police Scotland;
- health visitors;
- midwives;
- community nursing services;
- schools or education services where relevant;
- care providers;
- other health or care services involved in protection or safeguarding.
Where possible and appropriate, we will be open with patients about information sharing. However, information may be shared without consent where this is necessary to protect a child, an adult at risk, another person, staff or the public from harm, or where the law requires or permits disclosure.
Decisions to share safeguarding information will be recorded, including what was shared, with whom, when, and the reason for sharing.
The practice has named leads for Child Protection and Adult Support and Protection. Current lead details are maintained internally and are available from the practice where appropriate.
14. Sharing information for other lawful reasons
We may also share relevant and proportionate information where necessary for:
- safeguarding children or adults at risk;
- public health purposes;
- reporting notifiable diseases;
- managing serious incidents;
- responding to complaints;
- clinical governance and audit;
- legal claims;
- court orders;
- police requests, where there is a lawful basis;
- regulatory or inspection requirements;
- fraud prevention and detection;
- NHS service management and planning;
- health and care research where lawful and with safeguards.
We will only share information where there is a lawful reason to do so, and we will apply the minimum necessary approach.
15. Online services, website forms and My Surgery Website
Eastfield Medical Practice uses a practice website and online forms to provide information and allow patients to submit requests.
Our website is provided by a third-party website provider. The website may include online forms for requests such as administrative queries, sick or fit note requests, prescription-related requests, registration-related queries, contact updates or other practice services.
When you submit an online form, the information may include personal information and health information. We use this information to:
- identify you;
- confirm that you are registered with the practice, where required;
- process your request;
- contact you if further information is needed;
- update your medical record where appropriate;
- maintain an audit trail of the request.
Our website provider may process information on our behalf to deliver website and online form services. Suppliers processing personal information on our behalf are required to follow confidentiality, security and data protection requirements.
Information submitted through online forms may be copied into the clinical record or relevant practice system where needed for care, administration, audit trail or record-keeping purposes. Online form submissions held within the website system are retained only for as long as needed for service delivery, audit, security or contractual purposes, and in line with supplier arrangements.
Online forms must not be used for medical emergencies. If you need urgent medical help, follow the urgent care instructions provided on our website or contact the appropriate emergency service.
16. Website cookies, analytics, translation and reCAPTCHA
Our website uses cookies and similar technologies.
Some cookies and similar technologies are necessary to make the website work and keep it secure. Other technologies, such as analytics, translation tools or spam-protection tools, will only be used where this is lawful.
Depending on the technology and configuration, this may require consent, or may be permitted under a specific exemption where information is used only for limited statistical, security or service-improvement purposes and users are given appropriate information and control.
This may include:
- cookies that make the website function;
- cookies that remember cookie preferences;
- analytical cookies to help understand website use;
- Google Translate or similar translation tools;
- reCAPTCHA or similar tools to help protect online forms from spam or misuse.
Further information is available in our Cookie Policy or website cookie controls.
17. Telephone system and call recording
Eastfield Medical Practice uses a telephone system to manage calls to and from the practice.
Calls to and from the practice may be recorded. This applies to calls handled through the practice telephone system, unless a particular line, function or technical process is excluded.
Callers will be informed that calls may be recorded by a recorded message, website notice, telephone notice or other suitable notification.
Call recordings may be used for:
- patient safety;
- staff safety;
- quality monitoring;
- training;
- complaint handling;
- incident review;
- checking or clarifying information provided during a call;
- establishing facts about a call or request;
- supporting regulatory, professional or practice standards;
- preventing or detecting crime;
- investigating inappropriate, abusive or threatening behaviour;
- ensuring the effective operation of the telephone system.
The practice does not rely on patient consent as the usual lawful basis for recording routine practice calls. Call recording is carried out where necessary for the practice’s public task, healthcare administration, safety, quality, governance and legitimate operational purposes, and in accordance with applicable data protection, confidentiality and lawful business monitoring requirements.
Access to call recordings is restricted to authorised staff.
Call recordings are normally retained for one calendar month unless there is a specific reason to keep a recording for longer, such as:
- a complaint;
- an incident;
- a safeguarding concern;
- abusive, threatening or inappropriate behaviour;
- a legal claim;
- a police request;
- a regulatory requirement;
- another lawful investigation or patient safety reason.
Call recordings are not routinely added to the medical record. Relevant information from a call may be recorded in the clinical record where appropriate.
Patients who do not wish to use the telephone may contact the practice by another available route where appropriate. This may include writing to the practice, using approved online forms, or attending the practice in person. These alternatives may not be suitable for urgent matters.
18. Electronic clinical system
Eastfield Medical Practice uses an electronic clinical system to manage patient care and records.
This system is used for:
- patient registration details;
- appointments;
- consultations;
- diagnoses;
- medications;
- allergies;
- prescribing;
- test results;
- referrals;
- communications;
- clinical coding;
- long-term condition monitoring;
- vaccination information;
- care planning;
- clinical and administrative notes.
Access to the clinical system is restricted to authorised staff. Access is controlled by user accounts, role-based permissions and audit arrangements.
19. Staff access, audit trails and monitoring
Staff must only access patient information where they have a legitimate work-related reason.
Access to electronic systems is controlled through individual user accounts, permissions and system controls. Where available, systems maintain audit trails showing access, activity or changes made to records.
The practice may review access logs or audit information where appropriate, including where there is:
- a suspected confidentiality breach;
- a complaint or concern;
- an incident investigation;
- unusual access activity;
- a staff conduct concern;
- a legal, regulatory or patient safety reason.
Inappropriate access to patient information is treated seriously and may result in disciplinary, professional, regulatory or legal action.
20. Document management, scanning and correspondence
Eastfield Medical Practice uses document management systems to receive, scan, process, code, route and file documents.
This may include:
- hospital letters;
- discharge summaries;
- clinic letters;
- test results;
- referral information;
- forms;
- correspondence from patients or representatives;
- correspondence from other health and care services;
- paper documents scanned into the clinical record.
Relevant documents are stored within, or linked to, the patient’s medical record.
Paper documents are securely stored and disposed of in line with practice procedures and NHS records management requirements. Physical hospital letters scanned into the document management system are retained locally for three months before secure disposal, unless there is a specific reason to retain them for longer.
21. NHS email and shared mailbox
Eastfield Medical Practice uses NHS email systems and a shared practice mailbox to receive and send patient-related correspondence.
Emails may be reviewed by authorised members of the practice team and may be saved to the patient record where clinically or administratively relevant.
Patients should not use email for urgent medical problems. Emails from private email accounts may not be secure.
Where email is used to send or receive personal information, we will take reasonable steps to ensure that information is handled securely and shared only where appropriate.
22. SMS and text messaging
Eastfield Medical Practice may use SMS or text messaging to contact patients about appointments, care-related information or administrative matters.
This may include:
- appointment information;
- reminders;
- requests to contact the practice;
- links to forms or questionnaires;
- information about services;
- administrative updates.
Patients are responsible for ensuring that the mobile number they provide is correct and that they are comfortable receiving text messages on that device.
SMS messages may be visible to anyone with access to the patient’s phone. We will consider the sensitivity of information before sending messages by text.
23. Prescription requests and Patient Services
Patients may use approved online services to request repeat prescriptions.
Eastfield Medical Practice uses prescription request information to:
- identify the patient;
- process medication requests;
- review medication information where required;
- update the clinical record;
- communicate with pharmacies or NHS services involved in dispensing or medicines management.
Prescription information may be shared with community pharmacies, NHS services and other health professionals involved in your care where necessary.
24. Online review systems and questionnaires
Eastfield Medical Practice may use online review systems, questionnaires or digital forms to support patient care and service administration.
This may include:
- long-term condition reviews;
- annual reviews;
- medication monitoring;
- symptom questionnaires;
- administrative forms;
- patient feedback.
Information submitted through these systems may include health information. It will be reviewed by the practice team and added to the medical record where appropriate.
Where a third-party supplier provides an online review or questionnaire system, the supplier must handle information in line with confidentiality, security and data protection requirements.
25. Complaints, concerns, incidents and significant event reviews
We may use relevant personal information to investigate and respond to:
- complaints;
- concerns;
- feedback;
- incidents;
- significant events;
- safeguarding concerns;
- patient safety reviews;
- legal or regulatory matters.
Information will only be used or shared where necessary and proportionate.
Where an incident is reported through NHS Lothian systems, relevant information may be shared with NHS Lothian or other authorised bodies for investigation, learning, governance or safety purposes.
Complaint correspondence and investigation records are normally held separately from the clinical record, unless information is clinically relevant and needs to be recorded for safe care.
26. Personal data breaches
A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information.
Eastfield Medical Practice has procedures for identifying, reporting, investigating and managing personal data breaches.
Where required, the practice will seek advice from the Data Protection Officer and will report breaches that are likely to result in a risk to individuals to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, affected individuals will be informed without undue delay unless an exemption applies.
The practice will keep records of data breaches and actions taken.
27. CCTV
Eastfield Medical Practice uses CCTV to support:
- staff safety;
- patient safety;
- visitor safety;
- premises security;
- crime prevention and detection.
CCTV covers reception, corridors and external areas such as car parks and the building perimeter.
There is no CCTV in consultation rooms or toilets.
At present, the CCTV system operates as live viewing only. Recording and playback are not functional, so footage is not currently stored or retrievable for later viewing.
If recording functionality is restored, the practice will update this notice before or at the time recording is enabled, unless an urgent safety or security reason requires immediate action. The updated notice will explain:
- what is recorded;
- how long footage is retained;
- who can access footage;
- when footage may be shared;
- how individuals can request access to footage.
CCTV is maintained by an external security provider. Any supplier involved in CCTV maintenance must comply with confidentiality, security and data protection requirements.
28. Clinical photography, images, audio and video
In some circumstances, clinicians may need to take or receive photographs, images, audio or video for clinical purposes.
This may include:
- photographs of wounds, rashes, skin lesions or injuries;
- images submitted by patients for clinical review;
- images used to support referrals;
- images used to monitor progress or treatment.
Where images are used for direct care, we will explain why they are needed and record them appropriately in the medical record where relevant.
We do not use clinical images for publicity or social media.
Any use beyond direct care, such as teaching, training, publication or presentation, would normally require additional explicit consent and appropriate safeguards.
29. Social media
Eastfield Medical Practice may use social media channels, such as Facebook, for general practice announcements and service updates.
Social media must not be used to:
- request medical advice;
- submit personal information;
- discuss individual care;
- request urgent help;
- make clinical enquiries.
Public comments on social media may be visible to others. Patients should not post personal or medical information on social media.
The practice may hide, delete or restrict comments where appropriate, including comments that contain personal information, abusive language, confidential information or inappropriate content.
30. Suppliers and service providers
Eastfield Medical Practice uses suppliers and service providers to help run the practice safely and effectively.
These may include providers of:
| System or service category | Purpose |
|---|---|
| Clinical systems | Medical records, appointments, prescribing, consultations and clinical administration |
| Document management systems | Scanning, routing, coding and storing correspondence |
| Website and online forms | Practice website, online requests and patient-facing information |
| Telephone systems | Practice calls, call routing and call recording |
| NHS email and Microsoft 365 services | Email communication and shared mailbox access |
| SMS/text messaging | Patient communications and appointment/admin messages |
| Prescription request systems | Repeat prescription requests and related administration |
| IT support and NHS digital services | Secure access, system support and maintenance |
| Security and CCTV providers | Premises safety and security |
| Online review/questionnaire systems | Patient-submitted reviews, questionnaires and monitoring information |
| Finance/accounting systems | Practice financial administration, where relevant |
| Legal, professional or advisory services | Legal, regulatory, employment or governance advice, where relevant |
Suppliers are only permitted to process personal information where necessary to provide services to the practice. They must comply with confidentiality, security and data protection requirements.
Where suppliers process data on our behalf, they do so under a written contract or other legally binding arrangement and must follow our instructions unless the law requires otherwise.
The practice maintains internal records of key suppliers and systems where appropriate, including the purpose of processing, whether personal information is processed, whether special category information is processed, supplier role, contract status and relevant data protection arrangements.
31. International transfers and supplier hosting
We aim to keep patient information within the UK wherever possible and use NHS-approved or practice-approved systems for patient information.
Some suppliers or digital services may involve hosting, support, technical access or subprocessors outside the UK. Where personal information is transferred outside the UK, the practice will ensure that appropriate legal safeguards are in place.
This may include:
- adequacy arrangements;
- approved contractual protections;
- supplier security requirements;
- confidentiality obligations;
- NHS Scotland or NHS Lothian contractual controls;
- other safeguards required by data protection law.
Further information about specific supplier or transfer arrangements can be requested from the Practice Privacy / Data Protection Lead.
32. Planning, audit and research
Eastfield Medical Practice may participate in approved NHS Lothian, NHS Scotland, audit, planning, public health or research-related programmes where this is lawful and appropriate.
Where information is used for planning, audit, research or statistical purposes, we will use the minimum necessary information and appropriate safeguards. Wherever possible, information will be anonymised or de-identified before use.
Research is important for improving NHS care. The practice may support approved research activity where lawful. In some cases, specialist NHS staff may help identify patients who may be eligible to be invited to take part in research. No identifiable information will be given to researchers for a research study without the required lawful basis and safeguards. Where consent is required for participation, this will be sought separately.
Patients can tell the practice if they do not wish to be contacted about research invitations. This does not affect direct care.
Where Eastfield Medical Practice participates in NHS Lothian data programmes, such as DataLoch, or similar approved NHS data programmes, the practice will follow the required NHS Lothian patient information, data-sharing, opt-out and governance arrangements.
33. Children and young people
Children and young people have privacy rights.
Where a child or young person has sufficient understanding, they may be able to make decisions about how their information is used and who it is shared with.
Parents, guardians or carers may be involved where appropriate, but this will depend on the child or young person’s age, understanding, best interests and the circumstances.
We will consider confidentiality, safeguarding and the rights of the child or young person when handling information.
Information for children and young people can be provided in a more accessible format on request.
34. How long we keep information
We keep records only for as long as necessary.
Eastfield Medical Practice retains records in line with:
- the Scottish Government Records Management Code of Practice for Health and Social Care;
- NHS Scotland records management requirements;
- NHS Lothian guidance where applicable;
- legal and regulatory requirements;
- practice records management procedures.
Different types of records are kept for different periods.
| Type of information | Retention approach |
|---|---|
| Active GP clinical record | Retained for the lifetime of the patient while registered with a GP practice |
| Deceased patient GP record | Normally retained for 10 years after death, or longer where required for legal, inquiry, complaint, investigation, fatal accident inquiry or other lawful reasons |
| Deregistered patient paper record | Transferred through NHS Scotland Practitioner Services to the new GP practice where applicable |
| Deregistered patient digital record | Copied to the new practice where applicable; the previous practice retains its digital copy for 10 years |
| Records not transferred to a new provider | Retained for 100 years, unless guidance changes or another lawful retention rule applies |
| Child-specific health records held outside the main GP record, where applicable | Retained in line with the Scottish Government Records Management Code of Practice for Health and Social Care. This does not mean the main GP record is destroyed when a child reaches age 25. Information held within the main GP record is retained in line with GP record retention requirements |
| Safeguarding information within the GP record | Retained as part of the GP record unless specific guidance requires longer retention |
| Paper documents scanned into the clinical record | Retained locally for three months before secure disposal, unless there is a specific reason to retain them for longer |
| Call recordings | Normally retained for one calendar month unless needed for a complaint, incident, safeguarding, legal, regulatory or investigation reason |
| CCTV footage | Currently no footage is stored or retrievable because the system is live-view only |
| Online form submissions | Retained where needed to process the request and update the record where appropriate, and then retained or deleted in line with system, audit and records management requirements |
| Emails | Retained where needed for clinical, administrative, legal or records management purposes |
| Complaints and incidents | Retained in line with complaints, incident and records management requirements |
| Supplier, contractor and business records | Retained in line with accounting, legal, contractual and records management requirements |
Records are securely destroyed or deleted when no longer required, unless there is a lawful reason to keep them for longer.
35. How we protect your information
Eastfield Medical Practice takes steps to protect personal information from unauthorised access, loss, misuse or inappropriate disclosure.
Controls include:
- staff confidentiality obligations;
- mandatory training;
- access controls;
- password controls;
- secure NHS and clinical systems;
- role-based access;
- audit logs where available;
- secure storage of paper records;
- secure disposal of confidential waste;
- incident reporting and breach management procedures;
- supplier confidentiality and data protection requirements;
- use of approved systems for patient information wherever possible.
Staff must only access information where they have a legitimate reason connected to their role.
Unauthorised access to patient information is treated seriously and may result in disciplinary, professional, regulatory or legal action.
36. Automated decision-making
Eastfield Medical Practice does not make decisions about your care, treatment or legal rights based solely on automated decision-making.
Digital systems may support administration, communication, clinical coding, alerts, risk identification or workflow management, but decisions about care are made by appropriate members of the practice team or other healthcare professionals.
37. Your data protection rights
You have rights under data protection law. These rights do not apply in the same way in every situation, and some rights are limited in healthcare where information must be kept for patient safety, legal or regulatory reasons.
Your rights may include:
- the right to be informed about how your information is used;
- the right of access to your personal information;
- the right to rectification of inaccurate information;
- the right to restriction of processing in certain circumstances;
- the right to object in certain circumstances;
- the right to erasure in limited circumstances;
- the right to data portability in limited circumstances;
- rights relating to automated decision-making, where applicable.
Some rights, such as erasure and data portability, are limited in the context of NHS medical records.
We will not usually delete information from a medical record where it is needed for:
- safe care;
- legal obligations;
- regulatory requirements;
- public health;
- safeguarding;
- complaints;
- legal claims;
- maintaining an accurate clinical record;
- NHS records management requirements.
Where information is inaccurate, patients can ask us to review and correct it. Where there is a disagreement about clinical opinion or factual accuracy, we may add a note recording the patient’s concern.
If you wish to exercise your rights, please contact the Practice Privacy / Data Protection Lead.
38. Subject Access Requests
You have the right to ask for a copy of personal information held about you. This is called a Subject Access Request.
You can make a request verbally or in writing.
To make a request, contact:
Practice Privacy / Data Protection Lead
Eastfield Medical Practice
Eastfield Farm Road
Penicuik
EH26 8EZ
Telephone: 01968 675 576
Email: clinical.s77036@nhs.scot
We may ask for proof of identity or authority to act on someone else’s behalf to protect confidentiality.
We will respond without undue delay and normally within one month of receiving your request.
Where we reasonably need proof of identity, proof of authority to act on someone else’s behalf, clarification of the request, or payment of a fee in the limited circumstances where a fee is permitted, the one-month timescale may run from the point at which we receive what is needed to process the request.
If a request is complex, we may extend the response time by up to a further two months. If this applies, we will tell you and explain why.
Requests are usually free of charge. A reasonable fee may only be charged in limited circumstances, for example where a request is manifestly unfounded, excessive, repetitive, or where further copies are requested.
We may need to redact information before disclosure, for example where:
- it identifies another person;
- it contains confidential third-party information;
- disclosure could cause serious harm to the physical or mental health of any individual;
- disclosure would breach another person’s rights;
- disclosure is restricted by law.
In some circumstances, information may be withheld or redacted to protect confidentiality, safety, legal rights or the rights of another person.
39. Correcting information
If you believe information we hold about you is inaccurate or incomplete, you can ask us to review it.
If we agree that information is inaccurate, we will correct it where appropriate.
If we do not agree that information is inaccurate, we may add a note to the record explaining your concern.
Medical records may include professional opinions, clinical judgments or information provided by other organisations. These will not normally be deleted simply because a patient disagrees with them, but concerns can be recorded where appropriate.
40. Objecting to processing
You have the right to object to processing in certain circumstances, including where we rely on public task or official authority.
This right is not absolute.
We may continue to process information where there are compelling legitimate grounds, for example:
- patient safety;
- direct care;
- legal obligations;
- public health requirements;
- safeguarding;
- legal claims;
- regulatory requirements;
- maintaining accurate medical records.
If you wish to object, please contact the Practice Privacy / Data Protection Lead.
41. Freedom of Information
Freedom of Information requests are different from requests for your own personal information.
If you want a copy of your own medical record or other personal information, this is a Subject Access Request.
Eastfield Medical Practice can receive requests for recorded, non-personal information relating to the NHS general medical services we provide. Requests for information held by NHS Lothian, or about services provided directly by NHS Lothian, may need to be directed to NHS Lothian.
Freedom of Information does not normally provide access to another person’s confidential medical information.
42. Concerns and complaints
If you have a concern about how Eastfield Medical Practice uses your personal information, please contact the Practice Privacy / Data Protection Lead first.
Practice Privacy / Data Protection Lead
Eastfield Medical Practice
Eastfield Farm Road
Penicuik
EH26 8EZ
Telephone: 01968 675 576
Email: clinical.s77036@nhs.scot
If you make a data protection complaint to the practice, we will acknowledge it within 30 days and investigate it without undue delay. We may contact you to clarify the complaint, confirm your preferred contact method, or ask what outcome you are seeking.
You can make a data protection complaint by email, telephone, in writing, in person, or by using any electronic complaint form made available by the practice.
We will keep a record of data protection complaints, acknowledgements, investigation steps, outcomes and any actions taken.
You can also contact the Data Protection Officer:
Data Protection Officer
Information Governance
Woodlands House
74 Canaan Lane
Edinburgh
EH9 2TB
Telephone: 0131 465 5444
Email: Loth.DPO@nhs.scot
You also have the right to complain to the Information Commissioner’s Office, the UK regulator for data protection matters.
Information Commissioner’s Office
Website: www.ico.org.uk
Telephone: 0303 123 1113
43. Translation and accessibility
If you need this notice in another language, large print, Easy Read, audio format or another accessible format, please contact the practice.
NHS Lothian interpretation and translation support may also be available where appropriate.
NHS Lothian Interpretation and Translation Service
Telephone: 0131 536 2020 option 5 option 5
Email: loth.staffbankits@nhs.scot
44. Changes to this notice
We may update this notice from time to time to reflect changes in law, NHS requirements, practice systems, suppliers or how we use information.
The latest version will be published on our website.