1) About this Privacy Notice
Eastfield Medical Practice is committed to protecting your privacy and handling your personal information lawfully, fairly and transparently.
This notice explains:
- what information we collect and hold about you
- why we use it and the lawful basis for doing so
- who we may share it with
- how long we keep it
- the rights you have and how to exercise them
This notice applies to patients and, where relevant, carers, guardians and authorised representatives. It covers information held in our clinical and administrative systems.
2) Who we are (Data Controller)
Data Controller: Eastfield Medical Practice
Address: Eastfield Farm Road, Penicuik, EH26 8EZ
Telephone: 01968 675 576
Website: www.eastfieldmedicalpractice.co.uk
Practice Privacy / Data Protection Lead: Practice Manager
If you have any questions about this notice or how we use your information, please contact the Practice Privacy / Data Protection Lead using the details above.
3) What information we collect
We may collect and use the following types of information:
A) Personal information
- Name, date of birth, address and postcode
- CHI number and/or other NHS identifiers
- Telephone numbers and email address
- Next of kin / emergency contact details
- Communication needs, such as interpreter requirements or accessible formats
B) Health and care information (special category data)
- Symptoms, diagnoses, medications and allergies
- Test results, referrals, clinic letters and care plans
- Vaccinations and long-term condition monitoring information
- Information from other health and care providers involved in your care
C) Administrative information
- Appointment details and attendance
- Records of contact with the practice, such as telephone calls, messages and online forms
- Complaints, incidents and feedback, where relevant
Where we get information from
Most information is collected from you directly. We may also receive information from other services involved in your care, such as NHS hospitals, community services, NHS 24, out-of-hours services and other GP practices. We may share information back with them where necessary to support safe and effective care.
Some information is needed so that we can identify you correctly, provide safe care, maintain accurate records and meet NHS and legal requirements. If you do not provide information that is required, this may affect our ability to provide services safely or fully.
4) Why we use your information
We use your information to:
- provide direct care, including assessment, diagnosis, treatment, referrals and prescribing
- maintain accurate clinical records to support safe ongoing care
- manage and plan services, including appointment systems and communications
- safeguard patients, including protecting children and adults at risk
- meet legal and regulatory obligations, including responding to lawful requests and audits or inspections
- improve quality and safety through reviews, learning events and clinical audit, using the minimum necessary information
5) Our lawful basis for using your information
A) UK GDPR Article 6 (lawful basis)
We usually process your personal information because it is necessary for:
- Public task / official authority (Article 6(1)(e)) – delivering NHS primary medical services and operating the practice safely and effectively
We may also process information where necessary for:
- Legal obligation (Article 6(1)(c)) – where the law requires it
B) UK GDPR Article 9 (health information – special category)
Health information is special category data. We process it because it is necessary for:
- Health or social care (Article 9(2)(h)) – the provision and management of health care and health systems and services
We may also rely on other Article 9 conditions where appropriate, for example public health or safeguarding, always applying the minimum necessary approach.
C) Duty of confidentiality
In addition to data protection law, we are bound by a duty of confidentiality. Where information is confidential, we will only use or share it:
- for your direct care
- where you have given consent, where applicable
- where there is another legal basis or overriding public interest
- where disclosure is required by law
6) Who we share your information with (and why)
We share information only when necessary, and only the minimum required.
For your direct care
We may share relevant information with:
- NHS hospitals and clinics
- community services, such as district nursing and health visiting
- other GP practices, for example if you move practice
- NHS 24 and out-of-hours services
- pharmacies and other contractors providing NHS services for your care
For health system management, safety and legal reasons
We may share information with:
- NHS Lothian and other NHS bodies, where appropriate
- public health organisations, where required for public health purposes
- regulatory and oversight bodies, where legally required
- police, courts or other agencies where required by law, or where there is a serious risk of harm and sharing is necessary and proportionate
If you would like more detail about specific sharing arrangements, please contact the Practice Privacy / Data Protection Lead.
7) Processors and third-party suppliers
We use trusted suppliers and service providers to help run the practice safely and effectively, for example providers of clinical systems, document management, telephony and website hosting.
These organisations process personal data on our instructions and must follow strict confidentiality, security and data protection requirements.
8) International transfers
We aim to keep patient information within the UK.
If any supplier transfers personal data outside the UK, we will ensure appropriate legal safeguards are in place, such as approved contractual protections and security requirements. Further information can be provided on request.
9) How long we keep your information (retention)
We keep records no longer than necessary and in line with NHS Scotland records management guidance and retention schedules.
Clinical records are retained in accordance with national retention requirements for GP records. If you would like more information about retention periods for specific types of record, please contact us.
10) Your rights
You have rights under UK GDPR. These include:
- the right of access – to request a copy of your information
- the right to rectification – to have inaccurate information corrected
- the right to restriction – in certain circumstances
- the right to object – in certain circumstances
- the right to data portability – in limited circumstances
- the right to erasure – in limited circumstances; in health care this right is restricted because we often need to keep records for legal, regulatory and patient safety reasons
Subject Access Requests (SARs)
You can ask for a copy of your information verbally or in writing.
We will respond within one month of verifying your identity and having enough information to process the request. This can be extended by up to a further two months for complex requests, and we will tell you if that applies.
Requests are usually free of charge. A reasonable fee may only apply in limited circumstances, for example if a request is manifestly unfounded or excessive.
To make a request, contact the Practice Privacy / Data Protection Lead at:
Eastfield Medical Practice
Eastfield Farm Road
Penicuik
EH26 8EZ
We may ask for identification to protect your confidentiality.
Right to object
You have the right to object to how we process your personal information in certain circumstances. This right is not absolute and will depend on the reason we are using your information.
11) How we keep your information safe
We use a combination of organisational and technical measures to protect information, including:
- staff confidentiality obligations and training
- role-based access controls
- secure clinical systems
- secure storage and disposal arrangements
- incident management processes for suspected breaches
We do not make decisions about your care or your rights based solely on automated decision-making.
Some telephone calls to and from the practice may be recorded for service quality, staff safety, complaint handling and training purposes. Access to recordings is restricted to authorised staff and recordings are retained only for a limited period in line with our local arrangements.
12) CCTV
We use CCTV to support staff safety, patient safety, premises security and crime prevention. Cameras cover reception, corridors and external areas such as the car park and building perimeter. There is no CCTV in consultation rooms or toilets.
At present, our CCTV system operates as live viewing only. Recording and playback are not functional, so footage is not stored or retrievable for later viewing.
13) Clinical photography and video
In some situations, clinicians may need to take a photograph or video for direct clinical care, for example to document a condition or support a referral. We will explain why it is needed and will record your consent in your medical record where appropriate.
We do not use clinical images for publicity or social media. Any use beyond direct care, such as teaching or training, would require explicit consent and appropriate safeguards.
14) Complaints and concerns
If you have questions or concerns about how we use your information, please contact the Practice Privacy / Data Protection Lead first.
If you remain unhappy, you can contact:
NHS Lothian Data Protection Officer
Email: loth.dpo@nhs.scot
Telephone: 0131 465 5444
You also have the right to complain to the Information Commissioner’s Office (ICO), the UK regulator for data protection matters.
15) Changes to this notice
We may update this notice from time to time. The latest version will always be published on our website.