Privacy Policy

1) About this Privacy Notice

Eastfield Medical Practice is committed to protecting your privacy and handling your personal information lawfully, fairly and transparently. This notice explains:

  • what information we collect and hold about you
  • why we use it and the lawful basis for doing so
  • who we may share it with
  • how long we keep it
  • the rights you have and how to exercise them

This notice applies to patients and, where relevant, carers, guardians, and authorised representatives, and covers information held in clinical and administrative systems.

2) Who we are (Data Controller)

Data Controller: Eastfield Medical Practice
Address: Eastfield Farm Road, Penicuik
Telephone: 01968 675 576
Website: www.eastfieldmedicalpractice.co.uk

Practice Privacy / Data Protection Lead: Practice Manager
If you have any questions about this notice or how we use your information, please contact the Practice Privacy / Data Protection Lead using the details above.

3) What information we collect

We may collect and use the following types of information:

A) Personal information

  • Name, date of birth, address, postcode
  • CHI number (and/or NHS identifiers)
  • Phone numbers and email address
  • Next of kin / emergency contacts
  • Communication needs (e.g., interpreter, accessible formats)

B) Health and care information (special category data)

  • Symptoms, diagnoses, medications, allergies
  • Test results, referrals, clinic letters, care plans
  • Vaccinations and long-term condition monitoring
  • Information from other health and care providers involved in your care

C) Administrative information

  • Appointment details and attendance
  • Records of contact with the practice (e.g., phone calls, messages, online forms)
  • Complaints, incidents, and feedback (where relevant)

Where we get information from

Most information is collected from you directly. We may also receive information from other services involved in your care, such as NHS hospitals, community services, NHS 24, out-of-hours services and other GP practices, and we may share information back with them as needed to support safe and effective care.

4) Why we use your information

We use your information to:

  • provide direct care (assessment, diagnosis, treatment, referrals, prescribing)
  • maintain accurate clinical records to support safe ongoing care
  • manage and plan services, including appointment systems and communications
  • safeguard patients, including protecting children and adults at risk
  • meet legal and regulatory obligations (e.g., responding to lawful requests, audits/inspections)
  • improve quality and safety through reviews, learning events, and clinical audit (using the minimum necessary information)

5) Our lawful basis for using your information

A) UK GDPR Article 6 (lawful basis)

We usually process your personal information because it is necessary for:

  • Public task / official authority (Article 6(1)(e)) – delivering NHS primary medical services, and operating the practice safely and effectively.

We may also process information where necessary for:

  • Legal obligation (Article 6(1)(c)) – where the law requires it.

B) UK GDPR Article 9 (health information – special category)

Health information is “special category data”. We process it because it is necessary for:

  • Health or social care (Article 9(2)(h)) – provision and management of health care and health systems/services.

We may also rely on other Article 9 conditions where appropriate (e.g., public health or safeguarding), always applying the minimum necessary approach.

C) Duty of confidentiality

In addition to data protection law, we are bound by a duty of confidentiality. Where information is confidential, we will only use or share it:

  • for your direct care
  • where you have given consent (where applicable)
  • where there is another legal basis or overriding public interest, or
  • where disclosure is required by law

6) Who we share your information with (and why)

We share information only when necessary, and only the minimum required.

For your direct care

We may share relevant information with:

  • NHS hospitals and clinics
  • community services (e.g., district nursing, health visiting)
  • other GP practices (e.g., if you move practice)
  • NHS 24 and out-of-hours services
  • pharmacies and other contractors providing NHS services for your care

For health system management, safety, and legal reasons

We may share information with:

  • NHS Lothian and other NHS bodies (where appropriate)
  • public health organisations (where required for public health purposes)
  • regulatory and oversight bodies (where legally required)
  • police/courts or other agencies where required by law, or where there is a serious risk of harm and sharing is necessary and proportionate

If you would like more detail about specific sharing arrangements, contact the Practice Privacy / Data Protection Lead.

7) Processors and third-party suppliers

We use trusted suppliers (“processors”) to help run the practice safely and effectively—for example, clinical systems, document management, telephony, and website hosting. These suppliers may process data on our instructions and must follow strict confidentiality and security requirements.

8) International transfers

We aim to keep patient information within the UK. If any supplier transfers personal data outside the UK, we will ensure appropriate legal safeguards are in place (for example, contractual protections and security requirements) and we can provide further information on request.

9) How long we keep your information (retention)

We keep records no longer than necessary, in line with NHS Scotland records management guidance and retention schedules.

Clinical records are retained in accordance with national retention requirements for GP records. If you want more detail on retention periods for specific record types, contact us.

10) Your rights

You have rights under UK GDPR. These include:

  • Right of access (Subject Access Request): request a copy of your information
  • Right to rectification: correct inaccurate information
  • Right to restriction (in some circumstances)
  • Right to object (in some circumstances)
  • Right to data portability (limited circumstances)
  • Right to erasure (“right to be forgotten”): limited in health care because we often must keep records for legal and patient safety reasons

Subject Access Requests (SARs)

We will respond within one month of verifying your identity and having enough information to process the request. This can be extended by up to two further months for complex requests (we will tell you if that applies).

Requests are usually free of charge. A reasonable fee may only apply in limited circumstances (for example, if a request is manifestly unfounded or excessive).

To make a request:
Contact the Practice Privacy / Data Protection Lead at: Eastfield Medical Practice, Eastfield Farm Road, Penicuik, EH26 8EZ
(We may ask for identification to protect your confidentiality.)

11) How we keep your information safe

We use a combination of organisational and technical measures to protect information, including:

  • staff confidentiality obligations and training
  • role-based access controls
  • secure clinical systems
  • secure storage and disposal arrangements
  • incident management processes for suspected breaches

12) CCTV

We use CCTV to support staff safety, patient safety, premises security, and crime prevention. Cameras cover reception, corridors and external areas such as the car park and building perimeter. There is no CCTV in consultation rooms or toilets.

Important: At present, our CCTV system operates as live viewing only. Recording and playback are not functional, so footage is not stored or retrievable for later viewing.

13) Clinical photography and video

In some situations, clinicians may need to take a photograph or video for direct clinical care (for example, to document a condition or support a referral). We will explain why it is needed and we will record your consent in your medical record.

We do not use clinical images for publicity or social media. Any use beyond direct care (e.g., teaching/training) would require explicit consent and appropriate safeguards.

14) Complaints and concerns

If you have questions or concerns, please contact the Practice Privacy / Data Protection Lead first.

If you remain unhappy, you can contact:

  • NHS Lothian Data Protection Officer: loth.dpo@nhs.scot and/or 0131 465 5444
  • Information Commissioner’s Office (ICO) (UK data protection regulator)

15) Changes to this notice

We will update this notice from time to time. The latest version will always be published on our website.

Page last reviewed: 09 February 2026
Page created: 20 November 2023