Privacy Notice
A hard copy of the Privacy Notice and Appendix A can be obtained from Reception at Steyning Medical Practice.
Introduction
This Privacy Notice explains how we, as your GP Practice, use your personal information. It sets out what information we collect about you, why we collect it, how we use it, how we keep it safe, who we share it with, and your rights.
Why we collect and use your information
We collect information about you to provide safe, effective, high-quality healthcare. Your record ensures clinicians have accurate information, your care is coordinated, and legal obligations are met.
Our Commitment to Data Privacy and Confidentiality Issues
As a GP practice, all GPs, staff and associated practitioners are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation. This includes the UK-General Data Protection Regulation (UK-GDPR), the Data Protection Act (DPA) 2018 and any applicable national Laws implementing them, as amended from time to time. The legislation requires us to process personal data only if there is a legitimate basis for doing so, and requires that any processing be fair and lawful.
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications Regulations.
What information we hold about you
- Personal data (name, DOB, address, contact details, NHS number)
- Special category data (health, ethnicity, religion, sexual orientation where relevant)
- Confidential patient information
- Pseudonymised, anonymised, or aggregated data
How we use your information for your care
We use your data to provide direct care, make referrals, issue prescriptions, request tests, support care planning, and safeguard vulnerable individuals.
How we use your information for wider NHS purposes
Your data may also support service planning, clinical audit, population health management, research (mostly anonymised), public health, and regulatory compliance.
Sharing your information
We may share data with:
- Hospitals, community services, mental health teams
- Our Primary Care Network (PCN)
- NHS England, NHS Digital, Integrated Care Boards
- Social care, pharmacies, diagnostic services
- Out-of-hours providers
- Safeguarding authorities
- Law enforcement / regulatory bodies
Only the minimum necessary information is shared, and always lawfully.
Lawful basis for processing
Direct care and treatment
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(h) – Provision of health or social care
Referrals, prescriptions, investigations, test results
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(h) – Provision of health or social care
Multidisciplinary team working / PCN services
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(h) – Health or social care
Safeguarding children and vulnerable adults
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(d) – Vital interests, 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(g) – Substantial public interest, 9(2)(h) – Health or social care
Emergency or life-threatening situations
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(d) – Vital interests
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(c) – Vital interests
Service planning, commissioning, performance monitoring
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(h) – Health or social care, 9(2)(i) – Public health
Population Health Management / risk stratification
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(h) – Health or social care
Research (usually anonymised or pseudonymised)
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task, 6(1)(a) – Consent (only when required)
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(j) – Research (subject to safeguards), 9(2)(a) – Consent (if required)
Public health purposes
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(i) – Public health
Regulatory compliance (CQC, GMC, HMRC, DVLA, FOI, audits)
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(c) – Legal obligation
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(g) – Substantial public interest
Responding to complaints or legal claims
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task, 6(1)(c) – Legal obligation
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(f) – Legal claims
Communications: SMS, email, NHS App messaging
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task, 6(1)(a) – Consent (where purely optional)
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(h) – Health or social care
National screening programmes
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(i) – Public health
NHS Admin & mandatory reporting
- Lawful Basis – Article 6 UK GDPR (Personal Data): 6(1)(c) – Legal obligation, 6(1)(e) – Public task
- Lawful Basis – Article 9 UK GDPR (Special Category Data): 9(2)(g) – Substantial public interest
Safeguarding of children & vulnerable adults
We may share relevant information with safeguarding authorities if someone is at risk of harm.
Statutory and legal disclosures
We may be legally required to share data with organisations such as CQC, HMRC, DVLA, GMC, police, or counter-fraud bodies.
Your rights under the UK GDPR
You have rights to be informed, access your data, rectification, erasure (in limited cases), restrict processing, data portability, object, and understand automated decision-making.
Accessing your record
You may request copies of your record verbally or in writing. Identity verification may be required. Some information may be redacted if it could cause harm or identifies another person.
Your data sharing choices (Opt-Outs)
- Type 1 Opt-Out: Prevents data leaving the practice for non-care purposes.
- National Data Opt-Out: Controls use of your data for research and planning. National data opt out programme
- Choose if data from your health records is shared for research and planning
Communication by text, email, NHS App
We may contact you via SMS, email, and NHS App messaging. You can opt out at any time.
Website and cookies
International transfers
We do not routinely transfer your data outside the UK. If required, safeguards will be applied.
How long we keep your information
We follow NHS Records Management Code of Practice retention periods. Records are securely destroyed when no longer required.
Keeping your information safe
We use secure systems, role-based access, encryption, staff training, and secure destruction.
Data Protection Officer
Complaints
Raise concerns with the Practice Manager or complain directly to the ICO.
Please let us know immediately if you change your address, mobile number or email address.
Updates
This Privacy Notice is reviewed regularly, and the latest version is published on our website.