Privacy Notice

Florence House Medical Practice has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice.

What Information Do We Collect About You?

We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:

  • Personal data: any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to name, date of birth, full postcode, address, next of kin and NHS number
  • Special category/sensitive data: this could be medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation

Your healthcare records contain information about your health and any treatment or care you have received previously. This information will be collected either electronically using secure NHS Mail or a secure electronic transfer over an NHS encrypted network connection. Physical information will also be sent to the practice. This information will be retained within our electronic patient record or within a patient paper records.

We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

How We Will Use Your Information

Your data is collected for the purpose of providing direct patient care. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information is also used with the practice for clinical audit to monitor the quality of the service provided. Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

We can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases

Processing your information in this way and obtaining your consent ensures that we comply with GDPR articles:

  • 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’
  • 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’, and
  • 9(2)(h) “…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

Who Will We Share Your Information With

In order to deliver and coordinate your health and social care, we may share or receive information from the following organisations:

  • Other GP practices
  • NHS trusts/foundation trusts
  • NHS commissioning support units
  • Independent contractors such as dentists, opticians, pharmacists
  • Public Health England
  • Private sector providers
  • Voluntary sector providers
  • Community care services
  • Ambulance trusts
  • Clinical commissioning group
  • Social care services
  • NHS Digital
  • Local authorities
  • Educations services
  • Fire and rescue services
  • Police and judicial services
  • Other “data processors” which you will be informed of
  • Third party processors:

When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties includes:

  • Companies that provide IT services and support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

Further details regarding specific third party processors can be supplied on request.

You will be informed who your data will be shared with and in some cases, asked for explicit consent for this to happen when this is required.

Your data will not be transferred outside the European Union.


This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

  • NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
  • Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
  • Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
  • For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

GM Care Record

Keeping your personal data safe is central to the GM Care Record

Each health and care organisation in Greater Manchester collects information about you and keeps records about the care and services they have provided. The GM Care record pulls together the information from these different health and social care records and displays it in one combined record.

How is your personal information kept safe and secure in the GM Care Record?

We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information.

Appropriate technical and security measures in place to protect the GM Care Record include:

  • complying with Data Protection Legislation;
  • encrypting Personal Data transmitted between partners;
  • implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
  • a requirement for organisations to complete the Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements;
  • use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the GM Care Record are auditable against an individual accessing the GM Care Record
  • ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.

The NHS Digital Code of Practice on Confidential Information applies to all NHS and care staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff with access to Personal Data are trained to ensure information is kept confidential.

Whilst you are automatically enrolled into the GM Care Record as a GM citizen, you have the option to object to your information being shared for individual care and to opt out of your data being used for research and planning. More information about this is available here:

How the NHS and care services use your information

Florence House Medical Practice is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided.
  • Research into the development of new treatments.
  • Preventing illness and diseases.
  • Monitoring safety.
  • Planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit On this web page you will:

  • See what is meant by confidential patient information.
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
  • Find out more about the benefits of sharing data.
  • Understand more about who uses the data.
  • Find out how your data is protected.
  • Be able to access the system to view, set or change your opt-out setting.
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

Maintaining Confidentiality

We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO).

Every member of staff who works for the practice or another NHS organization has a legal obligation to keep information about you confidential.

We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

Recording Telephone Calls

Telephone calls to and from the surgery are recorded and processed in accordance with the UK General Data Protection Regulations and the Data Protection Act 2018, calls are recorded for monitoring, training and dispute resolution purposes.

The purpose of call recording is for training and monitoring purposes.  This includes the provision of a record of incoming and outgoing calls which can:

  • Identify practice staff training needs
  • Protect practice staff from nuisance or abusive calls
  • Establish facts relating to incoming/outgoing calls made (e.g. complaints)
  • identify any issues in practice processes with a view to improving them (e.g. to aid workforce planning)
  • Establish the facts and assist in the resolution of any medico-legal claims made against the practice or its clinicians.

The practice’s welcome telephone message advises callers that their call are recorded and for what purpose the recording is used. This is via a pre-recorded message within the telephone system and via signage at the practice.

General call recordings will be retained for up to 3 years from the date of creation.

The above retention periods are in line with the Records Management Code of Practice for Health and Social Care 2021.

If you do not wish for your calls to be recorded, you will need to specify this at the beginning of the call to the person you are talking to. However, you should be aware that this will have an impact on identifying training needs and/or investigating accurately and efficiently complaints.

Risk Stratification

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including Florence House Medical Practice; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.

Invoice Validation

Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.


The law sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. However consent is only one potential lawful basis for processing information. Therefore the practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice.

Florence House Medical Practice will contact you if we are required to share your information for any other purpose which is not mentioned within this notice.

You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive – please speak to the practice first

You have the right to object to information being shared for any purpose other than your medical care, such as for research or planning purposes. In this instance, please visit www.nhs/uk/your-nhs-data-matters. You will be able to opt out securely online. Alternatively call 0300 303 5678.

You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing.  Please contact the practice manager for further information and to raise your objection.

Access To Your Records

You have a right to access the information we hold about you. This is called a Subject Access Request (SAR). Please ask at reception for a SAR form. You can also make the request via email. You should be aware that some details within your health records may be exempt from disclosure. This will be in the interests of your wellbeing or to protect the identity of a third party. The practice will process your request within one calendar month.

Furthermore, should you identify any inaccuracies you have a right to have the inaccurate data corrected. Please speak with the practice manager should this be the case.

Please complete the attached SAR form (PDF) if you would like to make a subject access request.

Data Controller and Data Protection Officer

As your registered GP practice, we are the data controller for any personal data that we hold about you.

The Data Protection Officer (DPO) for Florence House Medical Practice is Ms Shavarnah Purves – Email: [email protected] or [email protected] – telephone: 0161 213 1792 0161 213 1790.

In the unlikely event that you are unhappy with any element of our data-processing methods, you should raise your concerns in the first instance in writing with the Practice Manager.


If you remain dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at:

Wycliffe House
Water Lane

Telephone: 01625 545 700


Page updated: 17/11/2023