Privacy policy

What is a Privacy Notice?

A privacy notice outlines the personal information (or personal data) we collect from our patients and service users and how it is utilised. Being transparent and providing clear information about how we use your personal data is a key requirement under the UK GDPR. 

Under the UK GDPR, we are obligated to handle personal information fairly and lawfully. This applies to all aspects of how we process a patient’s personal data. Specifically, this means The Jubilee Street Practice Ltd must: 

• Ensure there are lawful and appropriate reasons for collecting or using personal information.
• Avoid using the information in ways that could harm individuals (e.g., sharing data inappropriately with third parties). 
• Be clear and transparent about how the information will be used and provide relevant privacy notices when collecting personal data.
• Handle personal information in accordance with data protection laws and guidance. 
• Refrain from using the collected data in an improper or unlawful manner.

Access to this privacy notice, and where English is not your first language

If English is not your first language you can request a translation of this Privacy Notice. Please visit our practice to request this.

Changes to this privacy notice

We regularly review and update our Privacy Notice.

Personal information we collect from you

The information we collect from you will include:

• Your contact details, such as your name, email address, workplace, and work contact information.
• The details and contact information of your next of kin or emergency contacts.
• Your date of birth, gender, and ethnicity.
• Information related to your medical history.
• The reason for your visit to the GP practice.
• Medical notes, including diagnoses and details of consultations with our GPs and other healthcare professionals within the GP practice or Primary Care Network involved in your direct care.

Personal information we collect from third parties

When you register with our GP practices, we will obtain your GP medical records if you were previously registered with another practice. 

During your registration with us, we also collect personal and healthcare information about you that is sent to us by hospitals, consultants, or any other healthcare professionals, as well as anyone else involved in your care. 

Additionally, we may receive personal information from other organisation, including:

• Law enforcement agencies, such as the police.
• Courts, such as through a court order
• Border control and immigration authorities
• Social services
• Insurance companies

Special category information we collect about you

Your health information is considered a special category of data because it is highly sensitive. 

When we receive your personal and healthcare information, either from you or a third party, it may include other types of sensitive data, in addition to your health details. 

Special category data includes personal information revealing your:

• Race or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade Union membership
• Genetic Data
• Biometric Data (when used for identification)
• Health information
• Sex life
• Sexual orientation

How we use your personal information and special category information

We use your personal and healthcare information in the following ways:

• To provide you with direct healthcare.
• To communicate with other doctors, consultants, nurses, or healthcare professionals and organisations involved in your diagnosis, treatment, or ongoing care.
• To address any complaints or legal claims you may have made.
• When required by law to share your information with other organisations, such as those within the North East London Integrated Care System, the police, under a court order, with solicitors, or immigration enforcement.
• To respond to data sharing requests from other organisations for purposes related to your direct healthcare or for research and planning.

We will never share your information with anyone who doesn’t need it or doesn’t have the right to access it, unless you provide us with explicit consent to do so.

The legal justification for using your personal information and special category information

Click here to view PDF file.

Use of the Population Health Management Data Platform (Optum Pathfinder)

To help improve local health and care services, we share anonymised patient information with NHS and local partners through the Population Health Management programme called Optum Pathfinder. This means your name and other details that identify you are removed before sharing, and you can opt out at any time if you prefer. Click on the attachment below for more details:

Click here to view PDF file.

Common Law Duty of Confidentiality

When we use your healthcare information, we must not only comply with data protection laws but also adhere to the common law duty of confidentiality. This means that any health and care information you share with us in confidence cannot be disclosed without legal authority or valid justification. We meet this obligation by obtaining your consent to provide care, and we will ask for your explicit consent if your information is to be used for any other purposes.

Data security and retention

How long we keep your personal information 

As an NHS provider, we manage your personal and healthcare information in accordance with NHS England’s Records Management Code of Practice Records Management Code of Practice - NHS Transformation Directorate (england.nhs.uk) 

We are the data controller for your GP medical records while you are registered with our GP practices. If you move to a different GP practice, your medical records will be transferred, and the new GP practice will become the data controller responsible for maintaining your records and providing access if you submit a Subject Access Request (SAR). 

Security and storage of your personal information 

We take the security of your personal and healthcare information very seriously and make every effort to protect it. We regularly update our systems and processes, ensuring that our staff receive appropriate training. Additionally, we conduct assessments and audits on the information we hold, and whenever we provide other services, we carry out risk assessments and security reviews. 

All our staff, contractors, and locums undergo regular training to ensure they understand their responsibilities regarding confidentiality. They are legally and contractually obligated to uphold confidentiality, with breaches enforceable through disciplinary action. Access to personal information is strictly limited to authorized staff members whose roles require it, and it is granted on a need-to-know basis. 

We also have contractual agreements with all our data processors, ensuring they comply with data protection requirements when working with us. 

Your GP medical records are stored in an electronic system called EMIS Web, provided by Optum. Optum stores this information in cloud storage hosted by Amazon Web Services (AWS). The data is stored securely in the UK and is fully encrypted both in transit and at rest. AWS is a global leader in cloud services, already supporting many public sector clients, including the NHS, and provides the highest levels of security and support. They do not have access to your personal information. 

To read Optum’s privacy notice, please click on the link: EMIS Group Privacy Notice | EMIS (emishealth.com).

CCTV at our GP practice locations

We use surveillance cameras (CCTV) both inside and around our Practice locations for the following purposes: 

• To protect staff, patients, visitors, and property, and to help prevent crime
• To identify and prosecute offenders, and provide evidence for criminal or civil legal actions 
• To act as a deterrent and reduce unlawful behaviour
• To create a safer environment for our staff
• To assist in traffic management and car parking
• To monitor operational and safety-related incidents
• To help verify claims

You have the right to request a copy of any CCTV footage that includes you by submitting a Subject Access Request. Please direct your request to the Practice Management Team. 

To assist us in locating the footage, you will need to provide sufficient details to help us identify the images. 

We reserve the right to withhold information where allowed by relevant laws. CCTV footage is retained only for a reasonable period or as required by law. In certain cases, we may need to disclose CCTV footage for legal purposes.

Data Sharing

Whenever you use a health or care service, such as visiting Accident & Emergency or accessing Community Care Services, important information about you is collected to ensure you receive the best possible healthcare and treatment. 

This information may be shared with other authorised organisations, where there is a legal basis, to support the planning of health and care services, improve care quality, conduct research for new treatments, and help prevent illness. All of this contributes to better care for you, your family, and future generations. 

As outlined in this privacy notice, your confidential health and care information is only used when permitted by law, and it will never be used for any other purpose without your explicit consent.

Data sharing with healthcare organisations and people for your direct healthcare

We may share your personal information with the following individuals or organisations, as they may need access to your information to support the delivery of your direct healthcare. It is important for them to have access to this information to ensure they can provide their services to you effectively:

• Hospital staff (such as doctors, consultants, nurses, etc.)
• Other GPs/Doctors
• Pharmacists
• Nurses and other healthcare professionals
• Dentists
• Any other individuals or organisations involved in your general healthcare, including mental health professionals, private sector providers (such as pharmaceutical companies), and those supplying medical equipment, dressings, hosiery, etc.

Third parties mentioned in your GP medical records

At times, we may record information about third parties that you mention during a consultation. We are required to protect the rights of these third parties as individuals and ensure that any references to them, which could violate their confidentiality, are removed before sharing information with any other party, including yourself.

Third parties can include, but are not limited to, spouses, partners, and family members.

Your summary care record (SCR)

The Summary Care Record (SCR) is a national electronic database that stores important patient information, such as current medications, allergies, and any history of adverse reactions to medicines, all derived from GP medical records. Authorized staff in other areas of the NHS health and care system can access and use this information to support your direct care. 

To learn more about the SCR, you can visit the NHS England website at Summary Care Record - NHS England Digital. 

As a registered patient, you will already have an SCR, unless you previously opted out. This record contains essential information about the medications you're taking, any allergies you have, and any past adverse reactions to medicines. You can also choose to share additional medical details, including significant health conditions, past surgeries and vaccinations, preferences for treatment (such as where you'd like to receive care), any support you might need, and emergency contact details for someone who can provide further information about you. 

Healthcare information is not always routinely shared across different healthcare organisations, which means you might need treatment from professionals who are unaware of your full medical history. Important details about your health can be hard to recall, especially when you're unwell or have complex care needs. 

Having an SCR helps by giving healthcare providers access to critical information from your health record, enabling them to make better, safer decisions about your care. 

As a patient, you have the right to opt out of sharing your SCR with other healthcare organisations. If you'd like to opt out of this please fill out the opt out form by clicking the following link https://digital.nhs.uk/services/summary-care-records-scr/scr-patient-consent-preference-form. Once completed please email the form back to us at nelondonicb.jubileestreetpractice@nhs.net. You can opt back in at any time.

GP Connect

We use an NHS IT service called GP Connect to enhance your direct healthcare. GP Connect allows patient information to be accessed by relevant clinicians when needed, ensuring timely and coordinated care, which improves both treatment and outcomes. GP Connect is solely used for direct patient care and not for any other purpose.  

Authorised clinicians, such as GPs, NHS 111 staff, care home nurses (if you are in a care home), secondary care providers, and social care professionals, can access the GP records of the patients they are treating through GP Connect. 

The NHS 111 service, along with other local services (such as other GP practices within a Primary Care Network), can also use GP Connect to book appointments for patients at GP practices and other local healthcare providers. 

To learn more about GP Connect, you can visit the NHS England website GP Connect Transparency Notice - NHS England Digital. 

As a patient, you have the right to opt out of having your healthcare information shared through GP Connect. If you would like more information about your rights regarding the sharing of your information via GP Connect, please contact the GP practice. You can opt back in at any time. 

Primary Care Network

The goal of Primary Care Networks (PCNs) is to bring together groups of GP practices to create more collaborative teams that help alleviate pressure on GPs, allowing them to focus more on patient care. Every area in England is covered by a PCN. 

PCNs are a fundamental part of the NHS long-term plan. The policy of bringing GP practices together to work on a larger scale has been a priority for several years, with the aim of improving practice staff recruitment and retention, managing financial and estate challenges, offering a broader range of services to patients, and facilitating better integration with the wider health and care system. 

GP practices have formed geographical networks, each covering populations of about 30,000 to 50,000 patients, to access additional funding through the GP contract. This size aligns with the primary care homes in many areas of the country, although they are smaller than most GP federations. 

As a result, this organisation may share your information with other practices within the PCN to ensure you receive the care and treatment you need.

NHS health checks

Cohorts of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team at this organisation will see confidential information about you during the invitation process.

Data sharing for non-healthcare purposes

Your personal information may be shared with other organisations for purposes unrelated to direct healthcare. These organisations include:

• NHS Commissioning Support Units
• NHS England
• NHS Integrated Care Boards
• Multi-agency Safeguarding Hub
• Local authorities
• Social care services
• Education services 

Invoice validation

Your personal information may be shared to identify which Integrated Care Board (ICB) is responsible for funding your treatment. 

This information could include your name, address, and the date of treatment. All data is stored securely and kept confidential; it will not be used for any other purpose or shared with third parties.

Pseudo-anonymised data extraction by North East London Integrated Care Board (NHS NEL ICB)

NHS NEL ICB (North East London Integrated Care Board) is responsible for planning and purchasing healthcare services across north east London to meet the needs of the population, ensuring that all parts of the local health system work together efficiently. 

NHS NEL ICB may access medical information about you as a patient, but any data shared with them through our systems is anonymized in a way that prevents them from identifying you. This information is encoded in a way that only your practice can recognise (pseudo-anonymised). This ensures that anyone at NHS NEL ICB who accesses the information cannot identify you. We will never provide NHS NEL ICB with details that would allow them to identify you. 

There are several reasons why NHS NEL ICB may need this information, including:

• To analyse current healthcare services and assess proposals for future service development.
• To create risk stratification models that assist GPs in identifying and supporting patients with long-term conditions, helping to prevent unplanned hospital admissions and reduce the risk of certain diseases, such as diabetes.
• To use risk stratification to better understand the health needs of the local population, enabling NHS NEL ICB to plan and commission appropriate services. Examples include:
  •Flu vaccination coverage
  •Enhanced access
  •Commissioned services
  •Medicines management (reviewing prescribed medications)
  •Childhood immunisations
  •Risk stratification (e.g., preventing hospital admissions)

To learn more about NHS NEL ICB, please visit the organisation’s website: Home - NHS North East London (icb.nhs.uk) 

NHS NEL ICB Privacy Notice: Legal Information - NHS North East London

NHS NEL ICB Risk Stratification Privacy Notice:  Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer (icb.nhs.uk) 

Data sharing with NHS England

We are required by law to share structured and coded data from your GP medical records with NHS England. 

Before sending any data to NHS England, information that directly identifies you, such as your NHS number, General Practice Local Patient Number, postcode, date of birth, and, if applicable, date of death, is replaced with unique codes using de-identification software. This ensures that your identity cannot be directly linked to the data. 

NHS England will collect the following information:

• Data related to your sex, ethnicity, and sexual orientation
• Clinical codes and details about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls, and appointments, including information about your physical, mental, and sexual health
• Information about the healthcare staff who have treated you.

More detailed information about the patient data collected is contained within the Data Provision Noticed issued to GP practices.

NHS England will not collect the following information: 

• Your name and address (except for your postcode, which will be in a unique coded form)
• Written notes (free text), such as details of conversations with doctors and nurses
• Images, letters, and other documents
• Coded data that is no longer required due to its age, such as medication, referral, and appointment information older than 10 years
• Coded data that GPs are legally prohibited from sharing, such as certain information about IVF treatment and gender reassignment.

Anonymised data

Occasionally, we may share information with other organisations in an anonymised format. When we do, the data we provide will not identify you as an individual and cannot be traced back to you.

Your data subject rights

Under the UK GDPR, individuals have certain rights regarding their personal information held by an organisation. These rights include:

• The right to be informed about how your data is processed
• The right to access the data held about you (via a Subject Access Request)
• The right to request corrections if your information is inaccurate
• The right to request the deletion of your information
• The right to restrict the processing of your data
• The right to have your data transferred to another organisation (data portability)
• The right to object to the processing of your data
• Rights related to automated decision-making and profiling

At present, we do not use automated decision-making, meaning no decisions are made solely by automated processes without human involvement.

How to make a subject access request, or exercise your other data subject rights

Under the UK GDPR, you have the right to access and receive a copy of the personal information we hold about you, which is known as a Subject Access Request (SAR). You can also request that we correct any inaccuracies in your information.

To submit a SAR, please contact the Practice using the contact details provided. 

There is no charge for obtaining a copy of your personal information. However, in exceptional cases, if the request is excessive, complex, or repetitive, we may need to apply an administrative charge for additional copies. 

We are required to provide you with your personal information within one month. Therefore, we ask that requests be made in writing, specifying the information you need. 

Please ensure you provide enough details (such as your full name, address, date of birth, NHS number, and a description of your request) to help us verify your identity and locate your records.

For information held by a hospital or other NHS Trust, you should contact the relevant organisation directly.

Your data opt-out rights (for research and planning purposes)

Type 1 opt-out 

If you wish to prevent your registered GP practice from sharing your personal information for research and planning purposes, you will need to complete an opt-out form and submit it to your GP practice. The form can be downloaded from the NHS England website Opt out of sharing your health records - NHS (www.nhs.uk). 

Please be aware that if you choose the Type 1 Opt-out, your GP practice will not share your personal information for research and planning purposes. However, NHS England will still be able to collect and share your personal data from other healthcare providers, such as hospitals.

National data opt-out

The national data opt-out (NDOO) service allows patients to opt out of having their confidential patient information used for research and planning purposes. This opt-out choice is managed and recorded by NHS England, not your registered GP practice. 

 There may still be instances where your confidential patient information is used, such as during an epidemic that poses a risk to public health. You can also still choose to participate in specific research projects if you wish. 

 Your confidential information will continue to be used for your individual care. Opting out will not affect your care or treatment, and you will still be invited for screening services, such as bowel cancer screenings. 

If you are satisfied with how your confidential patient information is used, you don’t need to take any action. 

 If you prefer not to have your information used for research and planning purposes, you can opt out through one of the following methods:

• Online service – Requires your NHS number or postcode as registered with your GP practice.
• Telephone service – Call 0300 303 5678, available Monday to Friday, 9:00 AM to 5:00 PM.
• NHS App – Available for patients aged 13 and over (95% of GP surgeries are connected to the NHS App). The app can be downloaded from the App Store or Google Play.
• Printed form – Download the form from Manage_your_choice_1.1.pdf You will need to send copies of proof of identity (e.g., passport or UK driving licence) and address (e.g., utility bill or payslip). Once received, it can take up to 14 days to process the form, which should be sent to NHS, PO Box 884, Leeds, LS1 9TZ.

Your right to complain

If you have any concerns regarding the use of your personal information, you can file a complaint using the contact details provided at the top of this privacy notice. 

If you are still dissatisfied with how we have handled your data after making a complaint, you also have the option to escalate the matter to the Information Commissioner's Office (ICO). 

The ICO’s contact details are:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113

Website: www.ico.org.uk/make-a-complaint

Text messaging and contacting you

We may use SMS text messaging to contact you on your mobile phone regarding appointments and other services related to your direct care. To ensure we can reach you and not someone else, it is important that you keep your contact details up to date.

As we are required to protect your confidential information, it is essential that you notify us immediately if any of your contact details change.

The SMS service operates on an ‘opt-in’ basis. By providing your mobile number as part of your contact information, we will assume you have consented to receiving SMS messages. If you prefer not to receive these texts, please inform your GP practice so we can opt you out. We may also contact you via the email address you have provided.

Telephone call recordings

All calls made to our GP practice are recorded.

We record calls to help clarify any disputes with patients or service users, and also for staff training purposes. Access to call recordings is restricted to senior staff only.

At The Jubilee Street Practice Ltd, call recordings are kept for up to 3 years.

If you would like to access your call recordings, you will need to submit a Subject Access Request to the Practice.

Data Controller details

The Jubilee Street Practice Ltd is the data controller of your personal information. This means we are responsible for collecting, storing and managing your personal and healthcare data when you register with us as a patient or service user. The ways in which we use your information are outlined in this privacy notice.

We are registered with the Information Commissioner’s Office, and our registration number is ZB533515.

We operate on the site 368-374 Commercial Road, London, E1 0LS. If you have any questions about your personal data, please contact nelondonicb.jubileestreetpractice@nhs.net

Data Protection Officer contact details

Our Data Protection Officer is the NHS NEL GP DPO and is responsible for monitoring our compliance with data protection requirements.

You can contact our DPO with queries or concerns relating to the use of your personal information.

NHS NEL GP DPO
NHS North East London Integrated Care Board
Unex Tower
4th Floor
5 Station Street
London
E15 1DA

Email: itservicedesk.nelicb@nhs.net
Telephone: 0300 303 6778

Subject Access Requests (SARs) should be made in writing to your registered GP practice and will be handled by the GP practice SAR administrator. 

Keeping your records up to date

Under the UK GDPR, we are legally required to protect any personal and healthcare information we hold about you, and we take this responsibility very seriously. It is crucial that you inform us as soon as possible if any of your contact details change. 

Auditing of clinical notes

We routinely audit clinical notes as part of our commitment to ensuring effective healthcare management. Auditing clinical care is similar to a multi-disciplinary team meeting where treatment plans are reviewed and agreed upon. Throughout this process, we uphold strict confidentiality.

Our website and cookies

When you visit our website, cookies are placed on your computer to enhance your browsing experience. A cookie is a small file of letters and numbers that is downloaded to your device when you access a website. You can choose to decline the use of cookies during your first visit to the site, or revoke this at any time via your web browser settings.

We only use necessary cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category at the bottom left of the website.
The cookies that are categorised as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site.
These cookies will only be stored in your browser with your prior consent. None of the site cookies tracks a user once they have left the website.
You can choose to enable or disable some or all of these cookies but disabling some of them may affect your browsing experience.

Cookies that we use include:
• Google Analytics for performance monitoring (no tracking)
• Consent - Monitors user consent on cookies usage