Privacy – Leatside Surgery

As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.

Leatside Surgery Privacy Notice

This privacy notice describes the data, the practice holds about you, why we hold it, where and how we store it, how long for and how we protect it. It also tells you about your rights under the Data Protection Legislation and how the law protects you.

Who we are and what do we do?

Leatside Surgery, Babbage Road, Totnes, TQ9 5JA.

Contact number 01803 862671

Website - https://leatside.co.uk/

Leatside Surgery is a Data Controller for the data we hold about you. We hold your data to provide you with health and social care.

What is personal data and what data do we use?

Your personal data is any information that can be connected to you personally. If you can be identified from the data, it is personal data. The types of personal data we use and hold about you are:

Details about you: your name, address, contact number, email address, date of birth, gender and NHS number. We may also hold information about your emergency contact, next of kin and carer.
Details about your medical care: medical diagnosis, record of treatment received, referrals, history of prescribed medication, results of investigations such as X-rays, research participation etc.
Information provided by you: this includes correspondence relating to feedback, concerns and complaints about the service you have received.
Relevant information from other healthcare professionals, relatives or those who care for you.

We may also hold the following information about you:

Religion or other beliefs of a similar nature.
Family, lifestyle and/or social circumstances.
Employment details.
Financial details.

When we collect your mobile number and or email address, we use it to text and or email you to remind you of appointments via an NHS approved provider accurx.

We may also text and or email you about the following:

Administrative information e.g. your prescription being ready to collect.
Care plan sent in a consultation e.g. dosing of new medication.
Recall e.g. advising the patient to book an appointment,
Advice and safety netting sent in a consultation e.g. link to NHS information or MSK exercise videos
Signposting to third-party services in a consultation e.g. exercise classes.
Normal test results e.g. chest x-ray normal
Some abnormal results e.g. Low Vitamin D, with advice for sun exposure or OTC supplements 01/03/2025
Telephone information
Reminder e.g. for cervical screening or overdue blood tests
Follow-ups
Relevant immunisation campaigns

If you no longer wish to receive communication this way, please let a member of staff know who will be able to update your preferences.

When we collect your email address, we use it to email you information regarding Practice News, this is usually contained within our Leatside Patient Group newsletter and any immunisation campaigns. We may also email you in response to a complaint or feedback if this was sent in via email and this is your preferred method of contact. If you no longer wish to receive communication this way, please let a member of staff know who will be able to update your preferences.

The Practice may use your mobile number or details, such as name, Date of Birth (DOB) & NHS number, to send out invites for patients to book into vaccination clinics or services via a system called Accubook which is provided by accurx or via our clinical system, SystmOne. Those patients without a mobile number will be manually booked by this system. Patients who dissent from the use of their mobile number will be identified by the reporting process and their data not used in this way.

Why do we process your data and what legal basis do we have to process your data?

In order to process your personal data or share your personal data outside of the practice, we need a legal basis to do so. If we process or share special category data, such as health data, we will need an additional legal basis to do so.

We rely upon Article 6(1)(e) (public interest task) and Article 9(2)(h) (health and social care) for most of our processing and sharing, in particular to:

Provide you with health and social care.
Share data from, or allow access to, your GP record, for healthcare professionals involved in providing you with health and social care.
Receive data from or access your data on other NHS organisation clinician systems.
Work effectively with other organisations and healthcare professionals who are involved in your care.
Ensure that your treatment and advice, and the treatment of others is safe and effective.
Participate in National Screening Programmes.
Use a computer program to identify patients who might be at risk from certain diseases or unplanned admissions to Hospitals.
Help NHS Digital and the practice to conduct clinical audits to ensure you are being provided with safe, high-quality care.
Support medical research when the law allows us to do so.
Supply data to help plan and manage services and prevent infectious diseases from spreading.

We rely upon Article 6(1)(d) (vital interest) and Article 9(2)(c) (vital interests) to share information about you with another healthcare professional in a medical emergency.

We rely upon Article 6(1)(e) (public interest task) and Article 9(2)(g) (substantial public interest) to support safeguarding for patients who, for instance, may be particularly vulnerable to protect them from harm or other forms of abuse.

We rely upon Article 6(1)(c) (legal obligation) and Article 9(2)(h) to share your information for mandatory disclosures of information (such as NHS Digital, CQC and Public Health England).

We rely upon Article 6(1)(c) (legal obligation) and Article 9(2)(f) (legal claims) to help us investigate legal claims and if a court of law orders us to do so.

We rely upon Article 6(1)(a) (consent) and Article 9(2)(a) (explicit consent), in order to:

Help the practice investigate any feedback, including patient surveys, complaints or concerns you may have about contact with the practice.
Help manage how we provide you with services from the practice, for example, when you nominate individuals to contact the practice on your behalf.
Share your information with third parties, for example, insurance companies and medical research organisations.
Help GP trainees to improve consultation techniques, via audio and/or visual recordings.

We also use anonymised data to plan and improve health care services. Specifically, we use it to:

Review the care being provided to make sure it is of the highest standard.
Check the quality and efficiency of the services we provide.
Prepare performance reports on the services we provide.

Healthcare staff will respect and comply with their obligations under the common law duty of confidence.

Common law duty of confidentiality

Healthcare staff will respect and comply with their obligations under the common law duty of confidence.

We meet the duty of confidentiality under one of the following:

You have provided us with your explicit consent,
For direct care, we rely on implied consent,
We have approval from the Confidentiality Advisory Group (CAG),
We have a legal requirement to collect, share and use the data,
On a case-by-case basis, we will share information in the public interest.

How do we collect your data?

The practice collects data that you provide when you:

Receive treatment or care from the practice,
Contact the practice by telephone (telephone calls received and made by the practice are recorded), online or in person,
Complete a form electronically or in paper,
Visit the practice’s website (If cookies are enabled).

We receive information about you from other providers to ensure that we provide you with effective and comprehensive treatment.

These providers may include:

The GP Practices within the South Dartmoor and Totnes Primary Care Network (PCN)
Other GP Practices
NHS Trusts/Foundation Trusts
NHS Commissioning Support Units (CSUs)
Community Services (District Nurses, Rehabilitation Services and out of hours services)
Ambulance or emergency services
Independent contractors such as Pharmacies, Dentists and Opticians
Devon Clinical Commission Group (CCG)
NHS Digital
NHS England
Local authorities
Health and Social Care Information Centre (HSCIC)
Police and Judicial Services
Educational Services
NHS 111
Public Health England and Screening
Non-NHS health care providers
Research providers
DPT
Community Mental Health Multi-Agency Teams
External providers we are working with on projects

Accurx

We also use a patient triage tool (provided by accurx). Accurx is a web based Online Consultation tool that allows patients to submit a short medical or admin query directly to the Practice.

Accurx is provided by a third-party organisation and by using accurx, you are submitting information to them. This information is stored on secure servers located in the UK and European Economic Area (EEA).

This information is then provided to the practice to be reviewed.

Further information on accurx Patient Triage can be found: https://www.accurx.com/terms-and-conditions

Heidi

When undertaking consultations and with your consent we may use a transcription tool, called Heidi AI, this assists in documenting clinical consultations and improving the accuracy of our records. This tool will supersede the need for any dictation software used for referral letters. Heidi AI processes audio recordings of consultations and summarises the consultation, which is then reviewed and stored securely in your medical records. This tool operates in compliance with GDPR and other applicable data protection
laws. For further details on how Heidi AI handles data, please refer to their Privacy Policy (https://www.heidihealth.com/uk/legal/privacy-policy) .

If you have any concerns about the use of this tool during your consultation, please speak to a member of our team.

Purpose of Processing with Heidi AI

Leatside Surgery now uses Heidi, an AI-powered scribe technology, to assist clinicians in accurately and efficiently documenting patient consultations. You will be asked to confirm you are happy with this before any transcribing is undertaken. This section outlines how we collect, use, and protect personal data processed by Heidi to ensure we meet high standards of privacy and confidentiality.

Types of Personal Data Processed

Heidi processes two main types of personal data during consultations:

Patient Information: This includes the patient’s name, contact details, medical history, diagnosis, treatment information, and any other information shared during consultations.
Clinician Information: This includes audio recordings capturing the clinician’s voice and any professional identifiers, such as names and titles.

Purpose and Legal Basis for Processing with Heidi AI

The processing of data with Heidi AI is done to support clinicians in maintaining accurate and timely medical records. This processing is carried out with explicit patient consent under:

GDPR Article 6(1)(a): Consent of the data subject.
GDPR Article 9(2)(h): Necessary for the provision of health or social care.

Data Retention and Security with Heidi AI

Data Retention: Audio data captured during consultations is temporarily stored for transcription and is deleted once the clinician verifies and finalises the documentation in the Electronic Health Record (EHR).

Data Security: Data is encrypted during processing and stored on NHS-compliant secure servers located within the UK. Only authorised staff and clinicians have access to this data.

Sharing and Access Controls

Heidi operates as a data processor under a contractual agreement with Leatside Surgery. Heidi is fully compliant with NHS data security standards, and access to AI-transcribed data is restricted to healthcare providers directly involved in your care.

Your Rights

Patients have the right to:

Access: Request details of how their data is processed by Heidi.
Withdraw Consent: Opt-out of Heidi’s use during consultations.
Rectification: Request correction of any inaccuracies in their health records.

Practice unbound – Workflow go

Our team use the Workflow go software to enable the surgery to safely and systematically process all correspondence into our patient records. You can see details of their privacy notice through this link; https://www.practiceunbound.org.uk/privacy-policy

Lexacom

Lexacom is the current dictation software used for generating letters and referrals. You can review the privacy policy via this link; https://www.lexacom.co.uk/policies/privacy-policy/

Who do we share your data with?

In order to deliver and coordinate your health and social care, we may sometimes share information with other organisations. We will only ever share information about you if other agencies involved in your care have a genuine need for it. Anyone who receives information from the practice is under a legal duty to keep it confidential and secure.

Please be aware that there may be certain circumstances, such as assisting the police with the investigation of a serious crime, where it may be necessary for the practice to share your personal information with external agencies without your knowledge or consent.

We may share information with the following organisations:

The GP Practices within the South Dartmoor and Totnes PCN (Ashburton Surgery, Buckfastleigh Medical Centre, Catherine House Surgery and South Brent Health Centre).
Other GP Practices
NHS Trusts/Foundation Trusts
Devon Integrated Care Board (ICB)
NHS Commissioning Support Units
Community Services (District Nurses, Rehabilitation Services and out of hours services)
Ambulance or emergency services
Independent contractors such as Pharmacies, Dentists and Opticians
Local authorities
Multi-Agency Safeguarding Hub (MASH)
Health and Social Care Information Centre (HSCIC)
Police and Judicial Services
Educational Services
Fire and Rescue Services
NHS 111
The Care Quality Commission, ICO and other regulated auditors
UK for Health Security Agency
Office for Health Improvement and Disparities
Public Health England and Screening
NHS England
NHS Digital - https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patientdatasafe/gdpr/gdpr-register
NHS Digital covid specific sharing Coronavirus (COVID-19) response transparency notice - NHS Digital
Non-NHS health care providers
Research providers
Rowcroft Hospice
Community Mental Health Multi-Agency Teams
Joy Social prescribing software
Devon Partnership Trust (DPT)
Primary Mental Health Multi Agency Teams
Red Carrier
NHS South, Central and West Child Health Information Services (SCW CHIS)
Organisations who are delivering services on behalf of the practice (for example completing

Subject Access Requests and Medical Reports with your consent (currently iGPR).

In addition to sharing data with the above services, the practice will also use carefully selected third party service providers that process data on behalf of the practice. When we use a third-party service provider, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating responsibly to ensure the protection of your data. Examples of functions that may be carried out by third parties includes:

Organisations that provide IT services & support, including our core clinical systems (currently South Devon Health Informatics Service SDHIS); systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate video consultation, appointment bookings or electronic prescription services; document management services etc.
Organisations who are delivering services on behalf of the practice (for example conducting Medicines Management Reviews to ensure that you receive the most appropriate, up to date and cost-effective treatments or supporting practices in offering choices of providers and appointments to patients who are being referred via the NHS E-Referral system).
Delivery services (for example if we were to arrange for delivery of any medicines to you).
Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
Mailing services (currently Red Carrier) to enable practice communications to be mailed to patients. https://www.webpostred.com/build/downloads/WebpostPrivacyNotice.30b5f555.pdf
Our social prescribing team also use The Joy App. The Joy App is an online system that supports all daily SPLW client-related activities, from case notes to referrals, whilst capturing valuable efficacy data. The Joy App is provided by a third-party organisation. The Joy app privacy notice is available at Privacy policy - Joy Social Prescribing Software (thejoyapp.com)
With patient consent we use a third-party NHS accredited company called IGPR to process Subject Access Requests and Medical Reports. IGPR process medical reports and send the completed request to the patient via a secure download link. If you wish to contact IGPR directly, please email managedservice@igpr.co.uk
Our phone provider (currently Babblevoice). Babblevoice integrates with our clinical system which improves efficiency when calls are received into the practice. This system will support the practice in providing efficient communication tools to the patient population. All calls may be recorded for training and quality purposes and stored for up to 14 weeks. Further
information can be found at the following website: https://www.babblevoice.com/
For some of our Care Home Residents we share your records using Interoperability/the Enhanced Data Sharing Module with Immedicare so that they are able to provide a virtual clinical support service 24/7 for when you may need to be cared for. The information being shared can be personal contact details, diagnosis, medications, allergies, and test results. Your records will be treated with the strictest confidence and can only be viewed if you use their service. Further information regarding Immedicare can be found here: https://immedicare.co.uk/privacy-notice/
Oviva (UK) Ltd - The NHS Type 2 Diabetes Path to Remission is a service for people with type 2 diabetes. It is a one-year programme to support healthier lifestyle, weight loss and remission of Type 2 diabetes. The programme consists of nutritionally complete total diet replacement products, for 12 weeks, followed by a period of food reintroduction and
subsequent weight maintenance support, with a total duration of 12 months. The programme is delivered by Oviva, for any eligible patients referred by GPs in the eligible areas. The contract for the provision of the programme is held between NHSE and Oviva, with data flowing between Oviva and GP surgeries directly and between Oviva and the commissioners
for reporting. Data is also provided to C&P ICB (only in aggregate form) to enable monitoring of referrals and ensure the overall success of the programme.
This Practice shares your lung health related data with the NHS Targeted Lung Health Check (TLHC) service operated by InHealth Group Ltd and partners. This supports your invitation to a lung health check appointment (if eligible) and possible CT scan by the lung health check team. This data may be shared with your local Hospital Trust to support further
treatment and with other healthcare professionals involved in your care. https://www.england.nhs.uk/contact-us/privacy-notice/how-we-use-yourinformation/ourservices/evaluation-of-the-targeted-lung-health-check-programme/

On some occasions individuals will work with the practice under an honorary contract to fulfil work on behalf of the practice. For example, we may work with organisations such as DPT to fulfil a research or quality improvement project. If you wish to opt out of this then please advise the Practice Operations Manager.

One Devon Dataset

As well as using your data to support the delivery of care to you, your data may be used to help improve the way health and social care is delivered to patients and service users throughout Devon using Population Health Management methods.

We will use a pseudonymised extract (i.e. not identifiable information) which will be sent securely to NHS Devon ICB (Integrated Care Board) and in partnership with the Local Authorities. Data will be used to support the Devon Integrated Care System to improve short-term and medium-term health outcomes for local populations. If you would benefit from some additional care or support, your information will be shared back to the practice, or another local provider involved in your care, so that they can offer you direct care.

If you have previously asked the practice to apply a Type 1 opt-out to your medical records, this will be applied by NHS Devon ICB

Further information about Population Health Management can be found here: https://www.england.nhs.uk/integratedcare/what-is-integrated-care/phm/

Further information about the One Devon Dataset can be found here:

Privacy notice for One Devon Dataset - Devon County Council

We will rely on public interest task as the legal basis for processing your data for this purpose. You have a right to object to your information being used in this way. If you wish to discuss this further, please contact our Operations Manager.

Devon and Cornwall Care Record

Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive.

This shared system is called the Devon and Cornwall Care Record. It’s important that anyone treating you has access to your shared record, so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.

It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email. Only authorised staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include.

For more information about the Devon and Cornwall Care Record, please go to
https://www.devonandcornwallcarerecord.nhs.uk/

Where do we store your data?

We use several IT systems and tools to store and process your data, on behalf of the practice. Examples of tools we use include our Core Clinical System SystmOne (S1), NHS mail, Microsoft 365, accurx messaging, Joy Social prescribing software.
For further information on this, please contact the surgery.

Video consults

If required the practice may consult patients via video consultation, this will be done after a telephone discussion and with consent from the patient. The Practice may consult you via video for the following:

Routine chronic disease check-ups, especially if the patient is stable and has monitoring devices at home
Administrative reasons e.g. re-issuing sick notes, repeat medication
Counselling and similar services
Duty doctor/nurse triage when a telephone call is insufficient
Any condition in which the trade-off between attending in person and staying at home favours the latter (e.g. in some frail older patients with multi-morbidity or in terminally ill patients, the advantages of video may outweigh its limitations)

To consult safely via video, consult the Practice will use accurx which is the agreed platform for Leatside Surgery Medical Centres and has been endorsed by NHS Devon ICB.

GPConnect/Enhanced Data Sharing Module

We share your record using GP Connect/Enhanced Data Sharing Module to make sure that, whether you are visiting the practice, attending hospital, or being seen in the community or at home by a care professional, everyone knows the care you need and how you want to be treated. Your electronic health record is available to the practices in South Dartmoor and Totnes PCN and other local providers Brunel Medical Practice, Chelston Hall Surgery, Corner Place Surgery, Croft Hall Medical Practice, Dartmouth
Medical Practice, Compass House Medical Centres, Mayfield Medical Centre, Old Farm Surgery, Parkhill Medical Practice, Pembroke House Surgery and Southover Medical Practice who are involved in your care. This includes the sharing of personal contact details, diagnosis, medications, allergies and test results. Your records will be treated with the strictest confidence and can only be viewed if you use their service.

You can find more information about GP Connect at: https://digital.nhs.uk/services/gp-connect/gpconnectin-your-organisation/transparency-notice

You can also search for organisations who use GP Connect here:
https://transparency.ndsp.gpconnect.nhs.uk/Name

Please note that if you have previously dissented (opted out) to sharing your records, this decision will be upheld, and your record will only be accessed by the practice. The national data opt-out does not apply.

Should you wish to opt-out, please speak to a member of reception who will be able to update your personal preferences. Please note that by opting out of this sharing, other health professionals may not be able to see important medical information, which may impact on the care you receive.

General Practice Data for Planning and Research Data Collection (GPDfPR)

As well as using your information to support the delivery of care to you, your data may be used by NHS Digital to help improve the way health and social care is delivered to patients and service users throughout England. From the 1st of September 2021, NHS Digital will securely extract your information to provide access to patient data to the NHS and other organisations who need to use it, to improve health and social care for everyone.

NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, and pharmaceutical companies.

At the time of publication (May 2021), patients who have a “type 1” opt- out, will  be excluded from this programme and will not have their data extracted for this purpose.

Further information about GPDfPR can be found here: https://digital.nhs.uk/data-andinformation/data-collections-and-data-sets/data-collections/general-practice-data-for-planningandresearch/transparency-notice

We will rely on Legal Obligation (Article (6)(1)(c)), Health and Social Care (Article 9(2)(h)) and Public Health (Article (9)(2)(i)) as the legal basis for processing your data for this purpose.

Summary Care Record (SCR)

NHS England have implemented the SCR which contains information about you; including your name, address, data of birth, NHS number, medication you are taking and any bad reactions to medication that you have had in the past. This information is automatically extracted from your records and uploaded onto a central system.

Many patients who are seen outside of their GP Practice are understandably not able to provide a full account of their care or may not be able to do so. The SCR means patients do not have to repeat their medical history at every care setting and the healthcare professional they are seeing is able to access their SCR. The SCR can only be viewed within the NHS-on-NHS smartcard-controlled screens or by organisations, such as pharmacies, contracted to the NHS.

As well as this basic record, additional information can be added to include further information. However, any additional data will only be uploaded of you specifically request it and with your consent. You can find out more about the SCR here: https://digital.nhs.uk/services/summary-carerecords-scr

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at early stages. These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. More information on the national screening programmes can be found at: https://www.gov.uk/topic/population-screening-programmes

Risk Stratification

Your medical records will be searched by a computer program so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible.

This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this practice. More information can be found at https://www.england.nhs.uk/ig/risk-stratification/ or speak to the practice.

Population Health Analytics

Population Health Management methods. We will only use a pseudonymised extract (ie. not identifiable information) which will be sent securely to NHS Devon CCG and in partnership with Optum. Optum have been appointed to provide technical assistance to NHS Devon CCG and use the data to support the Devon Integrated Care System to improve short term and medium-term health outcomes for local populations. Please note that at no time will patient identifiable data be used in the delivery of this programme.

Patients who have a Type 1 opt-out will be excluded from this programme and will not have their data extracted for this purpose.

Further information about Population Health Management can be found here: https://www.england.nhs.uk/integratedcare/building-blocks/phm/ We will rely on Public interest task as the legal basis for processing your data for this purpose.

Research

We're excited to share news of our partnership with seasoned National Institute for Health Research Regional Delivery Network (NIHR RRDN) experts, seamlessly integrated into our practice team. In the pursuit of advancing medical research, these professionals, alongside our practice team, may access your patient record for pre-consented activities. This involves identifying potential eligibility for research opportunities and supporting recruitment and follow-up for clinical trials. This process operates under the lawful bases of Article 6 (public task) and Article 9 (substantial public interest) of the GDPR. Be assured, that your privacy and data security are rigorously safeguarded. This collaboration also supports NIHR and NHS's pursuit in improving equality to access research. Any eligible individuals will be contacted by the practice, and their consent will be requested before any further processing takes place.

Safeguarding

Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare.

We do not need your consent or agreement to do this.

How long do we hold your data?

We only hold your data for as long as necessary and are required to hold your data in line with the NHS Records Management Code of Practice for Health and Social Care 2021 Retention Schedule. Further information can be found online at: Records Management Code of Practice - NHS Transformation Directorate (england.nhs.uk)

The following fall outside of the NHS Records Management Code of Practice for Health and Social Care but are kept for the following, call recordings for 14 weeks and insurance reports 7 years.

What rights do you have?

You have various rights under the UK GDPR and Data Protection Act 2018:

Right of access:

You have the right to request access to view or request copies of the personal data, we hold about you; this is known as a Subject Access Request (SAR). In order to request access, you should:

Submit a subject access request form, along with your ID to the Practice, we will then begin the process of putting together your SAR.

Please note that you are entitled to a copy of your data that we hold free of charge; however, we are entitled to charge in certain circumstances where the law permits us to do so. We are also entitled to refuse a request, where the law permits us to do so. If we require a fee or are unable to comply with your request, we will notify you within 1 calendar month of your request.

Right to restrict or object the use of your information:

There are certain circumstances in which you can object from your data being shared. Information regarding your rights to opt-out is detailed below:

Consent:

If the practice is relying on the consent as the basis for processing your data, you have the right to withdraw your consent at any time. Once you have withdrawn your consent, we will stop processing your data for this purpose.

However, this will only apply in circumstances on which we rely on your consent to use your personal data. Please be aware that if you do withdraw your consent, we may not be able to provide certain services to you. If this is the case, we will let you know.

Summary Care Record:

The SCR improves care; however, if you do not want one, you have the right to object to sharing your data or to restrict access to specific elements of your records. This will mean that the information recorded by the practice will not be visible at any other care setting.

If you wish to discuss your options regarding the SCR, please speak to a member of staff at the practice.

You can also reinstate your consent at any time by giving your permission to override your previous dissent.

National Screening Programmes:

If you do not wish to receive an invitation to the screening programmes, you can opt out at https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screeningprogrammes or speak to the practice.

Type 1 Opt-out:

You have the right to object to your confidential patient data being shared for purposes beyond your direct care by asking the practice to apply a Type 1 opt-out to your medical records. A type 1 opt-out prevents personal data about you, being extracted from your GP record, and uploaded to any other organisations without your explicit consent. If you wish for a Type 1 opt-out to be applied to your record, please contact the Operations Manager.

National Data Opt-out:

You have the right to object to your data being shared under the national data opt-out model. The national data opt-out model provides an easy way for you to opt-out of sharing data that identifies you being used or shared for medical research purposes and quality checking or audit purposes.

To opt-out of your identifiable data being shared for medical research or to find out more about your opt-out choices please ask a member of staff or go to NHS Digital’s website: https://digital.nhs.uk/services/national-data-opt-out-programme Our
organisation is compliant with the national data opt-out policy.

Cancer Registry:

The National Cancer Registration and Analysis Service is run by Public Health England and is responsible for cancer registration in England, to support cancer epidemiology, public health, service monitoring and research.

Further information regarding the registry and your right to opt-out can be found at: https://www.gov.uk/guidance/national-cancer-registration-and-analysis-service-ncras

Right to rectification:

You have the right to have any errors or mistakes corrected within your medical records. This applies to matters of fact, not opinion. If the information is of clinical nature, this will need to be reviewed and investigated by the practice. If you wish to have your records amended, please contact the Operations Manager.

If your personal information changes, such as your contact address or number, you should notify the practice immediately so that we can update the information on our system. We will also ask you from time to time to confirm the information we hold for you, is correct.

Right to erasure:

The practice is not aware of any circumstances in which you will have the right to delete correct data from your medical record, which the practice is legally bound to retain. Although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the data and contact the practice if you hold a different view.

Right to complain:

Please let us know if you wish to discuss how we have used your personal data, raise a concern, make a complaint or compliment.

You can contact us via our website; Feedback and complaints – Leatside Surgery, in person at the surgery or via telephone.

You also have the right to complain to the Information Commissioner’s Office. If you wish to complain follow
this link: https://ico.org.uk/global/contact-us/ or call the helpline on 0303 123 1113.

Data outside EEA

We do not send your personal data outside of the EEA. However, if this is required, the practice would only do so, with your explicit consent.

Data Protection Officer

The Data Protection Officer for the practice is Natalie Thompson-Clarke and she can be contacted via email on dccg.deltdpo@nhs.net or by post: Delt Shared Services Limited, BUILDING 2 – Delt, Derriford Business Park, Plymouth, PL6 5QZ.

Changes to privacy notice

The practice reviews this privacy notice regularly and may amend the notice from time to time. If you wish to discuss any elements of this privacy notice, please contact the Operations Manager.