Privacy notice

As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.

Caldbeck Surgery Fair Processing Notice

Who we are

We are a GP practice who provide a range of primary health services including GP and nurse appointments, prescription dispensing and delivery, minor surgery, specialist clinics for diabetes, COPD and other long-term conditions.

What is a privacy notice?

A Privacy Notice is a statement by the Practice to patients, visitors, carers, the public and staff that describes how we collect, use, retain and disclose personal information which we hold. It is sometimes also referred to as a Privacy Statement or Privacy Policy. This Fair Processing notice is part of our commitment to ensure that we process your personal information fairly and lawfully.

Why issue a fair processing notice?

We recognise the importance of protecting personal and confidential information in all that we do and we take care to meet our legal and regulatory duties. This notice is one of the ways in which we can demonstrate our commitment to the safety and security of your personal information.

This notice also explains what rights you have to control how we use your information.

Our legal basis for holding and processing information is:

GDPR Article 6 (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and;

GDPR Article 9 (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Why and how we collect information

We may ask for or hold personal confidential information about you which will be used to support delivery of appropriate care and treatment. This is to support the provision of high quality care.

This information may include:

  • Basic details, such as name, address, date of birth, next of kin
  • Contact we have had, such as appointments and home visits
  • Details and records of treatment and care, including notes and reports about your health
  • Results of x-rays, blood tests, etc
  • Information from people who care for you and know you well, such as health professionals and relatives

It may also include personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information assists staff involved in your care to deliver and provide improved care, deliver appropriate treatment and care plans, to meet your needs.

Information is collected in a number of ways, via your healthcare professional, clinic details from a hospital, out-of-hours service or ambulance service, or directly given by you.

How we use information

  • To help inform decisions that we make about your care.
  • To ensure that your treatment is safe and effective.
  • To work effectively with other organisations who may be involved in your care.
  • To support the health of the general public.
  • To ensure our services can meet future needs.
  • To review care provided to ensure it is of the highest standard possible.
  • To train healthcare professionals.
  • For research and audit.
  • To prepare statistics on NHS performance.
  • To monitor how we spend public money.

When using information to inform future services and provision, non-identifiable information will be used.

How information is retained and kept safe

There are a number of ways in which your privacy is shielded: by removing your identifying information wherever possible, by only accessing your data on a need-to-know basis, by having systems access controlled by NHS smartcards, by access audits, and by ensuring data sharing and processing agreements are in place.

The Data Protection Act 1998 and successor legislation regulates the processing of personal information. Strict principles govern our use of information and our duty to ensure it is kept safe and secure.

Caldbeck Surgery is registered with the Information Commissioner’s Office (ICO). Details of our registration can be found on

Technology allows us to protect information in a number of ways, in the main by restricting access.

How do we keep information confidential?

Everyone working for the Practice is subject to the Common Law Duty of Confidentiality and the Data Protection Act 1998.

Under the NHS Confidentiality Code of Conduct, all staff are required to protect information, inform you of how your information will be used and allow you to decide if and how your information can be shared. This will be noted in your records.

All practice staff undertake annual training in data protection, confidentiality and IT security, with additional training for specialists such as those dealing with healthcare records, data protection officers and IT staff.

There are only three situations in which we will disclose any of your personal information to those who are not directly caring for you:

  1. When you give your explicit consent;
  2. Where you or another person may otherwise come to harm, or to help investigate violent crime, or;
  3. When ordered to by a court.

There are no other circumstances in which we will disclose your personal information to anyone.

Clinical placements

Clinical placements for students commonly take place within our practice. Students such as student nurses or medical students could be receiving training with us.

We will always ask for your permission before a clinical student participates in providing your care. The treatment or care you receive will not be affected if you refuse to have a student present during your episode of care.

Who can the information be shared with?

To provide the best care possible, sometimes we will need to share information about you with others. We may share your information with other NHS or statutory County Council social care organisations and regulatory bodies. Examples of this are sharing your medical details with the North West Ambulance Service, with the Cumberland Infirmary or other NHS hospital, or with other service providers for the purposes of referral to those services.

Sharing with non-NHS organisations

For your benefit, we may also need to share information from your records with non-NHS organisations, from whom you are also receiving care, such as social services or private healthcare organisations. We cannot disclose any health information to non-NHS organisations without your explicit consent, unless there are exceptional circumstances, such as when your health is at risk and you are unable to provide consent. In this situation we are bound to act in your best interest.

You have the right to refuse/withdraw consent to information sharing at any time. We will fully explain the possible consequences to you, which could include delays in you receiving care.

Contacting us about your information

Each organisation has a senior person responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian. Our Caldicott Guardian is Martin Woodham, who you can contact via reception.

If you have any questions or concerns regarding the information we hold on you, the use of your information or would like to discuss further, please contact Martin.

Can I access my information?

Under the GDPR you have the right of access to your medical record, and you may request erasure or redaction in certain circumstances. For more information on how to exercise these rights please ask at reception.

Further information


What are we governed by?

The key pieces of legislation/guidance we are governed by are:

  • Data Protection Act 1998 and successor legislation
  • Human Rights Act 1998 (Article 8)
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health and Social Care Act 2012, 2015
  • Public Records Act 1958
  • Copyright Design and Patents Act 1988
  • The Re-Use of Public Sector Information Regulations 2015
  • The Environmental Information Regulations 2004
  • Computer Misuse Act 1990
  • The Common Law Duty of Confidentiality
  • The Care Record Guarantee for England
  • The Social Care Record Guarantee for England
  • International Organisation for Standardisation (ISO) – Information Security Management Standards (ISMS)
  • Information Security Management – NHS Code of Practice
  • Records Management – Code of Practice for Health and Social Care 2016
  • Accessible Information Standards (AIS)
  • General Data Protection Regulations (GDPR) – post 25th May 2018

Who are we governed by?

Department of Health –

Information Commissioner’s Office –

Care Quality Commission –

NHS England –

Our doctors, nurses, healthcare professionals and registered support staff are also regulated and governed by professional bodies including Royal colleges.

Clinical Governance

Everyone at the Practice is committed to providing the best possible care we can for our patients. This involves the whole team: doctors, nurses, receptionist dispensers and, behind the scenes, administrative staff and practice manager.

As part of the NHS we work within a system called Clinical Governance to help us keep improving our services to patients. The system is based on five principles, and this is how we apply them in our surgery:

  1. Patients and Carers – We like to work in partnership with our patients and carers to provide the most appropriate care and treatment for each individual in our care. This means listening to your concerns, answering your questions and providing information on illnesses and treatments so that you can be fully involved in decisions about your care and treatment. Our patient PPG group helps us to improve and develop our services in ways which are best for our patients. We also have an annual patient survey to find out how well you think we are doing.
  2. Clinical Effectiveness – We carry out audits of our clinical work to make sure we are following up-to-date guidelines and best practice from elsewhere in the NHS. The National Institute for Clinical Excellence (NICE) regularly brings out guidance and National Service Frameworks and we review our practice in light of these.
  3. Risk Management – Having good systems for routine procedures helps us to avoid mistakes. For example every prescription is checked by two staff members when it is dispensed. We have procedures for reporting mistakes and ‘near misses’ so that we can learn from these and prevent them happening again. These are discussed with staff at training sessions so that everyone is aware of risks and how to avoid them.
  4. Use of Information – We use a clinical information system to help us maintain accurate records for all our patients. With hand held computers this means that a doctor on a home visit has up-to-date information on test results, reports from the hospital and medication literally at their fingertips. Doctors and practice nurses use the Internet to check the latest information about conditions and treatments.
  5. Education and Training – The practice is committed to ensuring that all staff have the right training for their job. Doctors and nurses have Continuing Professional Development to maintain and develop their clinical and other skills. Every month the practice closes for an afternoon to run a training programme for staff on site. Staff members also attend courses run by the NHS.

Date published: 20th September, 2023
Date last updated: 16th November, 2023