Privacy Notice

Last updated: October 2022




We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after as required by Law.

Please read this Privacy Notice carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store and protect about you.

The Law states we must inform you about:

  • Why we collect your personal and healthcare information.
  • How we use any of your personal and healthcare information.
  • What we do with your personal information.
  • Who we share it with or pass it on to, and why.
  • How long we can keep your information.



About Us

Data Protection Legislation requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. We are registered with the Information Commissioner’s Office (ICO) as a data controller under the Data Protection Act 2018. Our registration number is ZB147910 and can be viewed online in the ICO public register.

  • The Data Controller is: Sheth and Partners
  • The Data Protection Officer is: Facilitated by the Medvivo Data Protection Officer Service
  • Data Protection Officer Telephone Number: 01722 322726


Any changes to this notice will be published on our website or available as a paper copy at reception.

Please contact the practice or our DPO if you have any questions about:

  • How your information is being held, used and protected.
  • Access to your information including any recordings held on our CCTV system.
  • If you are unclear or have any queries relating to this Policy and your rights as a patient.
  • Opting In or Out of Risk Stratification
  • Opting In or Out of sharing anonymised or pseudonymised data
  • Sharing your Summary Care Record (SCR)
  • Translation of this Privacy Notice if English is not your first language.
  • Procuring a hard copy of this Privacy Policy.
  • If you wish to make a complaint about anything to do with your personal and healthcare information.

All data protection queries will be initially dealt with by the practice data protection team and escalated to the Medvivo Data Protection Officer service if required.


Why do we collect your personal information?

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare and help us to protect your safety.

We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation, which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form. The records will include both personal and special categories of data about your health and wellbeing.


What types of personal information do we collect about you?

We may collect the following types of personal information:

  • Your name, address, email address, telephone number, place of work and work contact details, and other contact information
  • Proof of identity
  • Age, Gender, NHS Number and date of birth and sexual orientation
  • Details of family members, legal representatives, and next of kin details
  • Health (Medical) information, including information relating to your sex life
  • Details of any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls.
  • Results of investigations such as laboratory tests or x-rays
  • Genetic information
  • CCTV footage

Information we collect from others

We also collect personal information about you when it is sent to us to facilitate provision of healthcare services from the following:

  • A hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare and welfare or those you may be caring for.
  • Notes and details of investigations, diagnosis, treatment, management planning and consultations about your health.
  • Relevant information from other health professionals, relatives or those who care for you.
  • Social Care Services.
  • Police, Court Orders and Fire and Rescue.

How will we use the personal information we collect about you?

We may use your personal information in the following ways:

  • To help us assess your needs and identify and provide you with the health and social care that you require
  • To determine the best location to provide the care you require
  • To comply with our legal and regulatory obligations
  • To help us monitor and manage our services
  • When we are required by Law to hand over your information to any other organisation

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

Legal justification for collecting and using your information

We have been commissioned by the Bath and North East Somerset, Swindon and Wiltshire Clinical Commissioning Group to provide a GP surgery service and it is necessary for the performance of this task in the public interest for us to process your personal data.

We will use your special categories of personal data, such as that relating to your race, ethnic origin, and health for the purposes of providing you with health or social care or the management of health or social care systems and services. Such processing will only be carried out by a health or social work professional or by another person who owes a duty of confidentiality under legislation or a rule of law.

In some circumstances, we may process your personal information on the basis that:

  • it is necessary to protect your vital interests;
  • we are required to do so in order to comply with legal obligations to which we are subject;
  • we are required to do so for the establishment, exercise or defence of a legal claim; or
  • you have given us your explicit consent to do so.

CCTV footage

We use CCTV at Sarum Health Group covering the internal entrance, waiting room, corridors and reception at Millstream Medical Centre and the dispensary and office at Larkhill Medical Centre. It is used solely to keep people and property safe. We do not use CCTV to collect evidence to inform other decisions. The Practice follows the ICO code of Practice which can be read here:


Text (SMS) messages

If you have provided your mobile telephone number, we may use this to send automatic appointment reminders, requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit.

If you do not wish to receive these text messages, please let the reception team know.

If you need to update your mobile number please inform reception as soon as possible or complete the form on the website below:


Email messages

If you have provided your Email, we may use this to send requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit.

If you do not wish to receive these messages, please let the reception team know.

If you need to update your email address please inform reception as soon as possible or complete the form on the website below:


Data processors

We may use the services of a data processor to assist us with some of our data processing, but this is done under a contract with direct instruction from us that controls how they will handle patient information and ensures they treat any information in line with the General Data Protection Regulation, confidentiality, privacy law, and any other laws that apply.



We use a communication system called Mjog to provide your appointment reminders and healthcare campaign messages and to obtain and process your feedback. Mjog requires your Name, Date of Birth, NHS Number, telephone number(s) and date and time of your appointment to operate. Data is stored on Mjog for up to seven days, for the purpose of sending appointment reminders; all other data will be deleted once it has been added to your clinical record. We do not ask for any personal identifiable information in user surveys. Mjog Ltd’s privacy policy can be viewed online here:



The Practice also shares personal information with a printing and mailing services provider called CFH Docmail Ltd to print and dispatch letters to patients on our behalf. The system requires a secure user name and password for our Practice to log on and upload letters and address lists to create the printed output for dispatch to Royal Mail. Docmail’s privacy policy can be viewed online here:



We use SystmOnline to enable patients to use our online facilities. This facility is provided by The Phoenix Partnership (TPP) 2019. Their privacy policy can be found here:



We provide video (digital) consultations using AccuRx. The video and audio communication is only visible to participants on the call and transmitted over an encrypted connection. It is not recorded or stored on any server. The video consultation connection prioritises ‘peer-to-peer’ connections between the clinician’s and patient’s phone and follows NHS best practice guidelines on health and social care cloud security.



We use Cinapsis to access advice and guidance from specialists working at local hospitals. This guidance can be provided to us as either a telephone call or Email messaging. Full details of any advice and guidance received will be stored in your medical record. More information about Cinapsis and their privacy policy can be found on their website.


How will we share your personal information?

We may share your personal information with other health and social care professionals and members of their care teams to support your ongoing health and or social care and achieve the best possible outcome for you. This may include:


Primary Care Network

Sarum Health Group is a member of the Salisbury Plain Primary Care Network (PCN) so you may be contacted by or treated by one of the other practices within the PCN. In order to support and provide healthcare services to you, they will require access to your patient record.


Patient Referrals

With your agreement, we may refer you to other services and healthcare providers for services not provided by Sarum Health Group.


Other Providers of Healthcare

We will share your information with other providers of healthcare services to enable them to support us in providing you with direct healthcare. This may include NHS organisations or private companies providing healthcare services for the NHS, such as Doctors, Consultants, Nurses, Pharmacists, Opticians and Dentists, etc.


Care Homes or Social Care Services

Sometimes the clinicians caring for you may need to share some of your information with others who are also supporting you outside of the practice.


Local Authority

The local authority (council) provides health or social care services or assists us in providing direct healthcare services to you. We will share your personal information with them to enable this to take place.



We will share your personal information with the safeguarding teams of other health and social care providers where there is a need to assess and evaluate any safeguarding concerns. Your personal information will only be shared for this reason when it is required for the safety of the individuals concerned.


Integrated Care Records (ICR)

Bath and North East Somerset, Swindon and Wiltshire Integrated Care Record (BSW ICR) is a digital care record system for sharing information in Bath and North East Somerset, Swindon and Wiltshire. It allows instant, secure access to your health and social care records for the professionals involved in your care.

Relevant information from your digital records is shared with people who look after you. This gives them up-to-date information making your care safer and more efficient.
Sarum Health Group uses the system in the following way:

  • We can access your data stored within the system and provide relevant information about you and your health

Further details about the ICR can be found here.


Risk Stratification

Risk Stratification, also known as ‘Health Risk Screening’, is a process that helps your GP determine whether you are at risk of any unplanned admission or sudden deterioration in health. By using information such as age, gender, diagnosis, and consideration of existing long-term conditions, medication history, patterns of attendance at hospital, admissions and periods of access to community care, your GP supported by the local Integrated Care Board (ICB) will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

As part of the automated Risk Stratification process your pseudonymised personal data (anything that can identify an individual is replaced with code) will be shared with the Bath, Northeast Somerset, Swindon and Wiltshire ICB.

You have the right to object to your information being used in this way. However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Further details about Risk Stratification can be found here: 


Summary Care Record (SCR)

Your SCR is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England. In its basic form, referred to as the Core SCR, only medications, allergies and adverse reactions are included.

This record may be accessed by healthcare professionals working in other areas of the health and care system involved in your direct care. Additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You can enrich your SCR by giving consent to the Practice to include the following additional information:

  • Significant past and present medical history.
  • Reason for medication.
  • Anticipatory care information (such as information about the management of long-term conditions).
  • End of life care.
  • Immunisations

Giving consent to the Practice to create a SCR with additional information means that more relevant information is available wherever you are receiving treatment in the NHS. This will:

  • Improve the flow of information across the health and care system.
  • Increase safety and efficiency.
  • Improve care.

It is particularly useful if you have complex or long-term conditions or are reaching end of life.

You can choose to opt out of the Core SCR. However, if you are happy with this use of information you do not need to do anything. You can change your choice at any time.

Read more details on SCR and to opt out of SCR:


GP Connect

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes.

GP Connect is not used for any purpose other than direct care.

Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts and Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP Connect.

The NHS 111 service (and other services) will be able to book appointments for patients at GP practices and other local services. Further details about GP Connect are available here: 

GP Connect privacy notice - NHS Digital


NHS Digital

In order to comply with its legal obligations this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.

This practice contributes to national clinical audits and will send the data, which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth and information about your health, which is recorded in coded form. For example, the clinical code for diabetes or high blood pressure.


National Services

There are some national services like the national Cancer Screening Programme that collect and keep information from across the NHS. This is how the NHS knows when to contact you about services like cancer screening.


Care Quality Commission (CQC)

The CQC regulates health and care services to ensure that safe care is provided. The law requires that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.


Public Health England

The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England. Further information about Public Health England can be found here:


Other NHS Organisations

Sometimes the practice will share information with other NHS organisations that do not directly care for you, such as the Clinical Commissioning Group. However, this information will be anonymous and does not include anything written as notes by the GP and cannot be linked to you.

We will not share your information with organisations other than health and social care providers without your consent unless the law allows or requires us to.


Anonymisation and Pseudonymisation

Sometimes we provide information about you in an anonymised or pseudonymised form. All personal information we use and transmit is fully compliant with the ICO Anonymisation Code of Practice which can be read here:


Third parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are redacted before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.


Special categories data

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

  • Where we may need to handle your personal information when it is considered in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.
  • When you have given us consent.
  • If you are incapable of giving consent, and we must use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment).
  • If we need your information to defend a legal claim against us by you, or by another party.
  • Where we need your information to provide you with medical and healthcare services.

How long we keep your personal information

We follow the Records Management Code of Practice for Health and Social Care 2016 records retention schedule published by the Information Governance Alliance for the Department of Health which states that electronic patient records should be retained for 10 years from the date of death. At that point, all personal data we hold on you will be securely deleted.

We keep CCTV footage for 4 weeks.


Your right to opt out of data sharing and processing

The NHS Constitution states ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected in a patient record for that service. Collecting this confidential patient information helps to ensure you get the best possible care and treatment.

The confidential patient information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care where allowed by law.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you choose to opt out your confidential patient information will still be used to support your individual care.

We do not share your confidential patient information for purposes beyond your individual care without your permission. When sharing data for planning and reporting purposes, we use anonymised data so that you cannot be identified in which case your confidential patient information isn’t required.

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.


Type 1 Opt Out

Type 1 opt outs are recorded locally by your GP practice and your practice will be able to remove your information from being shared with other organisations if it is not for your direct care. If you wish to have a Type 1 opt out applied, please fill in the Type 1 opt out form on our website or contact reception.


NHS National data opt-out

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes.

Sarum Health Group are currently compliant with the national data opt-out policy as we do not share your confidential patient information for purposes beyond your individual care without your permission.

To find out more or to register your choice to opt out, please visit NHS: Your Data Matters

On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can change your national data opt-out choice at any time by calling NHS Digital contact centre on 0300 3035678, via the NHS App or visiting the NHS website:


Your rights as a patient

In addition to the questions and requests outlined in Para 2 the Law also gives you certain rights to your personal and healthcare information that we hold, as set out below:

  • To see what information we hold about you and to request a copy of this information by raising a Subject Access Request (SAR).
  • Request online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity. Please note that when we give you online access the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.
  • To correct any information you think is inaccurate.
  • To ask for your information to be removed, however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.
  • You have the right to request that your personal and healthcare information is not shared by the Practice for a purpose that is not directly related to your health, e.g. medical research, etc.
  • The right to request that your personal and/or healthcare information is transferred in an electronic form (or other form) to another organisation. We will require your clear consent to be able to do this.

Subject Access Request (SAR)

If you wish to see what information we hold about you, please submit a Subject Access Request (SAR) to the practice.

The ICO has excellent advice on the submission of a SAR which we recommend reading before any submission to us. Details here:

Please contact the surgery using any of the following methods:

  • Fill out the Subject Access Request Form 
  • By letter addressed to: Sarum Health Group, Millstream Medical Centre, Avon Approach, Salisbury, Wiltshire, SP1 3SL.
  • By telephoning reception on 01722 322726 giving clear details of your requirement.
  • By verbally giving the Practice receptionist details of your requirement.

By Law we will provide any SAR information requests free of charge; however, we are allowed in some limited and exceptional circumstances to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.


Complaints on our handling of a SAR

We have one month to reply to any SAR received. If you wish to challenge our reply you can complain and if necessary, request a deadlock letter from us if you remain dissatisfied. This ICO information may help you to raise a complaint to us.

As a last resort, which we hope will never be necessary, you have the right to contact the ICO to make a complaint about us. More details are here:


Under 16?

Please read our privacy notice for children aged 15 and under.


Our website

Our website privacy statement can be viewed online.

If you use any of the courtesy hyperlinks provided on our website including this Privacy Notice, you will need to read the individual website privacy policies. We take no responsibility for the content or security of other websites.



We use cookies to:

  • Make our website work, for example by keeping it secure
  • Remember which pop-ups you’ve seen
  • Measure how you use our website, such as which links you click on (analytics cookies)
  • Help show you relevant health campaigns on social media

For more information on which cookies we use, and to opt out of the use of cookies, visit our Cookie Policy on our website.


Where to find our privacy notice

A copy of this Privacy Notice is held at each of our receptions, on our website or a copy will be provided on request. You can also download it from our website.