Privacy Notice




We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store and protect about you.

The Law states we must inform you about:

  • Why we collect your personal and healthcare information.
  • How we use any of your personal and healthcare information.
  • What we do with your personal information.
  • Who and why we share it with or pass it on to.
  • How long we can keep your information.

image depicting privacy notice


About Us

Data Protection Legislation requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. We our registered with the Information Commissioner’s Office (ICO) as a data controller under the Data Protection Act 2018. Our registration number is ZB147910 and can be viewed online in the ICO public register.

  • The Data Controller is: Sheth and Partners
  • The Data Protection Officer is: Jason Roberts of Medvivo Group Limited
  • Data Protection Officer Telephone Number: 0300 111 6432
  • Data Protection Officer Email:

Any changes to this notice will be published on our website or available as a paper copy at reception.

Please contact the practice or our DPO if you have any questions about:

  • How your information is being held, used and protected.
  • Access to your information including any recordings held on our CCTV system.
  • If you are unclear or have any queries relating to this Policy and your rights as a patient.
  • Opting In or Out of Risk Stratification
  • Opting In or Out of sharing anonymised or pseudoanonymised data
  • Sharing your Summary Care Record (SCR)
  • Translation of this Privacy Notice if English is not your first language.
  • Procuring a hard copy of this Privacy Policy.
  • If you wish to make a complaint about anything to do with your personal and healthcare information.

Why do we collect your personal information?

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare and help us to protect your safety.

We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form. The records will include both personal and special categories of data about your health and wellbeing


What types of personal information do we collect about you?

We may collect the following types of personal information:

  • Your name, address, email address, telephone number, place of work and work contact details, and other contact information
  • Proof of identity
  • Age, Gender, NHS Number and date of birth and sexual orientation
  • Details of family members, legal representatives, and next of kin details
  • Health (Medical) information, including information relating to your sex life
  • Details of any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls.
  • Results of investigations such as laboratory tests or x-rays
  • Genetic information
  • CCTV footage

Information we collect from others

We also collect personal information about you when it is sent to us to facilitate provision of healthcare services from the following:

  • A hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare and welfare or those you may be caring for.
  • Notes and details of investigations, diagnosis, treatment, management planning and consultations about your health.
  • Relevant information from other health professionals, relatives or those who care for you.
  • Social Care Services.
  • Police, Court Orders and Fire and Rescue.

How will we use the personal information we collect about you?

We may use your personal information in the following ways:

  • To help us assess your needs and identify and provide you with the health and social care that you require
  • To determine the best location to provide the care you require
  • To comply with our legal and regulatory obligations
  • To help us monitor and manage our services
  • When we are required by Law to hand over your information to any other organisation

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

Legal justification for collecting and using your information

We have been commissioned by the Bath and North East Summerset, Swindon and Wiltshire Clinical Commissioning Group to provide a GP surgery service and it is necessary for the performance of this task in the public interest for us to process your personal data.

We will use your special categories of personal data, such as that relating to your race, ethnic origin, and health for the purposes of providing you with health or social care or the management

of health or social care systems and services. Such processing will only be carried out by a health or social work professional or by another person who owes a duty of confidentiality under legislation or a rule of law.

In some circumstances, we may process your personal information on the basis that:

  • it is necessary to protect your vital interests;
  • we are required to do so in order to comply with legal obligations to which we are subject;
  • we are required to do so for the establishment, exercise or defence of a legal claim; or
  • you have given us your explicit consent to do so.

CCTV footage

We use CCTV at Sarum Health Group covering the internal entrance, waiting room, corridors and reception at Millstream Medical Centre and the dispensary and office at Larkhill Medical Centre. It is used solely to keep people and property safe. We do not use CCTV to collect evidence to inform other decisions. The Practice follows the ICO code of Practice which can be read here:


Text (SMS) messages

If you have provided your mobile telephone number, we may use this to send automatic appointment reminders, requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit.

If you do not wish to receive these text messages, please let the reception team know.

If you need to update your mobile number please inform reception as soon as possible or complete the form on the website below:


Email messages

If you have provided your Email, we may use this to send requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit.

If you do not wish to receive these messages, please let the reception team know.

If you need to update your email address please inform reception as soon as possible or complete the form on the website below:


Summary Care Record (SCR)

Your SCR is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England. In its basic form, referred to as the Core SCR, only medications, allergies and adverse reactions are included.

This record may be accessed by healthcare professionals working in staff in other areas of the health and care system involved in your direct care. Additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You can enrich your SCR by giving consent to the Practice to include the following additional information:

  • Significant past and present medical history.
  • Reason for medication.
  • Anticipatory care information (such as information about the management of long – term conditions).
  • End of life care.

Giving consent to the Practice to create a SCR with additional information means that more relevant information is available wherever you are receiving treatment in the NHS. This will:

  • Improve the flow of information across the health and care system.
  • Increase safety and efficiency.
  • Improve care.

It is particularly useful if you have complex or long-term conditions or are reaching end of life.

You can choose to opt out of the Core SCR. However, if you are happy with this use of information you do not need to do anything. You can change your choice at any time.

For more details on SCR and to opt out of SCR, visit our website here:


Data processors

We may use the services of a data processor to assist us with some of our data processing, but this is done under a contract with direct instruction from us that controls how they will handle patient information and ensures they treat any information in line with the General Data Protection Regulation, confidentiality, privacy law, and any other laws that apply.



We use a communication system called Mjog to provide your appointment reminders and healthcare campaign messages and to obtain and process your feedback. Mjog requires your Name, Date or Birth, NHS Number, telephone number(s) and date and time of your appointment to operate. Data is stored on Mjog for up to seven days, for the purpose of sending appointment reminders, all other data will be deleted once it has been added to your clinical record. We do not ask for any personal identifiable information in user surveys. Mjog Ltd’s privacy policy can be viewed online here:



The Practice also shares personal information with a printing and mailing services provider called CFH Docmail Ltd to print and dispatch letters to patients on our behalf. The system requires a secure user name and password for our Practice to log on and upload letters and address lists to create the printed output for dispatch to Royal Mail. Docmail’s privacy policy can be viewed online here:



We use SystmOnline to enable patients to use our online facilities. This facility is provided by The Phoenix Partnership (TPP) 2019. Their privacy policy can be found here:



We provide video (digital) consultations using AccuRx. The video and audio communication is only visible to participants on the call and transmitted over an encrypted connection. It is not recorded or stored on any server. The video consultation connection prioritises ‘peer-to-peer’ connections between the clinician’s and patient’s phone and follows NHS best practice guidelines on health and social care cloud security.



We Cinapsis to access advice and guidance from specialist working at local hospitals. This guidance can be provided to us as either a telephone call or Email messaging. Full details of any advice and guidance received will be stored in your medical record.  More information ab out Cinapsis and their privacy policy can be found on their website.


How will we share your personal information?

We may share your personal information with other health and social care professionals and members of their care teams to support your ongoing health and or social care and achieve the best possible outcome for you. This may include:


Primary Care Network

Sarum Health Group  is a member of the Salisbury Plain Primary Care Network (PCN) so you may be contacted by or treated by one of the other practices within the PCN. In order to support and provide healthcare services to you, they will require access to your patient record.


Patient Referrals

With your agreement, we may refer you to other services and healthcare providers for services not provided by Sarum Health Group.


Other Providers of Healthcare

We will share your information with other providers of healthcare services to enable them to support us in providing you with direct healthcare. This may include NHS organisations or private companies providing healthcare services for the NHS, such as Doctors, Consultants, Nurses, Pharmacists, Opticians and Dentists, etc.


Care Homes or Social Care Services

Sometimes the clinicians caring for you may need to share some of your information with others who are also supporting you outside of the practice.


Local Authority

The local authority (council) provides health or social care services or assists us in providing direct healthcare services to you. We will share your personal information with them to enable this to take place.



We will share your personal information with the safeguarding teams of other health and social care providers where there is a need to assess and evaluate any safeguarding concerns. Your personal information will only be shared for this reason when it is required for the safety of the individuals concerned.


Integrated Care Records (ICR)

An Integrated Care Record allows other health and care providers who are directly involved with your care to access appropriate, timely and relevant information about you to enable them to support your heath and care. Further details about the ICR can be found here:


GP Connect

GP Connect is a system that allows other health and care providers access to your GP medical records to enable them to support your heath and care when you are seen outside your normal GP surgery.


NHS Digital

In order to comply with its legal obligations this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.

This practice contributes to national clinical audits and will send the data, which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth and information about your health, which is recorded in coded form. For example, the clinical code for diabetes or high blood pressure.


National Services

There are some national services like the national Cancer Screening Programme that collect and keep information from across the NHS. This is how the NHS knows when to contact you about services like cancer screening.


Care Quality Commission (CQC)

The CQC regulates health and care services to ensure that safe care is provided. The law requires that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. Further information about the CQC can be found here:


Public Health England

The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England. Further information about Public Health England can be found here:


Other NHS Organisations

Sometimes the practice will share information with other NHS organisations that do not directly care for you, such as the Clinical Commissioning Group. However, this information will be anonymous and does not include anything written as notes by the GP and cannot be linked to you.

We will not share your information with organisations other than health and social care providers without your consent unless the law allows or requires us to.

As a practice we use the following IT systems to aid the management of the practice, our staff and ensure we are following clinical best practice. Patient data is not shared with the system suppliers or stored on these systems.

  • Intradoc – Used for practice management and HR
  • TeamNet – Used for practice management and HR
  • Ardens SystmOne Toolkit – Used by our clinicians to ensure we are providing the best practice up to date care to our patients
  • Huddle – Used for document storage

Anonymisation and Pseudonymisation

Sometimes we provide information about you in an anonymised or pseudoanonymised form. All personal information we use and transmit is fully compliant with the ICO Anonymisation Code of Practice which can be read here:


Third parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are redacted before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.


Special categories data

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

  • Where we may need to handle your personal information when it is considered in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.
  • When you have given us consent.
  • If you are incapable of giving consent, and we must use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment).
  • If we need your information to defend a legal claim against us by you, or by another party.
  • Where we need your information to provide you with medical and healthcare services.

How long we keep your personal information

We follow the Records Management Code of Practice for Health and Social Care 2016 records retention schedule published by the Information Governance Alliance for the Department of Health which states that electronic patient records should be retained for 10 years from the date of death. At that point, all personal data we hold on you will be securely deleted.

We keep CCTV footage for 4 weeks.


Your right to opt out of data sharing and processing

The NHS Constitution states ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected in a patient record for that service. Collecting this confidential patient information helps to ensure you get the best possible care and treatment.

The confidential patient information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care where allowed by law.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you choose to opt out your confidential patient information will still be used to support your individual care.

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.


Type 1 Opt Out

Type 1 opt outs are recorded locally by your GP practice and your practice will be able to remove your information from being shared with other organisations if it is not for your direct care. If you wish to have a Type 1 opt out applied, please fill in the Type 1 opt out form on our website or contact reception


NHS National data opt-out

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes.

Sarum Health Group are currently compliant with the national data-out policy as we do not share your confidential patient information for purposes beyond your individual care without your permission.

To find out more or to register your choice to opt out, please visit NHS: Your Data Matters

On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

To you can change your national data opt-out choice at any time by calling NHS Digital contact centre on 0300 3035678, via the NHS App or visiting the NHS website:


Your rights as a patient

In addition to the questions and requests outlined in Para 2 the Law also gives you certain rights to your personal and healthcare information that we hold, as set out below:

  • To see what information we hold about you and to request a copy of this information by raising a Subject Access Request (SAR).
  • Request online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity. Please note that when we give you online access the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.
  • To correct any information you think is inaccurate.
  • To ask for your information to be removed, however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.
  • You have the right to request that your personal and healthcare information is not shared by the Practice for a purpose that is not directly related to your health, e.g. medical research, etc.
  • The right to request that your personal and/or healthcare information is transferred in an electronic form (or other form) to another organisation we will require your clear consent to be able to do this.

Subject Access Request (SAR)

If you wish to see what information we hold about you, please submit a Subject Access Request (SAR) to the to the practice.

The ICO has excellent advice on the submission of a SAR which we recommend reading before any submission to us. Details here:

Please contact the surgery using any of the following methods:

  • By email to: Please use “SAR Request” as the subject header.
  • By letter addressed to: Sarum Health Group, Millstream Medical Centre, Avon Approach, Salisbury, Wiltshire, SP1 3SL.
  • By telephoning reception on 01722 322726 giving clear details of your requirement.
  • By verbally giving the Practice receptionist details of your requirement.

By Law we will provide any SAR information requests free of charge however, we are allowed in some limited and exceptional circumstances to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.


Complaints on our handling of a SAR

We have one month to reply to any SAR received. If you wish to challenge our reply you can complain and if necessary, request a deadlock letter from us if you remain dissatisfied. This ICO information may help you to raise a complaint to us.

As a last resort, which we hope will never be necessary, you have the right to contact the ICO to make a complaint about us. More details are here:


Under 16?

Please read our privacy notice for children aged 15 and under here:


Our website

Our website privacy statement can be viewed online at:

If you use any of the courtesy hyperlinks provided on our website including this Privacy Notice, you will need to read the individual website privacy policies. We take no responsibility for the content or security of other websites.



We use cookies to:

  • Make our website work, for example by keeping it secure
  • Remember which pop-ups you’ve seen
  • Measure how you use our website, such as which links you click on (analytics cookies)
  • Help show you relevant health campaigns on social media

For more information on which cookies we use, and to opt out of the use cookie visit our Cookie Policy on our website:


Where to find our privacy notice

A copy of this Privacy Notice is held at each of our receptions, on our website or a copy will be provided on request. You can also download from our website.


COVID-19 Privacy Notice Appendix

This appendix has been added to include any additional data processing completed by us during the Coronavirus (COIVD-19) outbreak.


Summary Care Record with Additional Information

In light of the current emergency, the Department of Health and Social Care has removed the requirement for your explicit consent prior to sharing additional information as part of the summary care record.


GP Connect in support of the National COVID-19 Response

To help the NHS during the COVID-19 outbreak, NHS Digital are improving the access that doctors, nurses and healthcare professionals have to medical records and information, so that they can more safely treat and advise patients who are not in their usual GP practice, who call 111 or are seen in hospitals and other healthcare settings.


GPES Data for Pandemic Planning and Research (COVID-19)

We are supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.


Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.


The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).


National Data Opt-Out

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.


Your rights over your personal data

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see: