Your Information, Your Rights

Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This privacy notice explains:

  • Who we are and how we use your information
  • Information about our Data Protection Officer
  • What kinds of personal information we collect and how we process it
  • The legal grounds for processing your personal information
  • How we use your information and who we share it with
  • EMIS Health clinical system usage
  • How we use AI technologies in your care
  • Remote consultations and telehealth
  • How we maintain your privacy and confidentiality
  • Your rights
  • How we use information about children
  • How long we retain your information
  • Our website
 

Who We Are and How We Use Your Information

Springfield Surgery is a UK General Practice that provides primary healthcare services. We aim to maintain the highest standards of patient care while ensuring all personal information is kept secure and confidential.

Data Controller: Springfield Surgery
Address: Springfield Way, Brackley, Northamptonshire, NN13 6JJ

We collect and hold data for the purpose of providing healthcare services to our patients. The information is collected and used to help ensure that you receive the best possible care.

 

Information About our Data Protection Officer

The Data Protection Officer for Springfield Surgery is Midlands and Lancashire CSU. Any queries regarding Data Protection issues should be addressed to:

Email: mlcsu.dpo@nhs.net

 

What Information We Collect and How We Process It

We collect and process the following types of personal information:

  • Identifying Data: Your name, date of birth, NHS Number, address, telephone number, email address, next of kin and emergency contact details.
  • Health Data: Medical diagnoses, conditions, prescriptions, care plans, test results, allergies, vaccination records, medical history, and other health-related information.
  • Appointment Data: Dates, times, and purposes of past and future appointments.
  • Correspondence: Letters, emails, and notes regarding your healthcare, including referrals to specialists and other healthcare providers.
  • Recording: Telephone calls to the practice may be recorded for training and quality purposes.
 

The Legal Basis for Processing Your Information

The UK GDPR requires us to identify a legal basis for processing personal data. The primary legal bases we use are:

  • Article 6(1)(e) - Public Task: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 9(2)(h) - Healthcare: The processing is necessary for medical diagnosis, the provision of healthcare or treatment, or the management of healthcare systems.
  • Article 6(1)(c) - Legal Obligation: The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Article 6(1)(d) - Vital Interests: The processing is necessary to protect someone's life.
  • Article 6(1)(a) and 9(2)(a) - Consent: You have given clear consent for us to process your personal data for a specific purpose. We will always seek your explicit consent for any processing that is not related to your direct healthcare or not required by law.
 

How We Use Your Information and Who We Share It With

1. Direct Care Purposes

Your information is used to provide you with healthcare services. This includes:

  • Managing your appointments
  • Maintaining your medical records
  • Diagnosing and treating conditions
  • Prescribing medications
  • Referring you to other healthcare providers

2. Information Sharing for Your Care

We may share your information with:

  • Other NHS Organizations: Hospitals, specialist services, NHS 111, out-of-hours services.
  • Social Services: When involved in your care.
  • Community Services: District nurses, midwives, health visitors.
  • Other GP Practices: When you register with a new practice.
  • Clinical Commissioning Groups (CCGs): For planning and commissioning healthcare services.

All organizations that receive information from us are also legally obliged to keep your information confidential and secure.

3. Other Uses of Information

We may also use your information for:

  • Quality Improvement: Auditing and improving our services.
  • Research: We will always ask for your explicit consent before using your data for research that is not anonymized.
  • Training: Healthcare professionals may need to access records for training while maintaining confidentiality.
  • Risk Stratification: Identifying patients who may need additional support.
  • Invoice Validation: Confirming that the correct provider is paid for your treatment.
  • Safeguarding: Protecting vulnerable children and adults.
  • Statutory Disclosures: When required by law, court order, or to prevent serious harm.
 

Our Partner Organisations

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts/Foundation Trusts
  • GPs
  • Primary Care Networks
  • Integrated Care Systems
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Integrated Care Boards
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Multi Agency Safeguarding Hub (MASH)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other 'data processors', of which you will be informed

You will be informed who your data will be shared with and, where consent is required, asked for your consent before this happens.

 

EMIS Health Clinical System

Springfield Surgery uses EMIS Health as its clinical system to store and process patient records electronically. EMIS Health acts as a data processor on behalf of the practice.

Key information about EMIS:

  • Security: EMIS maintains high-level security standards including encryption, secure data centers, and regular security testing.
  • Access Controls: Our staff can only access patient records through secure, role-based access controls with unique login credentials.
  • Audit Trail: All access to records is logged and can be audited to ensure appropriate use.
  • NHS Data Security and Protection Toolkit: EMIS complies with NHS data security standards and is regularly audited.
  • Data Processing Agreement: We have a formal agreement with EMIS that governs how they process data on our behalf.
  • Summary Care Record: With your consent, a summary of your key health information is available to authorized healthcare staff in an emergency.
  • Electronic Prescription Service: Allows us to send prescriptions electronically to your chosen pharmacy.
  • GP2GP: Enables the secure transfer of your electronic health record if you register with a new practice.
  • Patient Access: EMIS provides the technical foundation for patients to access their records online through the NHS App and other approved applications.
 

How We Use AI Technologies in Your Care

Springfield Surgery utilizes or plans to utilize several AI systems to support healthcare delivery. We have conducted Data Protection Impact Assessments (DPIAs) for all AI systems we use or plan to implement.

AI Systems Currently in Use or Planned

1. Heidi AI

Purpose: Heidi AI is used to transcribe speech into text during healthcare encounters. This allows clinicians to focus more on patient care rather than paperwork.

Data Processing:

  • Transcribes conversations between clinicians and patients
  • Processes clinician dictations of clinical findings, impressions, and management plans
  • All data that identifies you stays within the practice and its servers, which are UK-based
  • No identifiable data is used by the Heidi tool for machine learning

Security Measures:

  • End-to-end encryption for all data
  • UK-based data storage
  • Role-based access controls
  • Regular security assessments

Consent Process:

  • Your consent will be sought for consultations that are transcribed using the Heidi AI tool
  • You can withdraw consent at any time

2. AccuRx Scribe

Purpose: AccuRx Scribe is an AI-powered tool that helps clinicians create accurate consultation notes more quickly, enhancing the efficiency of documentation while maintaining high standards of clinical record-keeping.

Data Processing:

  • Converts clinical dictations into structured notes
  • Processes relevant information from the clinical consultation
  • Creates automated drafts of clinical notes for clinician review and approval
  • All processing occurs within NHS-approved secure environments

Security Measures:

  • NHS-approved information governance standards
  • DCB0129 clinical safety certification
  • Regular independent security audits
  • Data encrypted both in transit and at rest
  • DSPT (Data Security and Protection Toolkit) compliant

Consent Process:

  • Explicit consent is obtained before using AccuRx Scribe in any consultation
  • Patients can opt out of having their consultation processed by AccuRx Scribe
  • All AI-generated notes are reviewed by your clinician before being added to your record

3. Claude AI

Purpose: Claude AI is used to assist clinicians with administrative tasks, synthesizing medical information, and generating patient-friendly explanations of complex medical concepts. It helps improve communication and education while reducing administrative burden.

Data Processing:

  • Processes anonymized clinical queries to provide clinical decision support
  • Assists in drafting patient information materials and educational content
  • Helps summarize complex medical information into accessible formats
  • No patient-identifiable data is shared with Claude AI

Security Measures:

  • Strict data minimization principles applied
  • All interactions are reviewed by healthcare professionals
  • Regular AI system audits and evaluations
  • No storage of patient-identifiable information
  • Secure, encrypted communication channels

Consent Process:

  • General consent is obtained for the use of AI tools in administrative processes
  • No patient-identifiable information is processed without explicit consent
  • You may opt out of having Claude AI used in relation to your care
 

Remote Consultations and Telehealth

Springfield Surgery offers remote consultations via telephone and video. When you engage in a remote consultation:

Data Collected: In addition to clinical information, we collect data necessary for the remote consultation technology to function, such as your IP address, device information, and connection details.

Video Consultations: We use secure video consultation technology that is:

  • Encrypted end-to-end
  • Compliant with NHS digital standards
  • Not recorded unless you provide explicit consent

Legal Basis: Remote consultations are processed under the same legal basis as in-person care (Article 6(1)(e) and Article 9(2)(h) of the UK GDPR).

Third-Party Providers: Our remote consultation services may be provided by third parties who act as data processors. They can only use your data according to our instructions and cannot use it for their own purposes.

Security: We implement appropriate security measures for remote consultations, including:

  • Secure, authenticated access for staff
  • Encrypted connections
  • Consultation in private environments
  • Verification of patient identity
 

How We Maintain Your Privacy and Confidentiality

We are committed to protecting your privacy and maintaining confidentiality of your health information:

Technical Security: We use technical measures including:

  • Encryption
  • Firewalls
  • Secure NHS networks
  • Regular security updates
  • Anti-virus software

Organizational Security:

  • Regular staff training on confidentiality and data protection
  • Confidentiality clauses in staff contracts
  • Access controls based on role
  • Regular audits of access to records
  • Clear desk policies and secure storage

Data Protection Impact Assessments: We conduct DPIAs for new technologies or significant changes to how we process data.

Data Processors: Any organization processing data on our behalf must sign a data processing agreement and comply with data protection law.

Reporting Breaches: We have procedures to detect, report and investigate personal data breaches.

 

Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  • Right to be Informed: This privacy notice fulfils this right.
  • Right of Access: You have the right to see the information we hold about you. You can make a Subject Access Request verbally or in writing. We will provide the information within one month.
  • Right to Rectification: If you believe information we hold about you is inaccurate or incomplete, you can ask us to correct it.
  • Right to Erasure: In certain circumstances, you can ask for your personal information to be deleted. This right does not apply to healthcare data where there is a legal obligation to retain it.
  • Right to Restrict Processing: In certain circumstances, you can ask us to limit how we use your personal information.
  • Right to Data Portability: You can request a copy of your electronic health record in a format that allows you to transfer it to another healthcare provider.
  • Right to Object: You have the right to object to processing based on legitimate interests or the performance of a task in the public interest.
  • Rights Related to Automated Decision Making: You have rights regarding automated decision making and profiling.

To exercise any of these rights, please contact our Data Protection Officer. You can also contact the Information Commissioner's Office (ICO) if you have concerns about how we process your data.

Information Commissioner's Office
Visit their website to find the appropriate contact method

 

Type 1 Opt-Outs

If you do not want your identifiable patient data to be shared outside of the GP practice for purposes except your own care, you can register an opt-out with the GP practice. This is known as a Type 1 Opt-out.

Type 1 Opt-outs were introduced in 2013 for data sharing from GP practices but may be discontinued in the future as a new opt-out has since been introduced to cover the broader health and care system, called the National Data Opt-out. If this happens, patients who have registered a Type 1 Opt-out will be informed.

NHS Digital will not collect any patient data for patients who have already registered a Type 1 Opt-out in line with current policy. If this changes, patients who have registered a Type 1 Opt-out will be informed.

You can register a Type 1 Opt-out at any time. You can also change your mind at any time and withdraw a Type 1 Opt-out.

If you have already registered a Type 1 Opt-out with us, your data will not be shared with NHS Digital. If you wish to register a Type 1 Opt-out with us, please contact the practice.

If you register a Type 1 Opt-out after your patient data has already been shared with NHS Digital, no more of your data will be shared with NHS Digital. NHS Digital will however still hold the patient data which was shared with them before you registered the Type 1 Opt-out.

 

National Data Opt-Out

If you don't want your confidential patient information to be shared by NHS Digital with other organisations for purposes except your own care — either GP data, or other data it holds, such as hospital data — you can register a National Data Opt-out.

If you have registered a National Data Opt-out, NHS Digital will not share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.

The National Data Opt-out applies to any confidential patient information shared by the GP practice with other organisations for purposes except your individual care. It will not apply to this data being shared by GP practices with NHS Digital, as it is a legal requirement for us to share this data with NHS Digital and the National Data Opt-out does not apply where there is a legal requirement to share data.

You can find out more about and register a National Data Opt-out or change your choice on NHS: Your Data Matters or by calling 0300 3035678.

 

How We Use Information About Children

We understand that children's data requires special protection:

Parental Responsibility: Until a child is able to understand and consent to the processing of their data (generally considered to be age 13), a person with parental responsibility may manage the child's data rights.

Competence Assessment: As children develop, we assess their ability to understand decisions about their data.

Safeguards: We apply enhanced safeguards to children's data, including:

  • Stricter access controls
  • Additional consideration before sharing
  • Age-appropriate communication about data processing

Children's Rights: As they mature, children gain the right to access their own records and control their own data, at which point parental access may be limited.

Safeguarding: We may share information about children without consent where there is a safeguarding concern.

 

How Long We Retain Your Information

We retain health records in accordance with the NHS Records Management Code of Practice:

Records Management Code of Practice - NHS Transformation Directorate

 

Our Website

Our practice website uses cookies to optimize your experience. Please refer to our separate Cookie Policy on the website for more information.

 

Useful Links

Please find below some links to external webpages which you may wish to access to find out additional information:

 

Changes to This Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated on 6th June 2025.

 

Accessibility

This privacy notice is available in alternative formats upon request, including large print, audio, and other languages.

 

Contact Us

If you have any questions about this privacy notice or how we handle your information, please contact our Data Protection Officer.

Springfield Surgery
Address: Springfield Way, Brackley, Northamptonshire, NN13 6JJ

Data Protection Officer: Midlands and Lancashire CSU
DPO Email: mlcsu.dpo@nhs.net