Privacy
Privacy Notice for Patients and Service Users – City Health Practice Ltd
This privacy notice explains how City Health Practice Ltd collects, uses, stores and shares your personal information when you register with us, contact us, or use our services. City Health Practice Ltd is the data controller for your personal information. This means we decide how and why your personal information is used.
Data Protection Officer contact details
Our Data Protection Officer is Claire Attwood. The Data Protection Officer monitors our compliance with data protection law and can be contacted with any queries or concerns about how we use your personal information at CHCP.customercare@nhs.net.
How do we get information and why do we have it?
We collect personal information directly from you when you register with the practice, contact us, attend appointments, use our services, complete forms, make a complaint, or otherwise provide information to us for the following reasons:
- You have provided information so that we can provide you with care and treatment, manage the services we provide, carry out clinical audit, investigate concerns or complaints, and meet our legal and regulatory responsibilities.
- You have asked us to support an application for NHS continuing healthcare or another funded care arrangement.
- You have signed up to our newsletter/patient participation group.
- You have made a complaint, raised a concern, or provided feedback.
We also receive personal information about you from other people and organisations involved in your care or support, for example:
- Other NHS organisations, GP practices, hospitals, community services, pharmacists, mental health services and other health or care providers involved in your care.
- Family members, carers or representatives where appropriate to support your care
Your information will also be used to help us manage and protect the health of the public by being used to:
- Review the care we provide to ensure it is of the highest standard and quality.
- Health and care professionals may look at confidential patient information about the care they gave you to understand and learn from their work. This is called ‘reflective practice’ and is done to help staff to provide better and safer care. Only regulated health or social care professionals who cared for you are allowed to access your information for this reason.
- Protect the health of the general public.
- Manage the health service.
- Ensure our services can meet patient needs in the future.
- Investigate patient queries, complaints and legal claims.
- Ensure CHPL receives payment for the care you receive.
- Prepare statistics on CHPL’s performance.
- Audit CHPL’s accounts and services.
- Helping to train and educate healthcare professionals. For these purposes we use anonymous data wherever possible.
What information do we collect?
Personal information
The doctors, nurses and other healthcare professionals involved in your care keep records about your health and any treatment or care you receive. Personal information means any information that can identify you, such as your name, address, date of birth, contact details or NHS number. We currently collect and use the following personal information:
- Personal identifiers and contacts (for example, name and contact details)
- Medical information, test results and diagnoses.
- Notes and reports about your health, treatment and care
- Relevant information from people who care for you and know you well such as health professionals and relatives.
- Photographs, scans and/or x-rays
- CCTV footage
It is important that the personal information we hold about you is accurate and up to date. Please tell us as soon as possible if any of your details change.
We may contact you using SMS texting to your mobile phone if we need to notify you about appointments and other services that we provide to you involving your direct care. As this is operated on an ‘opt out’ basis, we will assume that you give us permission to contact you via SMS if you have provided us with your mobile telephone number. Please let us know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us.
More sensitive information (special category information)
The UK GDPR gives extra protection to more sensitive information known as ‘special category data’. Information concerning health and care falls into this category and needs to be treated with greater care. Data that relates to criminal offences is also considered particularly sensitive. We may process the following categories of special category and sensitive information where relevant to your care or our legal obligations:
- Data concerning physical or mental health (for example, details about your appointments or diagnosis)
- Information about your physical or mental health
- Racial or ethnic origin
- Religious or philosophical beliefs where relevant to your care
- Information about sex life or sexual orientation where relevant to your care
- Genetic or biometric information where relevant and lawfully used
- Information relating to criminal allegations or offences where this is necessary and lawful, for example in safeguarding or legal matters.
Who do we share information with?
Primary Care Network (PCN)
City Health Practice Ltd is part of the VENN Primary Care Network (PCN), a group of practices working together to improve services for patients. This means we may share your information with other practices or staff working within the PCN where this is necessary for your care and treatment or for the lawful management of services. Other members of the network are:
- Bridge Group Practice
- Sutton Manor Practice
- CHCP
- The Quays
- Riverside
- East Park
The PCN may also carry out service evaluation and patient engagement activities, such as surveys or interviews, to help improve the quality and accessibility of primary care services. Where consent is required for this, we will ask for it.
Medicines Management
We may share relevant information with the Medicines Management Team at the Integrated Care Board (ICB) where this is necessary to review prescribed medicines and support safe, appropriate and cost-effective prescribing.
Other partner organisations
We may share information, where lawful and necessary, with organisations involved in your care, treatment, safeguarding or service management, or where we are required to do so by law. These include:
- NHS hospitals and trusts, including Hull University Teaching Hospitals NHS Trust
- community health services
- mental health services
- pharmacies and pharmacists
- ambulance services
- urgent treatment centres and out of hours services
- local authorities and social care services
- care homes
- NHS England
- Integrated Care Board (ICB)
- organisations that provide IT, document management, messaging or other support services on our behalf under contract.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor, an appropriate contract (UK GDPR Articles 24-28) will be established for the processing of your information.
If you receive support from other organisations, such as social care, education or voluntary sector services, we may share relevant information with them where this is necessary for your care, safeguarding, or where the law allows or requires us to do so:
- Social care services
- Education services
- Local authorities
- Voluntary and private sector providers working with the NHS.
In some circumstances we are legally obliged to share information. This includes:
- when required by NHS England to develop national IT and data services
- when reporting some infectious diseases
- when a court orders us to do so
- where a public inquiry requires the information
We may also share information without your consent where this is justified in the public interest, for example:
- to help prevent or detect serious crime
- where there is a serious risk to you, other people, staff or the public
- to protect children or adults at risk.
We may also use information in a de-identified or anonymised form for purposes beyond your individual care, such as service planning, audit, public health and legal reporting, where this is lawful.
What is our lawful basis for using information?
Under UK GDPR, the lawful bases we rely on for processing personal information include:
- Article 6(1)(b) – we have a contractual obligation
- Article 6(1)(e) – public task, where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Article 6(1)(c) – legal obligation, where processing is necessary for compliance with the law
- Article 6(1)(f) – we have a legitimate interest
Where we process special category information, including health information, we rely on:
- Article 9(2)(h) – provision of health or social care or treatment, or management of health or social care systems and services
- Article 9(2)(i) – public health, where applicable
- Article 9(2)(f) – legal claims, where applicable
- Article 9(2)(g) – substantial public interest, where applicable and supported by law
Common law duty of confidentiality
In addition to UK GDPR and the Data Protection Act 2018, we also owe patients a common law duty of confidentiality. We meet this duty because:
- you have given consent, either implied for your direct care or explicit for another purpose
- we have legal authority to use or share the information
- we have approval under section 251 support, where applicable
- in exceptional circumstances, the public interest in disclosure outweighs the duty of confidentiality.
How do we store your personal information?
Your information is stored securely in electronic and paper records. We use appropriate technical and organisational measures, including access controls and confidentiality requirements, to protect your personal information:
- Your information is securely stored for the time periods specified in the Records Management Code of Practice.
- We securely dispose of records when they no longer need to be kept, for example by shredding confidential paper records and securely deleting or overwriting electronic records in accordance with NHS standards.
What are your data protection rights?
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information (known as a subject access request).
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. In some cases, we may need to ask for proof of identity before responding to your request. Some rights are not absolute and may be limited where health records are concerned or where an exemption applies. If you wish to make a right of access request, email CHPL.secretaries@nhs.net.
National data opt-out
We apply the National Data Opt-out where we use confidential patient information for planning or research purposes, where the opt-out applies. The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear lawful basis to use this information. Wherever possible, data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.
You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes. Data would only be used in this way with your specific agreement.
Summary Care Record
Summary Care Record (SCR) information may be made available to authorised health and care professionals involved in your direct care. This helps to support safer care, particularly in urgent or emergency situations. These changes to the SCR will remain in place unless you decide otherwise.
Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.
You can exercise these choices by doing the following:
- Choose to have a Summary Care Record with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.
- Choose to have a Summary Care Record with Core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.
- Choose to opt out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.
To make these changes, you should inform your GP practice.
How do I complain?
If you have concerns about how we use your personal information, please contact the Practice Admin Manager or call us on 01482 236098. Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.
The ICO’s address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: www.ico.org.uk
Freedom Of Information (FOI)
The Freedom of Information Act 2000 applies to City Health Practice Ltd. If you would like to make a Freedom of Information request, please contact us at CHPL.secretaries@nhs.net or call 01482 236098. You may wish to direct your FOI to one of our commissioners who may be able to support your request for information.
Humber and North Yorkshire Integrated Care Board
Email: hnyicb.foi@nhs.net
Address: Freedom of Information, Humber and North Yorkshire ICB Team, Health House, Grange Park Lane, Willerby, HU10 6DT
NHS England
Email: england.contactus@nhs.net
Address: NHS England, PO Box 16738, Redditch, B97 9PT
OpenSAFELY
NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.
Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym. Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.
Patients who do not wish for their data to be used as part of this process can register a type 1 opt-out with their GP.
Find additional information about OpenSAFELY.
Rapid Health
NHS login
If you access Rapid Health using your NHS login details, the identity verification services are managed by NHS England.
NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “data processor” only and we must act under the instructions provided by NHS England (as the “data controller”) when verifying your identity.
For more information on NHS login, see the NHS login privacy notice and NHS login terms and conditions.
NHS App
You can access Rapid Health on the NHS App using your NHS login details. If you sign in using NHS login, we will ask your permission to share your NHS login information with our service.
This allows us to fill in some personal details for you, such as your name, date of birth and contact details.
We will not use your NHS login information for any other purposes. You can only share your NHS login information if you have proved your identity to NHS login.
You can choose not to share your NHS login information with Rapid Health but you will need to enter your information yourself whilst using the service.
For more information, see the NHS login privacy notice and NHS login terms and conditions.
Information you provide to Rapid Health
GP practices are the data controller and Rapid Health is a data processor for information sent by patients to the practice using Rapid Health.
There is a ‘How your information is used’ box on the Rapid Health page where you give your name for a request, and further detail below.
If you don’t have an email address on your record
We allow patients without an email address on their record to send requests using Rapid Health, but for your safety and security, these requests can’t be offered appointment self-booking, as we need to check the patient’s identity first.
We always email you to say we got your request. Something is wrong if you don’t get a reply, so check your spam/junk folder if you don’t see one. Send another request or call the practice if you don’t get a reply within 15 minutes of sending your request. We need to reply to you when we get a request. This reply says we got your request, what to expect and what to do if you are not well.
If you have an email address on your record, we can offer you self-booking, using the email address you put on your request (if a self-booking appointment is available).
Using a different email address
If you use a different email address for a request from the one on your patient record at your GP practice, we’ll send replies to the email address you used for the request, but will also send a security email to the email address on your record.
Security emails say only that we got a request for you (or that an appointment was booked/changed/cancelled for you) and if this wasn’t you, to contact the practice.
If a different email address is used for a request for a child from what is on their record, a security email is sent to the email address on their record.
Date of last review: May 2026
Next review date: May 2027
