Privacy policy


Cranwich Road Surgery Privacy Policy

Effective Date: October 2025
Reviewed by: Practice Manager - G. Rajah
Next Review Due: October 2026

Introduction

At Cranwich Road Surgery, we are committed to protecting your privacy and the confidentiality of your personal information. This Privacy Policy explains how we collect, use, store, share, and protect your personal data, in compliance with the Data Protection Act 2018, which incorporates the UK General Data Protection Regulation (UK GDPR).

Our primary purpose is to provide safe, high-quality care. To do this, we must collect, store, and, when necessary, share information about our patients.

Who We Are

  • Data Controller: Cranwich Road Surgery

  • Data Protection Officer (DPO): NHS North East London ICB

Information We Collect

We may collect and process the following types of data:

  • Personal identification: name, address, date of birth, NHS number

  • Contact details: telephone number, mobile number, email

  • Demographic information: gender, ethnicity, occupation, family members, carers

  • Medical data: appointments, test results, diagnoses, treatment plans, referrals, prescriptions, allergies, and medical history

  • Correspondence: with you and other care providers

  • Lifestyle information where relevant: smoking, alcohol intake, social circumstances

  • Safeguarding information (children and vulnerable adults)

All medical records are treated as special category (sensitive) data, and handled with heightened care.

Why We Process Your Data

We process your data to provide direct care. This includes:

  • Diagnosing and treating health conditions

  • Referring you to other services (e.g. hospitals, community care)

  • Managing prescriptions

  • Delivering preventative care

  • Responding to emergencies

We also process anonymised or pseudonymised data to:

  • Audit services and improve quality of care

  • Conduct research and development

  • Plan future NHS services

  • Monitor safety and outcomes

Legal Basis for Processing

The legal bases under GDPR for processing your data include:

  • Article 6(1)(c) – Legal obligation

  • Article 6(1)(e) – Public task

  • Article 9(2)(h) – Provision of health or social care

  • Common Law Duty of Confidentiality – Implied consent for direct care

Who We Share Information With

Your data may be shared with:

  • GPs, nurses, and admin staff at the surgery

  • Hospitals and specialists

  • Community services (e.g. district nurses, health visitors)

  • Pharmacists

  • Mental health services

  • Local authorities and social care providers

  • NHS England, ICBs, NHS Digital

  • Emergency services

  • Coroner’s services (in specific circumstances)

  • Voluntary sector (e.g. social prescribing)

We use EMIS Health systems and approved NHS data tools like EMIS Enterprise, Apollo, and INR Star to securely store and process your data.

We do not sell or share data for marketing purposes. We only share information with insurers with your explicit consent.

Communication with You

We may use text messages, phone calls, or emails to:

  • Remind you of appointments

  • Share test results

  • Invite you for vaccinations or reviews

Please ensure your contact details are up to date. You can opt out of these communication methods at any time.

We may also use YouTube or online media for public health messaging; patients can opt out of this communication.

Summary Care Record (SCR) & Local Shared Records

All patients have an SCR unless they opt out. The SCR helps clinicians outside the surgery access essential information during emergencies or urgent care.

Locally, we share summary data via One London, a secure shared patient record initiative.

Covid-19 Pandemic and COPI Notices

During the Covid-19 pandemic, under COPI (Control of Patient Information) Notices, data was shared more extensively for:

  • Managing outbreaks

  • Identifying vulnerable patients

  • National vaccination rollouts

These provisions end once COPI notices are withdrawn.

Automated Data Use

We may use automated tools and algorithms (e.g., risk stratification software) to identify high-risk patients, such as those likely to fall or need shielding.

Patients can opt out of automated processing after the COPI notice is withdrawn.

Research & Planning

We contribute anonymised/pseudonymised data to support NHS research and planning. Identifiable data is only used for research with your consent.

More information is available from NHS Digital:
GP Data for Planning and Research Privacy Notice

Your Rights

You have the right to:

  • Access your information

  • Correct inaccurate data

  • Object to specific uses of your data (Article 21)

  • Opt out of data being used for planning/research (via Your NHS Data Matters)

You cannot opt out of your data being used for direct care.

How Long We Keep Your Data

We retain records in line with the NHS Records Management Code of Practice. Medical records are retained for your lifetime and transferred when you move practice.

More information:
Records Management Code of Practice

How We Store Your Data

We store your data on secure systems managed by:

  • EMIS Health (Cloud-based records)

  • INR Star (For patients on warfarin – managed by LumiraDX)

All data is stored in UK Government-approved data centres.

Safeguarding and Caldicott Guardian

The practice has a duty to safeguard vulnerable adults and children. Where necessary, information may be shared with appropriate agencies in the patient’s best interests.

Our Caldicott Guardian (a senior GP) ensures any data sharing is proportionate and lawful. Their decisions are final.

Data Processors

We may use approved third-party processors to deliver services, including:

  • EMIS Health

  • LumiraDX (INR Star)

  • Other NHS-contracted IT and clinical service providers

All data processors are under strict confidentiality and security obligations.

Complaints and Queries

If you have a question or concern about how your data is handled:

If you are not satisfied, you can escalate the issue to the:

Information Commissioner's Office (ICO)

Website: www.ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Ln, Wilmslow SK9 5AF

National Data Opt-Out

To manage your NHS data preferences for planning and research:

Visit: www.nhs.uk/your-nhs-data-matters

Changes to This Policy

We review this policy annually or when there are significant changes in law or practice.

  • Cranwich Road Surgery
    62 Cranwich Road, N16 5JF
  • 020 8802 2002

This document reflects our commitment to transparency, patient privacy, and high-quality care. If you have any concerns, please contact the surgery and speak to the Practice Manager.

 


COVID-19 Vaccination Programme (PCN Delivery)

 
Springfield Park Primary Care Network (PCN), which includes Spring Hill Practice, Stamford Hill Group Practice, and The Surgery (Cranwich Road), delivers the COVID-19 vaccination service collaboratively on behalf of all practices within the network.
 
To enable safe and effective delivery of the vaccination programme, limited and necessary patient information is shared between the practices within the PCN. This includes information required to identify eligible patients, record vaccinations, and support follow-up care.
 
Lawful Basis for Processing
Processing of patient information for this purpose is carried out under:
All processing is conducted in accordance with the UK GDPR, the Data Protection Act 2018, and NHS information governance requirements.
 
Data Sharing and Security
Only staff directly involved in delivering the vaccination programme will have access to relevant information.
Data is shared securely using NHS-approved systems (e.g., EMIS, Pinnacle, or NIMS) and is retained in line with national NHS record-keeping standards.
No data is shared with external organisations for non-care purposes without a lawful basis and appropriate data sharing agreements.
 
Your Rights
Patients have the right to:
Further details about your data protection rights are available in our full Practice Privacy Notice, or you may contact the PCN Data Protection Officer:
 
DPO Name: NHS North East London ICB
DPO Address: 4th Floor, Unex Tower, 5 Station Rd, London, E15 1DA
Tel: 0800 917 8607
Email: Itservicedesk.nelicb@nhs.net

Page last reviewed: 09 October 2025
Page created: 20 May 2025