Privacy Notice

This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this, please view the GP Practice Privacy Notice for General Practice Data for Planning and Research.

This practice keeps data on you relating to the following:

  • who you are
  • where you live
  • what you do
  • your family or named contact/carers
  • your employers
  • your habits
  • your problems and diagnoses
  • the reasons you seek help
  • your appointments
  • where you are seen and when you are seen who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS.

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.

If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case. Highlands, Jubilee and Whiteley practices are now working together under as a Primary Care Network called Sovereign Health Network. For the purposes of direct care, the organisation referred to in this privacy notice is Sovereign Health Network.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.

Staff who have access to your information will only normally have access to that which they need to fulfill their roles,

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

COVID-19 Pandemic wording for practice privacy notices as at 25th March 2020:

Coronavirus (COVID-19) pandemic and your information

The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.

The ICO also recognise that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’

The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.

In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.

Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs.

The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 31st March 2021 unless a further extension is required. Any further extension will be will be provided in writing and we will communicate the same to you.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

Please note any digital image submitted as part of an online consultation will be stored within your clinical notes.

If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.

1) Data Controller contact details

Katie Dixon
On behalf of the Partners
The Highlands Practice
102 Highlands Road
PO15 6JF
Tel: 01329 845777
Working as Sovereign Health Network

2) Data Protection Officer contact details

Caroline Sims
DPO (Hampshire)

3) Purpose of the processing

Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

Organisations and their employees will also respect and comply with their obligations under the common law duty of confidence.

5) Recipient or categories of recipients of the processed data

The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.

  • Care Homes/Nursing Homes
  • Child and Adolescent Mental Health Service (CAMHS)
  • Child Health
  • Community Professionals (Social Workers/District Nurse/Health Visitors)
  • Continence and Stoma Service
  • Coroner
  • Care Quality Commission
  • Third Party mailing company (name and address only) – (Docmail) for vaccination campaigns
  • GP Practices in the Primary Care Network – Sovereign Health Network (working as Sovereign Health Partnership)
  • Care and Health Information Exchange (Formerly known as Hampshire Health Record)
  • Individual Funding Requests
  • MJOG – Text messaging system for vaccination campaigns and appointment reminders ( Mobile Telephone number only)
  • AccuRX – individual text messaging – system verified consent to use
  • E-Consult (patient explicit consent taken on website)
  • Multi Disciplinary Teams
  • Out of Hours Services
  • Primary Care Services England
  • Referrals to Private Healthcare
  • Safeguarding
  • Secondary Care (Hospitals)
  • Summary Care Record
  • Independent Contractors such as dentists, Opticians, pharmacists
  • Fire and Rescue Services
  • Police and Judicial Services
  • Wolfram Research Europe Limited – anonymised data for the development of population health strategies

Data Extraction by the Clinical Commissioning Group

The clinical commissioning group at times extracts information about your care, but the information they extract via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudonymised). We will never give the CCG access to any system or information that would enable them to identify you.

The Clinical Commissioning Group requires this pseudonymised information for the following purposes:

  • For management and monitoring of the GP Practice core contract
  • For management and monitoring of the GP Practice enhanced services
  • For assurance of compliance with these contracts
  • For assurance of the effective spending of public funding
  • To conform with delegated responsibilities from NHS England
  • To fulfil the CCGs role in ensuring services commissioned meet patient population need and are being delivered in accordance with commissioning intentions Other “data processors” which you will be informed of

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. Please contact the practice.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to Complain

You have the right to complain to the Information Commissioner’s Office, you can use this link or call their helpline Tel: 0303 123 1113 (local rate) or 0162 554 5745 (national rate).

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website) or speak to the practice.

This document is available in large print on request or in other languages on our Website.

ACR project for patients with diabetes

A programme sponsored by NHS Digital to monitor urine albumin:creatinine ratio (ACR) annually for patients with diabetes. This enables patients with diabetes to test their kidney function from home. We will share your contact details with to enable them to contact you and confirm that you wish them to send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. If you do not wish to be contacted by, you have the opportunity to say so by replying to the initial text message sent from the practice or when contact you. If you do not wish to receive any further information from then they will delete any data that they hold about you and we will continue to manage your care within the Practice. Further information about this is available at:



Prescriptions containing personal identifiable and health data will be shared with chemists/pharmacies, in order to provide patients with essential medication or treatment as their health needs dictate. This process is achieved either by face to face contact with the patient or electronically. Where patients have specified a nominated pharmacy they may wish their repeat or acute prescriptions to be ordered and sent directly to the pharmacy making a more efficient process. Arrangements can also be made with the pharmacy to deliver medication.

Legal Basis

Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) as stated below Patients will be required to nominate a preferred pharmacy.


Pharmacy of choice