Privacy Notice




Data protection and confidentiality

Our identity – who we are, what we do.

The practice is part of the Hurley Group. The group is a traditional GP Partnership, but we are rather unique in that we run several GP practices, walk-in centres, urgent care centres and a health service for unwell doctors (Practitioner Health Services).


The reasons why we collect and use patient data

We collect data on patients so we can deliver direct patient care, and this means we can process patient data lawfully under the General Data Protection Regulations 2018 (GDPR). We are therefore known as a Data Controller.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this service holds about you may include the following information, and they are retained until a person dies:

  • Details about you, such as your address, email address, telephone number, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within our services for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested for research purposes. The surgery will always gain your consent before releasing the information for this purpose (further detail below).


How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulation 2018
  • Data Protection Act 1998
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. All our staff undergo yearly training on data protection.

We will only ever use or pass on health information about you if others involved in your care have a genuine need for it. We will not disclose your health information to any third party without your permission unless:

  • there are exceptional circumstances (i.e. life or death situations),
  • where the law requires information to be passed on (e.g. in event of a serious crime)
  • in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information: To Share or Not to Share), where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.


Hurley Group Oversight

We have assigned a Data Protection Officer who has oversight of the handling of information within the Hurley Group. They oversee and make decisions on information sharing and are accountable for information risk. If you wish to contact the Data Protection Officer please contact or contact the service directly.


Other Data Sharing / Access Projects and special cases

Direct Patient Care

Often we have to share information for your medical care, such as with a hospital when we refer you or if you attend an urgent care centre. Many of our services also have electronic links with another GP service, hospital, out of hours or community service so they can see the record that we hold, and vice versa, when they are dealing with your medical care directly. Please contact the service if you would like more detail.


Special cases and the Law

The law requires us to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

  • plan and manage services;
  • check that the care being provided is safe;
  • prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and the local health protection team (or Public Health England) when the law requires us to do so.


NHS Digital

  • NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
  • It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
  • This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
  • More information about NHS Digital and how it uses information can be found on their website
  • NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on the Home Office website



General Practice Data for Planning and Research

  • This new service replaces existing GP data extraction services on 1st September 2021
  • It shares pseudonymised data i.e. it will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, full postcode and date of birth, is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.
  • The service will collect:


Care Quality Commission (CQC)


Public Health

  • The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
  • We will report the relevant information to the local health protection team or Public Health England.

For more information about Public Health England and disease reporting visit their website


National screening programmes

  • The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
  • These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
  • The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found on the government website


Medical Research

Hurley Group shares information from medical records:

  • to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
  • we will also use your medical records to carry out research within the practice.

This is important because:

  • the use of information from GP medical records is very useful in developing new treatments and medicines;
  • medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with medical research organisations with your explicit consent or when the law allows.

The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits):

Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

For medical research: there are two possible Article 9 conditions.

Article 9(2)(a) – ‘the data subject has given explicit consent…’


Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.

To check the quality of care (clinical audit):

Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.



Some of our practices have CCTV in place for security reasons. These records are kept secure in a similar manner to patient records and follow the ICO code of practice.

Information is only shared in the exceptional circumstances set out above.


Recorded Telephone calls

All our Patients should be aware that this Practice records telephone calls to and from the practice.

The primary purpose of call recording at our Practice sites is for training and monitoring purposes. This includes the provision of a record of incoming and outgoing calls which can:

  • Identify practice staff training needs
  • Protect practice staff from nuisance or abusive calls
  • Establish facts relating to incoming/outgoing calls made (e.g. complaints)
  • Identify any issues in practice processes with a view to improving them (e.g. to aid workforce planning)

Our Practices will make every reasonable effort to advise callers that their call may be recorded and for what purpose the recording may be used. This will normally be via a pre-recorded message within the telephone system and via signage at the practice.

We lawfully do not require your consent under articles 6(1)(e) and 9(2)(b)(c)(h) of the Data Protection Act 2018; however, you do have the right to terminate the call if you do not wish for the call to be recorded.

The recording will be securely stored within the telephone recording system software to which strict rules of confidentiality will apply. The recording data will be retained for 36 months on the Telephony System before deletion.

The telephone service supplier operates under an approved code of practice for the storage of recorded calls. Calls are stored for a limited period of time.

The practice sites’ data protection registration also covers voice files similarly to other data.

If you need to request a copy of a recording, please do the following:

Make a request in writing to the Practice Manager. The written request must state the following:

  1. The reason for the request
  2. Date and time of the call if known
  3. Telephone extension used to make/receive the call
  4. External number involved
  5. Where possible, the names of all parties to the telephone call
  6. Any other information on the nature of the call


Video Consultations

If either you or one of our clinicians have requested a video consultation using the Hurley Group’s Video Consultation solution, it will be treated as any other consultation you have with your GP. However, you will need to be aware of the following:

The Hurley Group takes your privacy and the security of your personal information very seriously and will ensure that it is kept secure and protected. To ensure the safety of your personal information, all communication between the GP and patient devices is encrypted to NHS standards. However, you should be aware that no communication over the internet is 100% secure. If you have any concerns about this, you may request a face-to-face or telephone appointment. Video consultations are entirely voluntary and are offered to extend access and provide patient choice.

The Video Consultation application itself cannot protect users from spyware, so you should always ensure that you have adequate anti-virus/malware protection on any device you use for the video consultation. If you choose to use the Video Consultation solution on your mobile device, you should make adequate provision to ensure the security of the device you choose to use.

We will always conduct a video consultation in a quiet, private space, free of interruptions, where others cannot overhear. You are responsible for ensuring that you are in an appropriate environment, and we recommend that you find a quiet, private place to speak to us.

You will be provided with instructions for joining the video consultation as per the process set out for the video solution in use. You will be required to provide your consent to the terms and conditions of the service and the invitation in order for you to proceed with the scheduled consultation. If you share an account with other people, such as your family members, they may have access to some information about the consultation. If you are using a public or shared device then you should be aware that some of your personal information may be stored locally on the computer you are using.

Should we seek to record the video consultation we will obtain and document your consent to do so. We will also explain why a recording will help in providing clinical care, who can access the recording, where and how it will be stored securely, how long it will be stored for and how it will be used (i.e. that the recording will not be used for any other purpose except for direct care without the patient’s express permission).


Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out.


Online Consultations (eConsults)

Hurley Group utilises online consultations. Information entered in an online consultation is stored in your clinical record just as it would be if you had seen the Doctor face-to-face. It is subject to the same information rules as anything else in your clinical record.


Hurley eHub

As part of our commitment to improving quality of care, many of our online consultations are now done remotely, on behalf of all of the surgeries in the Hurley Group (the ‘eHub’). Our Doctors who work in the eHub work for a range of surgeries across the Hurley Group. This means that you may be contacted by a doctor who works at a different surgery to the one you go to. However, they are fully employed by the Hurley Group and subject to the same confidentiality and information governance rules as described in this Notice.


North Lambeth eHub

The North Lambeth eHub processes online consultations for multiple practices in the North Lambeth Primary Care Network, similar to the Hurley eHub. In some instances, the practice may pass a consultation to our local “eHub” who are local clinicians and staff from local GP practices in North Lambeth who work collectively to deliver additional healthcare for our community. These clinicians have full access to your records to enable safe and effective care. All clinicians and administrators in this role are honorary employees of the Hurley Group and follow the same strict information governance guidance they would adhere to in their own practice. The practices involved are:

  • Hurley Clinic and Riverside Practices
  • Waterloo Health Centre
  • Lambeth Walk Group Practice

If you require further information, please contact the Data Protection Officer.

The Discovery Project

This is a new project looking to create a new data service where the local providers of your care (like your GP Surgery and hospitals) will link up their data more seamlessly in order to provide you with better quality care. Your local health and social care providers all have their own IT systems which hold your information in different places and this service aims to pull that data together to create a better picture of you and your care needs.

Only the Hurley Group has access to this data, via strict access controls.


Business Intelligence/AI

We use Business Intelligence tools to help us understand and develop the effectiveness of our services. This work is supported by our partner ‘Practice Unbound’, who develop the Business Intelligence systems that we use. Information is only accessible by The Hurley Group (and Practice Unbound’s nominated technical lead as part of their work for us). Information is not shared with anyone else.

The Hurley Group AI project processes copied data to understand and sort online consultations and documents related to our patients. This is done under the lawful basis under Article 6 - 6 (e) of the Data Protection Act 2018. This data is already held by us as Data Controller and is kept onsite on an isolated server. No data is transferred out of this server. Only 6 individuals have access, which includes our Data Processor’s (Deloitte) users. There are no solely automated decisions made by this AI. Data used for AI training will be removed at the completion of the project (likely to be October 2020).

Profiling is used for online consultation assessment. It does not finally determine any healthcare decision but is used to:

  • initially categorise a patient’s self-described symptoms
  • match the patient based on that categorisation to the first available clinician with health speciality knowledge relating to that categorisation
  • enhance the clinician’s care decision process


The consequence of this profiling is to assign the consultation to a GP practice employee. They can subsequently pass it manually to another, more appropriate user if required. No clinical decisions are made by the AI and there is no solely automated decision making; a human is always involved.



Our Practitioner Health Services use a survey tool called SmartSurvey to process registration forms and user feedback. We do not store data on SmartSurvey, and any personal data collected via the SmartSurvey tool is deleted once it has been added to your clinical record. We do not ask for any personally identifiable information in user surveys and these are usually anonymised returns.

Security - SmartSurvey


iGPR Technologies

We use a processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for. iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws. The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.


Access to personal information

You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the service - for information from the hospital you should write direct to them
  • There is no charge for this
  • We are required to respond to you within one calendar month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located


Objections / Complaints

Should you have any concerns about how your information is managed, please contact the service Manager or the Data Protection Officer. If you are still unhappy following a review by the service, you can then complain to the Information Commissioner’s Office (ICO) via their website.


Opting out of Data Sharing

If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.

If you do not want your personal data to be extracted and to leave the GP practice for any of the purposes described, you need to let us know as soon as possible.

We will then enter clinical codes into your records that will prevent data leaving the practice and / or leaving the central information system at NHS Digital. From the 25th of May you will be able to do this online. For more details visit their website 


Other Useful Sources of Information

  • Understanding Patient Data - A highly recommended source of information for patients that helps explain how your data is used in the health service