Privacy notice

When you use a health service, important information about you is collected in a patient record. This helps to ensure you get the best possible care. Confidential patient information about you is only used like this where allowed by law. To find out more or to register to opt out, visit the Your data Matters page on the NHS website.

You can find out more at: Patient information and health and care research page (NHS Health Authority website) and the Introducing patient data page – Understanding Patient data website (why patient information is used, the safeguards and how decisions are made). If you are happy with the way we use your data, you don’t need to do anything. Our organisation is currently compliant with the national data opt-out policy and has processes in place to apply your choice. You can change your mind about your choice.

This privacy notice lets you know what happens to your personal data – it applies to personal information processed by or on behalf of the surgery. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 became law on 25.05.18. The surgery responsible for your personal data is The Collegiate Medical Centre.

Keeping your personal data safe is central to the GM Care Record

Each health and care organisation in Greater Manchester collects information about you and keeps records about the care and services they have provided. The GM Care record pulls together the information from these different health and social care records and displays it in one combined record.

How is your personal information kept safe and secure in the GM Care Record?

We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information.

Appropriate technical and security measures in place to protect the GM Care Record include:

  • complying with Data Protection Legislation;
  • encrypting Personal Data transmitted between partners;
  • implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures;
  • a requirement for organisations to complete the Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements;
  • use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the GM Care Record are auditable against an individual accessing the GM Care Record;
  • ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.

The NHS Digital Code of Practice on Confidential Information applies to all NHS and care staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff with access to Personal Data are trained to ensure information is kept confidential.

How we use your information

The Collegiate Medical Centre will be what’s known as the ‘Controller’ of your personal data. We collect basic personal data about you and location-based information. This includes name, address and contact details. We collect sensitive confidential data known as “special category personal data”, including religion, ethnicity and sex life information. We may also receive this from other health providers.

NHS records are electronic, paper-based or both. Our surgeries and technology keep data confidential and secure. They include your name, address, notes and reports about your health, details about treatment, and results of investigations. Also, information from other health professionals, relatives or carers and contact details. This facilitates your care and contacting you. Limited information may be used within the surgery for clinical audit to monitor the quality of the service we provided.

How do we lawfully use your data?

We need your personal data to provide you with healthcare as a General Practice, under the General Data Protection Regulation, in accordance with Article 6, (e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” and Article 9, (h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems”.

We use your information when speaking to other healthcare professionals during the course of your care and when we are required by law to hand over your information to other organisations, such as the police, or immigration enforcement. We will not pass your personal data to anyone who does not need it, or has no right to it, unless you give us consent to do so.

Legal justification for collecting and using your information

The law says we need a legal basis to handle your personal and healthcare information. We have a contract with NHS England to deliver healthcare services to you, as you have registered at our surgery. You have the right to withdraw consent at any time if you no longer wish to receive services from us.

Special categories

The law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use your information may be as follows:

Public interest:

When your data is considered to be in the public interest (i.e. an outbreak of a disease).


When you have given us consent.

Vital interest:

If you are incapable of giving consent, and we use it to protect your vital interests.

Defending a claim:

If we need your information to defend a legal claim against us by you, or by another party.

Providing you with medical care:

To provide you with medical and healthcare services.

Risk stratification

Data tools are used in the NHS to help determine a person’s risk of a condition, preventing an admission or a need for preventive intervention. The identifying parts of your data are removed. This enables your GP to focus on preventing ill health and not just the treatment of sickness. You can opt out of your data being used in this way.

Medicines management

We review medications to ensure patients receive appropriate, up to date and cost-effective treatments.

Anonymised information

Information is used to analyse population-level health issues to plan better services. None of the information will identify you as an individual and it cannot be traced back to you.

NHS 111

Authorised staff at NHS 111 can access our clinical system and book directly on behalf of a patient. They will not even have access to your record.

Patient communication

Let us know as soon as possible if you change your contact details by contacting the surgery. We need to be able to contact you regarding your healthcare. We assume you give permission to contact you via SMS if you have provided a mobile telephone number. Please let us know if you wish to opt out of this SMS service.


The surgery is dedicated to ensuring the principles of safeguarding adults and children. We may share information to ensure duty of care with other partners such as local authorities, and the police.

Third party processors

To deliver the best service, the surgery may share data with other NHS bodies and selected third party service providers, to process data on our behalf. We will have an appropriate agreement in place to ensure that they keep the data secure. Third parties include IT services, systems which manage patient services (such as our website) and pharmacies to facilitate electronic prescription services.

How do we maintain the confidentiality of your records?

Staff have an obligation to keep your information confidential. Employees and sub-contractors engaged sign a confidentiality agreement.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing. However, in some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

National opt-out facility

You can choose whether your confidential patient information is used for research and planning by the NHS, local authorities, university/hospital researchers, and pharmaceutical companies researching new treatments.

Making your data opt-out choice

You can choose to opt out of sharing your information. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. This will not affect your care and treatment.

What should you do next?

You do not need to do anything if you are happy about how your confidential patient information is used. If you do not want your information to be used for research and planning, you can choose to opt out securely online or through a telephone service. To find out more or to make your choice visit or call 0300 303 5678.

NHS Digital data collection from the surgery

The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. GP surgeries already share patient data for these purposes, but this new data collection will be more efficient and effective. NHS Digital will collect, analyse, publish and share this patient data to improve health and care services for everyone. This includes:

  • informing and developing health and social care policy
  • planning and commissioning health and care services
  • taking steps to protect public health (including managing and monitoring the coronavirus pandemic)
  • enabling healthcare and scientific research

Any data that NHS Digital collects will only be used for health and care purposes. It is never shared with marketing or insurance companies.

Patient data NHS Digital will collect

This collection starts from 01.09.21 and covers patients registered with a GP in England when the collection started. This includes children and adults, and patients who died after 01.09.21 who were registered with a GP in England when the data collection started. NHS Digital will collect data on sex, ethnicity and sexual orientation, and clinical codes about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and appointments, including information about your physical, mental and sexual health, plus data about staff who have treated you.

Patient data NHS Digital will not collect

We will not collect your name or where you live, or any other data that could identify you. For example, your NHS number, full postcode and date of birth are replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital. Written notes such as the details of conversations with clinicians, images, letters, and documents will not be collected. Coded data that is not needed due to its age (for example, medication that is over 10 years old) and data that GPs are not permitted to share by law (for example, about IVF treatment and gender re-assignment) will also not be collected.

Opting out of NHS Digital collecting your data (type 1 opt-out)

If you do not want your identifiable patient data to be shared outside of your GP surgery for purposes except for your own care, you can register an opt-out with your GP surgery. This is known as a Type 1 Opt-out.

Type 1 Opt-outs were introduced in 2013 for data sharing from GP surgeries, but may be discontinued in the future as a new opt-out has since been introduced to cover the broader health and care system, called the National Data Opt-out. If this happens, people who have registered a Type 1 Opt-out will be informed.

NHS Digital will not collect any patient data for patients who have already registered a Type 1 Opt-out, in line with current policy. If this changes, patients who have registered a Type 1 Opt-out will be informed.

You can register a Type 1 Opt-out at any time. You can also change your mind and withdraw a Type 1 Opt-out.

If you wish to register a Type 1 Opt-out with your GP surgery before data sharing starts with NHS Digital, this should be done by completing and submitting our online Type 1 Opt-out form to your GP surgery by 23rd August 2021 to allow time for processing it.

If you have previously registered a Type 1 Opt-out and you would like to withdraw this, you can also use the form to do this. You can send the form by post or email to your GP surgery or call 0300 3035678 for a form to be sent out to you.

If you register a Type 1 Opt-out after your patient data has already been shared with NHS Digital, no more of your data will be shared with NHS Digital. NHS Digital will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.

NHS Digital has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP surgeries for health and social care purposes including policy, planning, commissioning, public health and research purposes.

NHS Digital is the controller of the patient data collected and analysed under the GDPR jointly with the Secretary of State for Health and Social Care.

All GP surgeries in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP surgeries.

Who NHS Digital share patient data with

All data which is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will be shared.

All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHS Digital’s Data Access Request Service, to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.

These requests for access to patient data will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.

There are a number of organisations who are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:

  • the Department of Health and Social Care and its executive agencies, including Public Health England and other government departments
  • NHS England and NHS Improvement
  • primary care networks (PCNs), clinical commissioning groups (CCGs) and integrated care organisations (ICOs)
  • local authorities
  • research organisations, including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies

Where NHS Digital stores patient data

NHS Digital only stores and processes patient data for this data collection within the United Kingdom (UK). Fully anonymous data (that does not allow you to be directly or indirectly identified) may be stored and processed outside of the UK. If it is, we will always ensure that the transfer outside of the UK complies with data protection laws.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance, this information may be located on servers within the European Union. No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place (such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

Our partner organisations include:

NHS Trusts / Foundation Trusts, GPs, Primary Care Network, contractors such as dentists and pharmacists, Private Sector Providers, Voluntary Sector Providers, Ambulance Trusts, CCGs, Social Services, NHS England and NHS Digital, Multi Agency Safeguarding Hub (MASH), Local Authorities, Police & Judicial Services

Shared care records

To support your care and improve the sharing of relevant information with our partner organisations (as above) when they are involved in looking after you, we will share information with other systems. You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent.

Sharing your information without consent

There are times when we may be required by law to share your information without your consent, for example: where there is a serious risk of harm or abuse to you or other people; safeguarding matters and investigations where a serious crime, such as assault, is being investigated or where it could be prevented; notification of new births; where we encounter infectious diseases that may endanger the safety of others; or where a formal court order has been issued.

How long will we store your information?

This is specified by the NHS Records management code of practice for health and social care.

Primary Care Network

The objective of primary care networks (PCNs) is to group surgeries together to create collaborative workforces. The surgery may share your information with other surgeries within the PCN.

Access to your personal information

Data Subject Access Requests (DSAR): You have a right to request access to view or obtain copies of the information the surgery holds about you and to have it amended should it be inaccurate. Your request should be made to the surgery – there is no charge.

Online access

You may request online access to your medical record. There are certain protocols we have to follow in order to give you online access. Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure.

Our website

The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website then you will need to read their Privacy Notice. We take no responsibility for the content of other websites.

Telephone system

Our system records calls. Recordings are retained for up to six months.

Objections/ complaints

Should you have any concerns about how your information is managed at the surgery, please contact Dr S Shahbaz or the Data Protection Officer (Ashley Morgan-Phillips). If you are still unhappy following a review by the GP surgery, you have a right to lodge a complaint with the UK supervisory authority as below:

Supplementary privacy notice

By order of the Secretary of State our COPI Notice has been extended.

Please visit – Control of patient information (COPI) notice for more information.