1. Introduction

1.1 Policy Statement

NHS England (previously NHS Digital) collects and processes information to improve health and care for everyone. The information collected is used to:

  • Run and improve the health service
  • Manage public health concerns, including epidemics and pandemics
  • Plan future services and capacity
  • Support research into health conditions, diseases and treatments

1.2 Principles

Forest Hill Road Group Practice is a data controller and has a legal duty under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA18) to explain why it uses patient data and how it is processed.
We are committed to being transparent and ensuring patients understand what information we collect, how we use it, who we share it with, and how it is protected.

1.3 Status

This document and any procedures contained within it form part of your contract of employment. Employees will be consulted on any modifications or changes to the document’s status.

1.4 Training and Support

The practice will provide training, guidance and support to all staff to ensure they understand their rights and responsibilities under this policy. Managers and supervisors will receive additional support to deal with data protection matters effectively.

2. Scope

2.1 Who it applies to

This policy applies to all employees, partners and directors of the practice. Other individuals performing functions in relation to the practice, such as agency workers, locums and contractors, are also expected to comply with this policy.

2.2 Why and how it applies

All staff must be familiar with the practice Privacy Notice and be able to advise patients, their relatives and carers about:

  • What personal information is collected
  • How that information may be used
  • With whom that information may be shared

Transparency is a key principle of the UK GDPR and is essential in protecting patient rights.

3. Definitions

  • Privacy Notice – A statement explaining how the practice collects, uses, discloses and manages a patient’s data.
  • Data Protection Act 2018 (DPA18) – The UK legislation governing data protection, incorporating GDPR principles.
  • ICO (Information Commissioner’s Office) – The UK’s independent regulator for information rights and data privacy.
  • UK GDPR – Post-Brexit UK version of the EU GDPR, in force since 1 January 2021.
  • Data Controller – The entity that determines why and how personal data is processed.
  • Data Subject – A natural person whose personal data is processed.

4. Compliance with Regulations

4.1 UK GDPR Compliance

Forest Hill Road Group Practice will ensure that all information provided to data subjects is:

  • Concise, transparent, intelligible and easily accessible
  • Written in clear and plain language
  • Provided free of charge

4.2 Article 5 Principles

Personal data must be:

  1. Processed lawfully, fairly and transparently
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and kept up to date
  5. Kept for no longer than necessary
  6. Processed securely, with protection against unauthorised or unlawful processing, loss or damage

4.3 Communicating Privacy Information

Our Privacy Notice is:

  • Displayed on our website
  • Available on posters in the waiting area
  • Provided to patients during registration

5. What Data We Collect

Forest Hill Road Group Practice collects and holds the following data:

  • Personal details (name, date of birth, NHS number, address, next of kin)
  • Medical records (electronic and paper-based)
  • Appointment and consultation records
  • Medication, treatment and care details
  • Test results (e.g., pathology, imaging)
  • Telephone call recordings (see Section 6 below)
  • Any other information relevant to patient care

6. Call Recording Notice

Forest Hill Road Group Practice records both incoming and outgoing calls:

  • All calls are recorded for training, monitoring and quality purposes.
  • Call recordings can only be accessed by the Practice Management team.
  • Recordings are stored securely on a cloud-based system for a maximum of 3 months.
  • Access is strictly controlled and restricted to authorised staff only.
  • Recordings are protected against unauthorised access in compliance with UK GDPR and NHS standards.

7. National Data Opt-Out

Patients may choose whether their confidential patient information is used for:

  • Their own care and treatment only
  • Research and planning purposes

The National Data Opt-Out allows patients to register their preference. Staff can support patients who wish to opt out online or through alternative methods.

8. Confidentiality and Subject Access

  • We are committed to confidentiality and protecting patient data.
  • Patients have the right to access their records via a Subject Access Request (SAR).
  • Patients can request corrections if they believe their data is inaccurate.

9. Retention Periods

  • Health records are retained in line with the NHS Records Management Code of Practice.
  • Records are generally kept for 10 years after a patient’s death (or 10 years after emigration).
  • Call recordings are retained for 3 months only.

10. Questions and Complaints

Patients can:

  • Contact the Practice Data Controller (the GP Partners)
  • Write to: Forest Hill Road Group Practice, 1 Forest Hill Road, London, SE22 0SQ
  • Speak with the Practice Manager

The Data Protection Officer (DPO) for the practice is Roksana Kalisz.

If patients are dissatisfied, they may complain directly to the ICO via the “Raising a Concern” section of the ICO website.