1.           Introduction

The Data Protection Regulations in the UK include two key pieces of law:

• The Data Protection Act 2018
• The UK GDPR

There are other regulations in specific areas which need to be taken into account. This Privacy Notice has been written within the legislative framework as at November 2023. It will be revised as the framework and case law change.  This notice was last updated November 2023.

2.           What is this Privacy Notice about?

This Privacy Notice is part of the information to data subjects about how personal data is used. Being transparent and providing accessible information to individuals about how organisations will use their personal information is a key element of Data Protection Regulations.

This Privacy Notice is part of our programme to make the data processing activities we are carrying out in order to meet our healthcare obligations transparent.

The Privacy Notice tells you about information we collect and hold about you, the legal basis for collecting and holding the information, what we do with it, how we keep it secure (confidential), who we might share it with and what your rights are in relation to your information.

3.           Who we are

Fernlea Surgery provides Primary Healthcare Services to 12,000 patients.

Situated within South Tottenham Haringey, the surgery has a diverse group of patients and staff members. This includes a wide variety of age groups, different ethnicities and backgrounds.

Working as a team we ensure the highest quality of service is provided.

4.           Types of information we use

We use the following types of information/data:

• Personal data and special category personal data such as:
• demographics – name, address, date of birth, postcode, NHS number
• racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, medical/health data, sexual life or sexual orientation data.

(special category personal data is sometimes called sensitive personal data)

• Pseudonymised – about individuals but with identifying details (such as name or NHS number) replaced with a unique code.
• Anonymised – about individuals but with identifying details removed.
• Aggregated – anonymised information grouped together so that it doesn’t identify individuals.

5.           What we use your personal data and special category personal for

We use and share information about you in a number of ways. These include, if you are a patient:

Primary uses – information from your GP medical record which can be made available to other NHS and public sector organisations, including doctors, nurses and care professionals in order to help them make the best informed decision, and provide you with the best possible direct care delivery.

Secondary uses – information from your GP medical record involves extracting identifiable data and (usually) sharing that data with other NHS organisations, for the purpose of indirect care. Examples include using your information for research, auditing, and healthcare planning (population health management).

If you’re a member of staff, we process your data for the purposes of your employment contract, professional monitoring requirements, your health and safety and other employment-related matters.

You have rights to object to the use of your personal data in some circumstances, particularly for secondary use. These are often called “opt-outs”. Details of the available objections are given in section 15 below.

6.           Identity and Contact details of the Data Controller and Data Protection Officer 

5.           What we use your personal data and special category personal for

Practice Contact Details

Fernlea Surgery, 114 High Road, South Tottenham, London, N15 6JR, Tel: 02088096445

Practice ICO Reference Number: Z5137907

Data Protection Officer

You can contact the data protection officer by post at the practice address, addressed for the attention of the Data Protection Officer, or by email to

Name: Steve Durbin

Email: dpo.ncl@nhs.net

Please quote the practice name in any communication. The Data Protection Officer service is provided across NCL practices.

7.           Organisations we share your personal information with

We share information about you with other GPs, NHS acute or mental health Trusts, local authorities, community health providers, pharmacists, commissioning organisations, medical research organisations and some specific non-NHS organisations for the purposes of direct care and secondary uses.

We are required under the law to provide you with the following information how we process your personal data, the purpose of proposing, recipient/categories of your personal data, the identity of our Data Protection Officer (DPO), how long we retain personal information about you, the legal basis and justification for the processing, and your right to view, request access copies of your personal information, or object to the processing.

Included below is a table of the organisations we share information about you, and data processors we use to process your information, split into the following categories.

a.      Direct Medical Care and Administration

b.      Other primary care services delivered for the purposes of direct care

c.      Statutory Disclosures of Information

d.      Processing for the Purposes of Commissioning, Planning, Research and Risk Stratification

e.      Data Sharing Databases

f.       Data Processors

In most cases, the Data Controller and Data Protection Officer (DPO) are as listed in section 6 above. Where they are not, they are specified in the table.