Privacy Policy 

How We Use Your Personal Information

This information explains why Bexley Health Neighbourhood Community (BHNC) collects information about you and how that information will be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received. This can include care received within the GP practice, NHS Trusts, Walk-in clinics, Urgent Care centres, and the Bexley out of hours GP service.  These records help to provide you with the best possible healthcare.

BHNC is a registered data controller and must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is ZA233912 and our entry can be found in the Data Protection Register on the ICO website.

What Type of Personal Data Is Used

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technologies to ensure that your information is kept confidential and secure.  Records which this organisation holds about you may include the following information;

  • Details about you, such as your address, carer, legal representative, emergency contact details and NHS number

  • Any contact BHNC the organisation has had with you, such as appointments, clinic visits, emergency appointments, etc

  • Notes and reports about your health

  • Details about your treatment and care

  • Results of investigations such as laboratory tests, x-rays, images etc

  • Relevant information from other health professionals, relatives or those who care for you

  • Sensitive information, such as  racial, ethnic origin, religious beliefs and sexual orientation

  • Criminal offence information and/or safeguarding 


How Is Your Data Used

To ensure you receive the best possible care, your records are used to facilitate the care and treatment you receive. Information held about you may also be used to protect the health of the public and to help us manage the NHS. Information may be used within BHNC for clinical audits to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.  This information can be used by other NHS statutory organisations to improve and develop services and information is de-identified so that your personal identifiable information is not seen.

All patients who receive NHS care are registered on a national database.  The database is held securely by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.  More information can be found on the NHS Digital website



Purposes For Using Your Information

To Meet your Healthcare Needs

In line with our statutory duty, information is processed to provide direct health or social care to individual patients.  When a patient agrees to a referral for direct care, such as to a hospital, relevant information about you will be shared with the other healthcare organisations and staff to enable them to give appropriate advice, investigations, treatment and/or other care. This will include providing details of prescription information to pharmacists and advising you of other beneficial health information.

Preventing Ill Health (Risk Stratification)

The NHS are increasingly using technology to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission to hospital,  this is known at ‘Risk Stratification’.   Information about you is collected from a number of sources including NHS Trusts and from BHNC.  De-identified information is analysed using special software and is provided back to BHNC in identifiable form.  This information enables BHNC to focus on preventing ill health and not just the treatment of sickness. Examples of these in Bexley are:

  •  Frailty

  • Diabetes

Quality and Clinical Audit

Your information may be used within BHNC for the purpose of clinical audit, to monitor the quality of the services we provide and improve care.

Medicines Management

BHNC may conduct medicines management reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. BHNC works closely with the Bexley Clinical Commissioning Group medicines management team.

Patient and Public Involvement

If you are a member of BHNC patient participation group (PPG) information will be held about you so BHNC can keep you informed regarding the work BHNC organisation is involved in, as well as details of meetings and consultation events. When you submit your details to us for involvement purposes, we will only use your information for this purpose and you can opt out at any time by contacting Umar Sabat

Accessible Information Standard and Translation Services

In line with the Accessible Information Standard (AIS) which was introduced in July 2015, BHNC aims to ensure that people who have a disability, impairment or sensory loss receive information that they can access and understand.  For example, in large print, braille or via email or professional communication support if it is required. i.e. British Sign Language (BSL) interpreter. 

BHNC also offers translation services to support patients with their translation needs.

In both cases, this will require support from another service provider to assist with your requirements.  Organisations that provide these services may maintain small amounts of information about you, such as your name, address, contact and NHS number.

When these services are used, it will be done so with your consent and the information you provide will be handled in strict confidence in line with the data protection laws.

Your preferences for communication can be provided to BHNC and will be registered on your records.


Sometimes your information may be requested to be used for research purposes. BHNC will always gain your consent before releasing the information for this purpose.

Safeguarding Adults and Children

Sometimes, health and social care professionals may need to share information so that other people, including healthcare staff, children or other safeguarding needs are protected from risk of harm.

These circumstances are rare and we do not need your consent or agreement to do this.

People’s wellbeing is at the heart of the care and support system under the Care Act 2014 and the prevention of abuse and neglect is one of the elements identified under a person’s wellbeing.

BHNC is committed to working in partnership with local authorities and the Clinical Commissioning Group’s safeguarding team to fulfil their safeguarding responsibilities.

Care Quality Commission Access to Health Records

CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator.

This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care.

More information about the CQC can be obtained on their website here

BHNC Website

As part of the enhanced services available on the BHNC website, personal information will be gathered when accessing on-line consultation services, such as, name, address/postcode, date of birth, gender, phone number and email address.

Staff and Job Applications

When individuals apply to work at BHNC the information is used to process applications and recruit staff. Where BHNC needs to disclose information to a third party, for example, to gain a reference, or to obtain a ‘disclosure’ from the Disclosure and Barring Service, BHNC will not do so without informing the applicant beforehand, unless the disclosure is required by law.

Once a person has taken up employment BHNC will maintain an employment file. The information contained in this file will be kept secure and will only be used for purposes directly relevant to that person’s employment.

What Is The Lawful Basis For Processing Your Information

The General Data Protection Regulations 2018, (Article 6(1) (a), 6(1)(e) and  9(2)(h) legally provides BHNC the right to process your information.  The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on BHNC to promote and provide the health services in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training.


To do this we will need to process your information in accordance with current data protection legislation to:


  • Protect your vital interests

  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult

  • Perform tasks in the public’s interest

  • Deliver preventative medicine, medical diagnosis and medical research 

  • Manage the health and social care system and services


Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.

Keeping Your Information Private

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the General Data Protection Regulations, Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of practice on confidential information.

Every member of staff who works for BHNC has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation or health care service, or processes it on their behalf, has a legal and contractual duty to keep it confidential.

BHNC will not share your information with third parties without your consent unless there are exceptional circumstances, such as when the health and safety of you or others is at risk, to protect the health and wellbeing of children and vulnerable adults, or where the law requires us to do so.

Sharing Information For Your Care And Well-Being

We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care.

For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions and the medication you are taking. This will involve the use of your Summary Care Record For more information see:  

Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment.  This may include your name, address, NHS number and treatment date.  All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances such as:

  • Through a court order, where a judge has ordered that specific and relevant information should be disclosed – in such an event as preventing crime or fraud

  • When it is necessary for the reasons of public interest in the area of public health such as protecting again serious cross-border threats to health, such as a flu pandemic or rare infectious disease

  • When it is necessary to protect the vital interests of an individual to protect the safety and welfare of vulnerable children and adults

  • When there are specific lawful conditions to do so under the General Data Protection Regulations; or any subsequent data protection laws.

Caldicott Principle 7

The duty to share information can be as important as the duty to protect patient confidentiality. This means that health and social care professionals will share information in the best interest of their patients with the framework which is set out in the Caldicott principles.

Caldicott Guardian Details

All NHS organisations are required to nominate a Caldicott Guardian.  This role has the responsibility for protecting the confidentiality of patient information and enabling appropriate information sharing.

The name of BHNC Caldicott Guardian is:  Richard Money –

Setting A National Opt-Out Preference

Commissioned by the Secretary of State for Health Dame Fiona Caldicott, the National Data Guardian for Health Care (NDG) has reviewed data security and data sharing in the health and social care system. The so-called ‘Caldicott review’ provides for people to be able to make an informed choice about whether to share data or not.

Patients and public who decide they do not want their personally identifiable data used for planning and research purposes will be able to set their national opt-out preference.

As of the 25th May 2018, residents have the right to opt out of your personal confidential information being used for the following purposes.

  • Providing local services and running the NHS and social care

  • Supporting research and improving treatment of care


To set an opt-out preference, NHS Digital will offer digital (online) and non-digital national data opt-out systems.

For further information and support relating to opt-outs, please contact NHS Digital.

Exceptional circumstances

The opt-out will not apply where there is a mandatory legal requirement or an overriding public interest. These will be areas where there is a legal duty to share information (for example a fraud investigation) or an overriding public interest (for example to tackle the ebola virus).

Who Are Our Partner Organisation

Below are just some of the organisations that we may have to share your information with.  This would only be done in line with the lawful basis for sharing information under the data protection laws.

  • NHS Trusts / Foundation Trusts

  • General Practitioners

  • NHS Commissioning Support Units

  • Independent Contractors such as dentists, opticians, pharmacists

  • Private Sector Providers

  • Voluntary Sector Providers

  • Ambulance Trusts

  • Clinical Commissioning Groups

  • Social Care Services

  • NHS Digital

  • Primary Care Support England

  • Local Authorities

  • Education Services

  • Fire and Rescue Services

  • Police & Judicial Services

  • Other ‘data processors’ which you will be informed of


We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

Ways We May Communicate With You

Sharing Your Information To Improve Your Care

To be able to provide the best care for our patients a system called Connect Care was developed. A similar system called Local Care Record is used in other parts of south east London. These systems  allows GP staff, hospital staff, district nurses and other local organisations involved in your care to share important information about the people they care for. This could include checking which medications a patient is taking or a child's immunisation history.


Only authorised staff will have access to these systems on a need to know basis and the information is operated over a secure network. 


You will be asked your permission at the point of care before viewing your record.  If you are unable to give permission e.g. in an emergency, your care provider may access your record if they believe it is in your best interest.


Health providers who have access to your records will be better informed about your care and it enables faster and effective delivery of your care, without the need for sharing information by letter, email, fax or phone.


You have the right to choose not to have your information available through Connect Care and the Local Care Record. If you don’t want your information to be available through this service and want to find out how to opt-out, or want to find out how this might affect your care, visit the Connect Care web page. If you do not have access to the website, you can call 020 8836 4592 and leave your name and number for someone to contact you.

BHNC may need to contact you for a variety of reasons including to:

  • Discuss your care and treatment

  • Offer you a new appointment or alter an existing one

  • Send you a reminder of an existing appointment

  • Ask your opinion of our services

  • Tell you about other care services (such as flu jabs)

  • Arrange for transport to be provided

  • Arrange for a home visit

  • If you are a member of the patient participation group)

  • It is important to confirm your communication preferences at the time of registering. 


Our standard way to contact you is by letter or telephone.  We may also use emails and SMS text messaging. 


When BHNC uses text messaging services, no confidential information will be contained in the message; it will generally be a reminder for an appointment or care service message. 


It is important that you advise BHNC of any change of details in relation to your phone and contact details as soon as possible.


You can change your communication preferences or opt out of the SMS text service at any time by contacting the surgery.


 (Please note: Changes of address must be done in writing or in person and will not be taken over the telephone)


Contact that is made to and from BHNC from an individual’s private email account, are not secure.  Any patient or service user using this method, do so at their own risk (however small).

How Do I Gain Access To My Personal Information

You have a right to request access to view or to obtain copies of what information the BHNC holds about you and to have it amended should it be inaccurate. You are able to either view or receive copies of records held in electronic or paper format.

This type of request is known as a ‘Subject Access Request’ (SAR) and can be made in writing to BHNC via email or post. For information from the hospital you will need to write direct to them.  In special circumstances your right to see some details in your health records may be limited, to protect you and others mentioned in your records from harm, and to

maintain the confidentiality of others.

Under the Data Protection laws BHNC are required to respond to your request within 30 days.  You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

No fee will be charged for this service, unless a request is manifestly unfounded, excessive or repetitive.


Other Additional Information Rights

As well as the right to have access to your personal information, under the data protection laws of 2018, individuals also have:


  • the right to be informed (Through this privacy notice and other methods of communication)

  • the right for information to be rectified

  • the right to erasure

  • the right to restrict processing

  • the right to portability

  • rights in relation to automated decision making and profiling

There are various exception and circumstances where your request may be refused and therefore individuals should always consult with Umar Sabat <> when making a request under your individual rights.

Can I Access The Records Of My Children

You may be able to access the records of your child/children.  However, if a clinician has stated that he/she believes your child/children to be competent to make their own decisions, then you will not have an automatic right of access. If this is the case, any requests for copies of your child’s records will need to be with the consent of your child/children.

As above, there may be legal exceptions when it will not be appropriate or possible to obtain information, such as safeguarding or a court order.

To apply for access, please use the procedure above.

To carry out your rights or request a copy of your information please contact Umar Sabat <>.

How Long Do We Keep Your Information

Medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at:

Transfer Of Information Outside The European Union To Third Countries Or International Organisations There are legal restrictions imposed on health and care organisations regarding the transfer of personal data outside the European Union, to third countries or international organisations.  BHNC does not share or transfer information outside of the European Union, to third countries or international organisations.

Personal Data Breaches

All organisations that process personal data have a duty to report certain types of personal data breach to the Information Commissioners Office within 72 hours of an incident occurring.

What To Do If You Have Any Questions

Should you have any concerns about how your information is managed at BHNC please contact Umar Sabat <>.

If you are still unhappy following a review by BHNC, you can contact NHS England or the Information Commissioners Office.

NHS England leads the National Health Service (NHS) in England and set the priorities and direction of the NHS and encourages and informs the national debate to improve healthcare.  The NHS England website provides information on how to provide your feedback or make a complaint.

The Information Commissioners Office is a UK independent body which has been established to uphold information rights for individuals.