Privacy notice

As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.

Our data protection officer is: Jacqueline Williams

The organisation confirms your data will be processed in accordance with DPA18. Further details can be found here: UK GDPR Policy

Medical research

St Gabriel’s Medical Centre shares information from medical records:

  • to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
  • we will also use your medical records to carry out research within the practice.

This is important because:

  • the use of information from GP medical records is very useful in developing new treatments and medicines;
  • medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with medical research organisations with your explicit consent or when the law allows.

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.

EWH Appointment Info

When you are offered an appointment at one of the Bury GP Federation Extended Access Hubs outside of the Practices normal opening hours, you will be asked for your consent to share your medical records with the healthcare staff working in the service.

Without this consent, you will not be able to be seen at one of the GP Hubs as the healthcare staff would not have access to your medical records.

You will then need to wait for the next available appointment at your registered Practice.

Full details of how and when your records will be shared are available here:

General Practice Transparency Notice for GPES Data for Pandemic Planning and Research (COVID-19)

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.

Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

National Data Opt-Out

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.

Your rights over your personal data

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:

How We Use Your Personal Information

Fair Processing/Privacy Notice

This fair processing notice explains why the practice collects information about you and how that information may be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. Hospital, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice hold about you may include the following information;

  • Details about you, such as your address, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you

Your records will be retained in accordance with the NHS Code of Practice for Records Management

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulation (GDPR)
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information Security
  • Information: To Share or Not to Share Review (click here to read further information about this)

Every member of staff who works for the Practice or another NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any 3rd party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on for example Child/Adult Protection and Serious Criminal Activity.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations or receive information from the following organisations:-

  • NHS England for Research and Planning Purposes*
  • GPs
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS Digital
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of

*For more information on the national data opt-out, please visit will be informed who your data will be shared with and in some cases asked for explicit consent for this happen when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

Access to personal information

You have a right under the Data Protection Act to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

• Your request must be made in writing to the GP – for information from the hospital you should write direct to them
• There may be a charge to have a copy of the information held about you if you make more than two requests within a six month period
• We are required to respond to you within 30 days
• You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located

Objections* / Complaints

Should you have any concerns about how your information is managed at the GP, please contact the Practice Director. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via their website (


Change of Details

It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.


GDPR requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

This information is publicly available on the Information Commissioners Office website

The practice is registered with the Information Commissioners Office (ICO).

Who is the Data Controller?

The GP Partners of St Gabriel’s are the Data Controllers and are responsible for keeping your information secure and confidential.

GP Connect Transparency Notice


GP Connect helps clinicians gain access to GP patient records during interactions away from a patient’s registered practice and makes their medical information available to appropriate health and social care professionals when and where they need it, to support the patient’s direct care.

From a privacy, confidentiality and data protection perspective, GP Connect provides a method of secure information transfer and reduces the need to use less secure or less efficient methods of transferring information, such as email or telephone.

GP Connect – key points

  • GP Connect can only be used for direct care purposes
  • Individuals can opt out of their GP patient record being  shared via GP Connect by contacting their GP practice
  • Access to GP Connect is governed by role-based access control (RBAC) and organisational controls; only people who need to see the GP patient record for a patient’s direct care should be able to see it
  • All organisations using GP Connect must comply with the National Data Sharing Arrangement (NDSA) and end-user agreement that sets out their responsibilities and obligations
  • All individuals who have access to the GP patient record using GP Connect must agree to terms and conditions of use
  • All systems that allow the use of GP Connect must undergo a robust compliance process and the organisations involved must sign a connection agreement holding them to high standards of information security

GP Connect is for direct care use only

GP Connect products can help health and social care professionals share, view or act on information that could be required for a patient’s direct care, but they would otherwise have difficulty accessing easily (for example if they are using different IT systems).

Organisations can have access to relevant information in GP patient records to provide direct care to patients only.

To be granted access to GP patient records organisations must:

Type of organisations that use GP Connect

Examples of organisations that may wish to use GP connect to view GP patient records include:

  • GP surgeries that patients are not registered at – for example, if they need to see a doctor when they are away from home
  • secondary care (hospitals) if they need to attend A&E or are having an operation
  • GP hubs/primary care networks (PCNs)/integrated care systems (ICSs), partnerships between healthcare providers and local authorities
  • local ‘shared care‘ record systems
  • ambulance trusts, so paramedics can view GP patient records in an emergency
  • healthcare professionals such as community services
  • acute and emergency care service providers
  • NHS 111
  • pharmacies
  • optometrists
  • dentistry
  • mental health trusts
  • hospices
  • adult and children’s social care
  • care and nursing homes

Details regarding how GP Connect can be used in various care settings can be found at NHS England’s GP Connect in your organisation pages.

All access to your GP patient record is stored within an audit trail at your GP practice and within the organisation that information has been shared with.

Details of the data held within the audit trail can be found in Appendix 1.

Who uses GP Connect

We have developed a GP Connect Data Transparency Portal where further information on which health care settings use GP Connect and the reason why this organisation is using a particular product.

Any new GP Connect users will need to agree to the terms of the products they intend to start using, and will be listed on these web pages.

GP Connect can work in different ways, depending on how it has been set up in a particular area.

Organisations using GP Connect are described as ‘Providers’ and ‘Consumers’, depending on the capacity in which they are acting.

Provider is a GP practice that makes available GP patient records via the GP Connect service.

Consumer is an organisation providing health and social care, which accesses the GP patient record made available by Providers for the purpose of direct care.

The GP Connect Products

A real life example

A patient with complex medical needs can call NHS 111 with a suspected infection, have their record triaged by an NHS 111 clinician (Access Record), get themselves an appointment with their local out of hours service, attend the appointment (Appointment Management)  and have antibiotics prescribed and information regarding their encounter can be sent in a PDF back to their registered GP to be added to the patient record, (Send Document) where the information will then be available the next time someone uses an Access Record product.

In the future, the information will be able to be auto-ingested into the GP Patient record (subject to extensive engagement with the GP profession) removing the burden on general practice in digesting the PDFs from Send Document we call this Update Record .

GP Connect: Access record

GP Connect: Access Record allows authorised clinicians to access GP patient records held on their practice system. Access Record has two methods of retrieving information:

  1. Access Record: HTML enables a read-only view of a patient record which can be viewed within another care setting via an accredited system or application.
  2. Access Record: Structured provides access to ‘sections’ of a patient record in a structured format.

GP Connect: Send Document

GP Connect: Send Document provides a simple way of updating a GP patient record. It sends a summary of a consultation in a document format to the patient’s registered GP practices that can be read and added to the GP patient record

GP Connect: Appointment Management

GP Connect: Appointment Management allows organisations to book appointments on behalf of a patient directly into their registered practice or another care setting within their primary care network.

Appendix 2 shows in more detail what data is used for each product.


Confidentiality and trust are essential to the relationship between GPs and their patients.

The information a patient provides to their GP is confidential, and they can expect that any information that is shared for their direct care will remain confidential.

GP Connect relies on ‘implied consent’.

Explicit consent is not required when information is shared for a direct care purpose. If a patient does not want their information to be shared using GP Connect, they can opt out.

The NDSA and its terms and conditions stipulate that any information received or accessed about a patient for direct care purposes must remain confidential.

In addition to the NDSA, health and social care professionals are also subject to their own professional codes of confidentiality and are aware that any information received via GP Connect is provided in confidence, which must be respected.

Organisations using GP Connect are notified of their duty as ‘controllers’ to be fair and transparent about their processing of their patients’ information and to ensure that their transparency notices are fully updated with how they may be using GP Connect functionality.

NHS England helps support the mitigation of information sharing risks by ensuring that:

  • NHS England audit data access is subject to two-factor authentication and role-based access controls – only certain assured users can have access to the full audit logs
  • a completed Supplier Conformance Assessment List (SCAL) which covers service and capability specific compliance requirements and controls of the consumer system is in place

It is the responsibility of organisations using GP Connect to ensure that they comply with the NDSA, and their statutory and legal obligations regarding data protection and confidentiality.

Data rights

Under the legal basis used for GP Connect, patients have the following rights:

The right to be informed – patients have the right to be informed of how their data is being processed. This should be reflected in the patient’s GP practice privacy notice.

The right to object – patients have the right to object to their data being used in this way. If patients do not wish for their data to be shared, they should contact their GP practice.

The right of access – in addition to the right for copies of their information, patients also have other rights, including the rights:

  • to be advised of the reasons why their data is being shared in this way
  • to know what data is being shared
  • to know who it has been shared with

The right to rectification – if patients find that the data that has been shared is factually incorrect, they have the right to request that this is corrected.

The right to restrict processing – Patients have the right to request processing is stopped, whilst either an objection is processed, or they are awaiting rectification of data.

More information regarding data rights available from an organisation that has shared or viewed a patient’s data can be found within that organisation’s privacy notice.

Opting out of GP Connect

If patients do not wish their information to be shared using GP Connect, they can opt out by contacting their GP practice.

National Data Opt-out

The National Data Opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.

The National Data Opt-out only applies to any disclosure of data for purposes beyond direct care, so having National Data Opt-out will not prevent your GP patient record being shared via GP Connect.


Date published: 20th September, 2023
Date last updated: 7th June, 2024