This website uses cookies to function correctly.
You may delete cookies at any time but doing so may result in some parts of the site not working correctly.

Fair Processing Notice

The Clanfield Practice – Enhanced Fair Processing Notice (Privacy Notice)

Your Personal Information – what you need to know

Who we are and what we do


The Clanfield Practice is responsible for providing Primary care services for the local population. Website:

Coronavirus (COVID-19) pandemic and your information

The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.

The ICO also recognise that 'Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.'

The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.

In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the Covid-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.

Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs.

The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2020 unless a further extension is required. Any further extension will be will be provided in writing and we will communicate the same to you.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

 How we look after your personal information during the Covid-19 pandemic when staff work from home.

In accordance with government guidance and in order to protect the health and safety of our staff during this difficult period we will be requiring members of staff to work from home.

This means that staff may have access to any necessary personal and/or medical information in order to look after your healthcare needs.

We would like to assure you that our staff will be subject to all relevant security procedures and policies of the Practice to ensure that any information is kept safe, secure and confidential at all times.

 If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice. 

Using your information



In order to support your care, health professionals maintain records about you. We take great care to ensure your information is kept securely, that it is up to date, it is accurate and used appropriately.  All of our Practice staff are fully trained to understand their legal and professional obligations to protect your information and will only look at your information if they need to.  They will only look at what they need to in order to do things like book you an appointment, give general health advice, provide you with care and if necessary refer you to other services.



We collect staff personal confidential information for personnel purposes. This may include, name date of birth, address, health related information, bank details, other correspondence.


What kind of information do we use?


As a General Practice we hold information about our patients and staff including medical records, complaints and concerns, and personnel records. The information they contain include;


  • Your name, address, your date of birth, your NHS number and contact details
  • Next of kin
  • What treatment you have received and where you received it – consultation information
  • Results of investigations, like laboratory tests, x-rays etc.
  • Referrals, communications regarding your care in other organisations
  • Communications from you including concerns or complaints you have raised about your health care provision
  • Staff records, including personal confidential details, health and disciplinary records


What do we use your Personal Confidential Data for?


The areas where we regularly use your personal confidential information include:


  • For your direct care needs
  • Responding to your queries, compliments or concerns
  • Where there is a provision permitting the use of confidential personal information under specific conditions, for example to:

    • understand the local population needs and plan for future requirements, which is known as “Risk Stratification for commissioning"


  • To maintain staff records

We may share your information with other organisations


We may share pseudonymised, anonymised and aggregated statistical information with other organisations for the purpose of improving local services, research, audit and public health; for example understanding how health conditions spread across our local area compared against other areas.


We do not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission; consented
  • We need to act to protect children and vulnerable adults;
  • When a formal court order has been served upon us;
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals
  • To check the quality and efficiency of the health services we provide
  • Prepare performance reports on the services we provide
  • Work out what illnesses people may have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future

The law provides some NHS bodies, particularly NHS Digital, (formally the Health and Social Care Information Centre) ways of collecting and using patient data that cannot identify a person to help Commissioners to design and procure the combination of services that best suit the population they serve.

A full list of details including the legal basis, any Data Processor involvement and the purposes for processing information can be found in Appendix A.

What safeguards are in place to ensure data that identifies you, our patient, is secure?

We only use information that may identify you in accordance with the General Data Protection Regulation 2016. The Data Protection Regulation requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice:

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).


We ensure external organisations that process data and support us are legally and contractually bound to operate and proven security arrangements are in place where data that could or does identify a person are processed.


The practice has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. The contact details of our Caldicott Guardian are as follows:


Caldicott Guardian – Dr Rupert Crispin, GP Partner


 How long do we hold information for?


All records held by the practice will be kept for the duration specified by national guidance from Information Governance Alliance,


You have a right to opt out of data sharing and processing


The NHS Constitution states ‘You have a right to request that your personal confidential information is not used beyond your own care and treatment and to have your objections considered’. For further information please visit:


National Data Opt Out Programme

Your health and care information is used to improve your individual care. It is also used to help research new treatments, decide where to put GP clinics and plan for the number of doctors and nurses in your local hospital. Wherever possible data is used that does not identify you, but sometimes it is necessary to use your confidential patient information.

From April 2020 all NHS organisations are required to be compliant with the National Data Opt-out Programme.  After this date, the programme of opting out will not be held by the practice and if you do not express a preference, your confidential patient data may subsequently be used for research and planning purposes.  If you do not want your data to be used for this purpose, you need to register your preference on the National Data Opt-out website at:

There may still be times when your confidential patient information could be used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

To find out more or to make your choice visit the NHS Data Matters website at: or call 0300 303 5678.    

More information is available on NHS Digital Your personal information choices.


Your GP surgery and NHS Digital takes the responsibility for looking after care information very seriously. Please follow the NHS Digital links on how we look after information for more detailed documentation.

NHS England recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Follow the links on the How we use your information page for more details.


Gaining access to the data we hold about you


If you wish to have sight of, or obtain copies of your own personal health care records you will need to apply to the Practice Manager, the hospital or any other NHS Organisation which has provided your health care.


  • View this or request copies of the records by making a subject access request.
  • Request information is corrected
  • Have the information updated where it is no longer accurate
  • Ask us to stop processing information about you where we are not required to do so by law


Everyone has the right to see, or have a copy of information that is held about them. If you want to access your data you must make the request preferably in writing to the Practice. Under special circumstances, some information may be withheld.


Please note that you can also access your personal medical information using the Patient Access online portal, and print off any documentation you require. To do this you will need to come to the surgery with photographic id.  Please see the section of our website which explains this.


What is the right to know?


The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any information that the practice holds, that does not fall under an exemption.  You may not ask for information that is covered by the Data Protection Act under FOIA. However you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’. 


Your request must be in writing and can be either posted or emailed to:



The Clanfield Practice, 2 White Dirt Lane, Clanfield, Hants PO8 0QL


Information Commissioners Office


The Clanfield Practice ICO Number Z8562717


For independent advice about data protection, privacy, data sharing issues and your rights you can contact:


Information Commissioner’s Office

Wycliffe House,

Water Lane,




Telephone: 0303 123 1113 (local rate) or 01625 545 745


Email: or Visit the ICO website. 


Complaints or questions


We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. The practice complaints procedure can be found on our website.


Please direct all complaints to the Practice Manager, Julie Craig.


Links to other websites


This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.


Changes to this privacy notice


We keep our privacy notice under regular review. This Fair Processing notice was last updated in February 2019.


Definitions of information/data:


  • Data Processor – An organisation or body that processors, reviews, updates or amends, or stores information about individuals.


  • Data Controller – An organisation or body that determines the purposes for which and the manner in which any personal data are processed.


  • Personal Confidential Information – this term describes personal information or data about identified or identifiable individuals, which should be kept private or secret. For the purposes of this notice ‘personal’ includes the Data Protection Act definition of personal data, but it is adapted to include deceased as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.


  • Pseudonymised – this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.


  • Anonymised – this is data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified


  • Aggregated – anonymised information that is grouped together so that it doesn’t identify individuals 

Appendix A

Who we share your information with and why



Clinical Commissioning Group

Purpose – Anonymous information is shared to plan and design care services within the locality.


Legal Basis – non identifiable data only.


Data Processor – Fareham & Gosport & SE Hants CCG

Individual Funding Requests – The CSU

Purpose – We may need to share your information with the IFR team for the funding of treatment that is not normally covered in the standard contract.


Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this.


Data processor – We ask NHS South, Central and West Commissioning Support Unit (CSU) to do this on our behalf.

Summary Care Records


Purpose – limited Personal identifiable data is shared with the Summary Care Record to help Healthcare Proffesionals help you when you contact them when the surgery is closed; or when you visit a healthcare organisation in another part of the country.


Legal Basis – This is for your direct care and in an emergency – you can opt out of your record being shared.


Data Processor – Central NHS database.


Purpose – To provide Healthcare Professionals with complete, accurate and up to date information. This information comes from a variety of sources including GP practices, community providers, acute hospitals and social care providers.  CHIE is used by GP out of hours, acute hospital doctors, ambulance service, GPs and others on caring for patients – you may opt out of having your information shared on this system. 


Legal Basis – This service is for your direct care and in an emergency.


Data Processor – NHS SCW.


Purpose – Is a database used for analysing trends in population health in order to identify better ways of treating patients.   CHIA is a physically separate database, which receives some data from CHIE.  Prior to this transfer from CHIE to CHIA patient identifiers are removed from the data.  This includes names, initials, addresses, dates of birth and postcodes.  NHS numbers are encrypted in the extract and cannot be read.  This process is called ‘pseudonymisation’.  This subset of data does not include information typed in by hand, so there is no possibility of it containing references to family members or other people.  It contains only coded entries for things like allergies and prescribed drugs.  It is not possible to identify any patient by looking at the ‘pseudonymised’ data on the CHIA database.  People who have access to CHIA do not have access to CHIE.  Data in CHIA is used  to plan how health and care services will be delivered in  future, based on what types of diseases are being recorded and how many are being referred to hospital etc.  Data is also used to help research into new treatments for diseases.


Legal basis – You can opt out of this service


Data processor – NHS SCW

Other GP practices within Fareham & Gosport and SE Hants CCG in relation to the GP Extended Access Service (GPEA)


Purpose -   We will enable other GPs and staff in other GP practices to have access to your medical record to allow you to receive acute medical care within that service.


Legal Basis – this service is for your direct care and is fully consented, permission to share your medical record will be gained prior to an appointment being made in the service and again once you are in the consultation.


Data processor – Your registered surgery will continue to be responsible for your full medical record.

Community Nursing -

Complex Care Team

Diabetes Team

Home Visiting Service

Leg Ulcer Service

Heart Failure Service

Multi-Disciplinary Team

District Nurses




Purpose - We will enable the Community Nursing Team to have access to your medical record to allow you to receive care from the community nurses for the services listed.


Legal Basis – these services are for your direct care and is fully consented, permission to share your medical record will be gained prior to an appointment being made in the service


Data processor – Your registered surgery will continue to be responsible for your full medical record.

Pharmacists from the CCG

Purpose – to provide monitoring and advice in line with the national directive for prescribing. Anonymous data is collected by the CCG.


Legal Basis – direct care.


Data Processor – Fareham & Gosport and SE Hants CCG.

MASH – Multi Agency Safeguarding Board - Safeguarding Children

Safeguarding Adults

Purpose – We share information with health and social care authorities for safeguarding issues.


Legal Basis - Because of public Interest issues, e.g. to protect the safety and welfare of Safeguarding we will rely on a statutory basis rather than consent to share information for this use.


Data Processor – Multi Agency Safeguarding Authorities.

Risk Stratification

Purpose – Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.


Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected from GP practice record systems.


GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.


Legal Basis - Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority


NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable hospital admissions and to promote quality improvement in GP practices.


Data Processors – NHS South, Central and West Commissioning Support Unit (CSU) to assist us with providing Risk Stratification tools.


Data Processing activities for Risk Stratification – The GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number.


Opting Out - If you do not wish information about you to be included in our risk stratification programme, please contact the GP Practice. They can add a code to your records that will stop your information from being used for this purpose.  Further information about risk stratification is available from:

Quality monitoring, concerns and serious incidents

Purpose – We need to ensure that the health services you receive are safe, effective and of excellent quality. Sometimes concerns are raised about the care provided or an incident has happened that we need to investigate.  You may not have made a complaint to us directly but the health care professional looking after you may decide that we need to know in order to help make improvements.


Legal Basis – The health care professional raising the concern or reporting the incident should make every attempt to talk to you about this and gain your consent to share information about you with us. Sometimes they can do this without telling us who you are.  We have a statutory duty under the Health and Social Care Act 2012, Part 1, Section 26, in securing continuous improvement in the quality of services provided.


Data processor – We share your information with health care professionals that may include details of the care you have received and any concerns about that care. In order to look into these concerns we may need to talk to other organisations such as Fareham & Gosport and SE Hants CCG as well as other Public bodies and Government agencies such as NHS Improvement, the Care Quality Commission, NHS England as well as the providers of your care.

Commissioning, planning, contract monitoring and evaluation

Purpose – We share aggregated, anonymous, patient data about services we have provided.


Legal Basis - Our legal basis for collecting and processing information for this purpose is statutory.   We set our reporting requirements as part of our contracts with NHS service providers and do not ask them to give us identifiable data about you. 


If patient level data was required for clarity and extensive evaluation of a service, consent will be gained for the surgery to share this information.


Data Processor – Various organisations, CCG, third party organisations commissioned by the NHS to perform actuarial services, NHS England


eConsult – online consultation

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.


Care Quality Commission

CQC has powers under the Health and Social Care Act 2008 to access and use information where they consider it is necessary to carry out their functions as a regulator.

CQC relies on its legal powers to access information rather than consent, therefore may use its powers to access records even in cases where objections have been raised.

CQC Privacy Notice is available on the CQC website

Surveys and asking for your feedback

Sometimes we may offer you the opportunity to take part in a survey that the practice is running. We will not generally ask you to give us any personal confidential information as part of any survey. 


Legal Basis – you are under no obligation to take part and where you do, we consider your participation as consent to hold and use the responses you give us.


Data Processor – Survey Monkey, We love surveys


Purpose - To support research oriented proposals and activities in our commissioning system


Legal Basis - Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research. If this is not possible then the organisation wishing to use your information will need to seek formal approval from The Independent Group Advising on the Release of Data (IGARD) Digital NHS UK - IGARD

We may write to you offering you the opportunity to take part in research, for which your consent will be sought.


Purpose - To support disease monitoring and health prevention for specific patients


Legal Basis - Your consent is sought either implicitly or explicitly. You are invited to be screened either by the practice or the screening provider directly.  You can choose to consent or dissent at any point in the screening.

Hampshire County Council

Purpose - To support disease monitoring and health prevention for specific patients


Legal Basis - Your consent is sought either implicitly or explicitly. You are invited to be screened either by the practice or the screening provider directly.  You can choose to consent or dissent at any point in the screening.

Continence and Stoma Service

Purpose – Improve patient care and provide better value and efficiencies, reduce waste.


Legal Basis - Your consent is sought explicitly. You can choose to consent or dissent at any point.

Other organisations who provide support services for us

Purpose - The Practice may use the services of additional organisations (other than those listed above), who will provide additional expertise to support the Practice.


Legal Basis - We have entered into contracts with other organisations to provide some services for us or on our behalf.


Confidential – Restore Datashred provide confidential waste destruction services


Restore for the storage and transfer of patient notes


NHS England use City Sprint to transfer medical records


i-Talk Counselling service


 For more information please follow click on the click:

NHS England Fair Processing

Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website