Privacy Notice – Your Data




In order to comply with data protection legislation – specifically Data Protection Act 2018 and the UK General Data Protection Regulation - this notice has been designed to inform you of what you need to know about the personal information we process. This is your assurance that we are complying with our legal obligation to you and a good opportunity for you to understand or exercise your information rights.

We are legally required to tell you:

  • What personal information we use
  • Why we need your personal information
  • The lawful basis for processing your personal information i.e. legitimate reasons for collecting, keeping, using and sharing it.
  • How we use, store, protect and dispose of your personal information
  • How long we keep it for and who we may share it with
  • About your information rights
  • How to report a complaint or concern

About Us

Haringey GP Federation is regulated by the Care Quality Commission and registered with the Information Commissioner’s Office as a Data Processor.

We are registered to the Information Commissioner’s Office. Registration number: ZA208551

If you have any questions or wish to make a request in relation to your information, please contact our Data Protection Officer.


Your Personal Information

When we say personal information, we are referring to any information that can identify a specific person, either on its own or together with other information. The obvious examples are name, address and date of birth; however, this could include other forms for data, such as email address, car registration, specific physical feature, NHS number, pictures, images and so forth.

Most of the personal information we process is confidential or sensitive because of the nature of our business activities (health and social care). This could be used in a discriminatory way and is likely to be of a private nature, so greater care is needed to ensure this is processed securely. Confidential or sensitive information includes the racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, Trade Union membership, physical or mental health or condition, sexual life, commission, alleged commission of or proceeding for any offence.

Anonymised data is not personal information. This is any information that cannot reasonably identify you, so it cannot be personal, confidential or sensitive. Anonymisation requires the removal of personal information that might identify you. This process allows personal information to be converted.

The personal information we collect may be used for any of the following specific purposes:

  • Health care for patients – diagnosis, treatment and referral
  • Accounting, financial management and auditing
  • Education and training
  • Consultancy and Advisory services
  • Human resources and staff administration
  • Recruitment candidate management
  • Crime prevention and prosecution
  • Health administration and services management
  • Business activity information and databank administration
  • Contractual arrangements for data processing by third parties
  • Occupational Health referrals
  • Research, national surveys
  • Security services e.g CCTV monitoring, confidentiality audits

Without your personal information, we cannot:

  • Direct, manage and deliver the health care you may require
  • Ensure we have accurate and up to date information to assess and provide what you require
  • Provide the appropriate level of assistance or adequate guidance
  • Refer you to a specialist or another service
  • Protect the general public or promote public health
  • Manage, develop or improve our services
  • Investigate complaints or proceed with legal actions for claims
  • Employ you to join our workforce
  • Procure products and services
  • Commission business activities
  • Comply with a court order
  • Comply with regulatory requirements
  • Meet some of our legal obligations
  • Compile statistics to review our performance
  • Educate and train our workforce
  • Undertake clinical trials and research studies you have consented to
  • Complete occupational health checks you have consented to
  • Keep you and other service users safe on our premises
  • Lawful Basis for Processing your Personal Information

We do not rely on consent to use your personal information as a ‘lawful basis for processing’ regarding using your information for healthcare instead follow guidance issued by the British Medical Association (BMA).

There is not generally a legal requirement to provide us with information, however without your information some care services may not be available to you.

We use services which process data in the UK and the EEA. Where we process your data in countries without a decision of adequacy from the UK Information Commissioner, we put in place additional safeguards to ensure that your data is treated safely and securely.

We rely on the following specific provisions under Articles 6 (Lawful Processing) and 9 (Processing of Special Categories of Personal Data) of the GDPR: 

For your personal information

  • Article 6 (1c) ‘processing is necessary for compliance with a legal obligation…’
  • Article 6 (1e) ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’  

For your special category information

  • Article 9 (2b) ‘…for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’ Article 9 (2h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’ 
  • Article 9 (2i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Please note: You have the right to say ‘NO’ (right to object) to our use of your personal information but this may have an impact on our ability to provide appropriate care or services. Please speak to a member of the Practice or our Data Protection Officer.

We never use your personal information for advertising, marketing and public relations or insurance purposes without your consent.

Retention and Disposal of Personal Information Your personal information may be written down (manual), digitised or held on computers (electronic) centrally within or outside of the Practice. These may be paper records, scans, photographs, slides, CCTV images, microform (i.e. fiche/film), audio, video, emails, computerised records on IT systems, or scanned documents etc. which we process securely in accordance with data protection legislation and store in conjunction with the Records Management code of Practice.


Keeping your Personal Information Safe

We are committed to keeping your information secure and have operational policies, procedures and technical measures in place to protect your information whether it is in a hardcopy, digital or electronic format.

Mandatory training and regular audits are in place to ensure that only authorised personnel with the absolutely necessary need to know your personal information can use it.

When there are data protection breaches (for example – unauthorised access, inappropriate use, failure to secure and keep personal information secure or accurate), these are reported and investigated, with appropriate action (disciplinary, legal, lessons learned, re-training etc.) taken.


Sharing Personal Information

We may need to share your personal information with another organisation e.g. NHS organisations, general practices, the Integrated Care Board, health and social care organisations, public bodies (Social Services, Probation Service, Police, Regulatory Authorities) or third party providers commissioned to process personal information on our behalf.

We are also authorised to process personal data on behalf of GP practices in Haringey.

This is because of our duty to share which is equally as important as our duty of confidentiality. We may also share your personal information for planning services across the NHS. This is vital to delivering better healthcare and improving our services.


How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments 
  • preventing illness and diseases 
  • monitoring safety 
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit NHS Your Data Matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at the websites below:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Our organisation is compliant with the national data opt-out policy.


How we locally use Information

We use a joined-up health and care record system across London called the London Care Record (LCR) to help practitioners deliver the best care to patients. 

We are part of the North Central London Integrated Care System which brings together health and social care providers such as doctors, NHS trusts, local authorities and the Integrated Care Board to ensure joined-up delivery across the region.

A digital platform (HealtheIntent) is also used to help provide more proactive care to residents and communities of North Central London. It helps highlight trends, concerns or gaps in care and helps us to address these.

Fuller details of these and detailed privacy notices 

You have the right to say no and opt-out of the sharing of your health and care record with the London Care Record and the HealtheIntent platform. Visit their website to find out more.

We also use information to help us plan future healthcare, identify wider population issues and concerns, and assess interventions. This is commonly called “secondary use” and we have an authorisation under Section 251 of the NHS Act 2006 for the purpose. You have the right to say no and opt-out of this data use; please visit their website to find out more.


Your Information Rights

You have the right to:

Be informed about the processing of your personal information by Haringey GP Federation (done through this notice)

  • Access the information we hold about you (paper, digital or electronic copies)
  • Ask us to correct or complete your personal information
  • Ask us to erase your personal information under certain circumstances, if we do not have a lawful basis to process it
  • Ask us to restrict the processing of your personal information under certain circumstances
  • Ask us not to process your personal information
  • Ask us not to use your personal information for public interests, direct marketing, profiling, research or statistical purposes
  • Receive a response to your access or change request within a calendar month

Requests for information

Please complete a Request for Access to Records request via the secure form.

We will require proof of identity before we can disclose any personal information. You can also email or write to us directly at the addresses noted above.


Report Complaint or Concern

We try to meet the highest standards when processing personal information. You should let us know when we get something wrong. Please use our secure online form. You can also email or write to us directly at the addresses noted above.

We employ an independent Data Protection Officer (DPO). The role of our DPO is to examine our information handling practices and ensure we operate within the law.

These services are provided by Steve Durbin. He can be contacted on He can only assist with complaints about your personal information. 

All other complaints can be directed to Cassie Williams, Chief Executive Officer, Haringey GP Federation by emailing or by telephoning 020 3074 2710

If you want to make a complaint to the commissioner you will need to contact North Central London Integrated Care Board.

  • Telephone: 020 3198 9743
  • E-mail:  
  • Post: North Central London Integrated Care Board, Complaints Team, Laycock PDC, Laycock Street, London N1 1TH

Last updated Nov 2023

To request a copy of the full data privacy notice, please contact us via our secure online form.