Privacy Notice Adults

What is a ‘privacy notice?’

A ‘privacy notice’ is a statement issued by an organisation which explains how personal and confidential information about patients, service users, staff and visitors is collected, used and shared. This may also be called a privacy statement, fair-processing statement or privacy policy. This privacy notice is issued by Mulberry Surgery as a healthcare provider, and covers the information we hold about our patients and other individuals that may use our services. A separate privacy notice is available for information we collect about staff as part of our responsibilities as an employer.


Who are we and what do we do?

Mulberry Surgery is a small General Practice Partnership providing healthcare services to 6500 patients, across 2 sites, in the Portswood and Highfield areas of Southampton.

Our vision is to deliver excellent person-centred care based on:

  • Compassion
  • Openness
  • Respect
  • Accountability
  • Safety

We are governed and monitored by a number of different organisations, including:

  • NHS England
  • Southampton City Clinical Commissioning Group
  • Public Health England
  • Southampton City Council Public Health
  • Care Quality Commission
  • Department of Health

Our GPs and nurses are also regulated and governed by professional bodies and numerous royal colleges.


Why have we issued this privacy notice for our patients and service users?

By issuing this privacy notice, we demonstrate our commitment to openness and accountability.

We recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties, including compliance with the following:

  • Data Protection Act 1998
  • Human Rights Act 1998
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health and Social Care Act 2012, 2015
  • Public Records Act 1958
  • Copyright Design and Patents Act 1988
  • Re-Use of Public Sector Information Regs 2004
  • Computer Misuse Act 1990
  • Common Law Duty of Confidentiality
  • NHS Care Records Guarantee for England
  • Social Care Records Guarantee for England
  • International information Security Standards
  • Information Security Code of Practice
  • Records Management Code of Practice
  • Accessible Information Standards
  • General Data Protection Regulations 2018

Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules. We will not sell your information for any purpose, and will not provide third parties with your information for the purpose of marketing or sales.


What information do we collect?

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously or elsewhere (e.g. NHS Hospital Trust, other GP Surgery, Out of Hours GP Centre, A&E, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both, and a combination of working practices and technology are used to ensure that your information is kept confidential and secure. Records held by this GP Practice may include the following information:

  • Personal details, including name, address, telephone, email, date of birth and next of kin
  • Any contact we have had with you through records of appointments, attendances and home visits
  • Details and records of treatment and care, notes and reports about your health including any allergies and health conditions, medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care
  • Other relevant information from people who care for you and know you well such as health professionals, relatives and carers

We may also collect other information about you such as your sexuality, race or ethnic origin, religious or other beliefs and whether you have a disability or require any additional support with appointments such as interpreters or advocates.


Why do we collect your information?

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare.

We collect and hold data for the sole purpose of providing healthcare services to our patients. In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or in digital form. The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health and information such as outcomes of needs assessments


How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the General Data Protection Regulations 2018 and the Data protection Act 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.

All your GP NHS health records are kept electronically. Our GP records database is hosted by TPP Systmone, who are acting as data processors, and all information is stored on their secure servers in Leeds, is protected by appropriate security, and access is restricted to authorised personnel

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff has access to personal information where it is appropriate to their role and is strictly on a need-to-know basis.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

We also make sure that data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. We only email you, or use your mobile number to text you, regarding matters of medical care, such as appointment reminders and (if appropriate) test results.

Unless you have separately given us your explicit consent, we will not email you for non-medical matters (such as surgery newsletters and other information)


How do we use your information and why is this important?

Confidential patient data will be shared within the healthcare team at the practice, including nursing staff, admin staff, secretaries and receptionists, and with other healthcare professionals to whom a patient is referred. We will always inform you if a referral is to me made and you always have the right not to be referred in this way. Those individuals have a professional and contractual duty of confidentiality.

We use your information to ensure that:

  • The right decisions are made about your care
  • Your treatment is safe and effective
  • We can work well with other organisations that may be involved in your care

This is important because having accurate and up-to-date information will assist us in providing you with the best possible care

 This GP Practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that information is kept confidential. We can disclose personal information if:

  • It is required by law
  • You consent – either implicitly for the sake of your own care or explicitly for other purposes
  • It is justified in the public interest

Some of this information will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified.

On some occasions it may be necessary to undertake clinical audits of records to ensure that the best possible care has been provided to you or to prevent the spread of infectious disease, wherever possible this will be done in anonymised form.

As a Practice we undertake accredited research projects. Where this involves accessing identifiable patient information, we will only do so with the explicit consent of the individual and Research Ethics Committee approval. Your information will not be passed on to any Research term without your approval and the majority of mailouts are conducted from the practice with only anonymised information being shared with the research team. It is then your choice as to whether you want to be actively involved in such projects.

We are not currently involved with other research projects such as the Clinical Practice Research Database (CPRD) or QResearch, and we do not permit secondary processing (e.g. for research, “analytics”, commissioning, commercial or political purposes) of our patients’ information uploaded to the Hampshire Health Record.

is also the potential for your information to help improve health care and other services across the NHS. Therefore your information may also be used to help with:

  • Ensuring that our services can be planned to meet the future needs of patients
  • Reviewing the care provided to ensure that it is of the highest standard possible, improving individual diagnosis and care
  • Evaluating and improving patient safety
  • Training other healthcare professional
  • Supporting the health of the general public
  • Evaluating Government and NHS Policies

Who might we share your information with?

Local Hospital, Community or Social Care Services

Sometimes the clinicians caring for you need to share some of your information with others who are also supporting you. This could include hospital or community based specialists, nurses, health visitors, therapists or social care services.

Summary Care Record (SCR)

A Summary Care Record is an electronic record of important patient information, created from the GP medical records. It contains information about medication you are taking, any allergies you suffer from and any bad reactions to medications you have previously had. It can be seen and used by authorised staff in other areas of the health and care system involved in your direct care. Giving healthcare staff access to this information can prevent mistakes being made when caring for you in an emergency or when your GP practice is closed. Your Summary Care Record also includes your name, address, date of birth and your unique NHS Number to help identify you correctly. If you and your GP decide to include more information it can be added to the Summary Care Record, but only with your express permission. For more information visit the NHS Website.

Care and Health Information Exchange (CHIE)

The CHIE is an electronic summary record for people living in Hampshire, Portsmouth and Southampton. GP Surgeries, hospitals, social care and community care teams collect information about you and store it electronically on separate computer systems. The Care and Health Information Exchange stores summary information from these organisations in one place so that – with your consent – professionals can view it to deliver better care to you. This record contains more information than the SCR, but is only available to organisations in Hampshire. 

National Services

There are some national services like the National Cancer Screening Programme that collect and keep information from across the NHS. This is how the NHS knows when to contact you about services like cervical, breast or bowel cancer screening. Often you have the right to not allow these organisations to have your information.

You can find out more about how the NHS holds and shares your information for national programmes on the NHS Choices website.

Other NHS organisations

Sometimes the practice shares information with other organisations that do not directly treat you, for example, Clinical Commissioning Groups. Normally, it will not be possible to identify you from this information. This information is used to plan and improve services. The information collected includes data such as the area patients live, age, gender, ethnicity, language preference, country of birth and religion. The CCG also collects information about whether patients have long term conditions such as diabetes; blood pressure, cholesterol levels and medication. However, this information is anonymous and does not include anything written as notes by the GP and cannot be linked to you.

You have the right to opt out of any of these schemes at any time.


How long do we keep your information?

Health and social care records are subject to a nationally agreed code of practice which regulates the minimum period for which records must be kept. This specifies that GP record should be retained until 10 years after the patient’s death or after the patient has permanently left the country, unless they remain in the European Union. Electronic patient records must not be destroyed or deleted for the foreseeable future.


Other organisations

We are sometimes legally obliged to disclose information about patients to relevant authorities. In these circumstances the minimum identifiable information that is essential to serve that legal purpose will be disclosed.

That organisation will also have a professional and contractual duty of confidentiality. Data will be anonymised if at all possible before disclosure if this would serve the purpose for which the data is required.

Organisations that we are sometimes obliged to release information to include:

  • NHS Digital (e.g. the National Diabetes Audit)
  • CQC
  • DVLA
  • GMC
  • HMRC
  • NHS Counter Fraud
  • The Courts
  • Public Health England
  • Local Authorities (Social Services)
  • The Health Service Ombudsman

Only with your explicit consent, can we as a Practice release information about you, from your GP record, to relevant organisations. These may include:

  • Your employer
  • Insurance companies
  • Solicitors
  • Local Authorities
  • Police

How can I access the information you hold about me?

You have a right under the Data Protection legislation to request access to obtain copies of all the information the surgery holds about you. You are also allowed to have information amended should it be inaccurate.

In order to access your medical record, you need to let the practice know by making a Subject Access Request (SAR).

The practice will respond to your request within one month of receipt of your request. You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

It will be very helpful to the practice if you could specify any particular information you need so we can provide the information to you as soon as possible.

Usually there is no charge to see the information that the practice holds about you unless the request is excessive or complicated.

For information about your hospital medical records, you should write direct to them.

If you wish to make a SAR, please contact us and will be able to provide you with the relevant form to complete.


Your individual rights

Have inaccuracies corrected

If you feel that the personal data that the practice holds about you is inaccurate or incomplete then please let us know and we will update your records within one month of notification. If this incorrect information has been sent onwards, we will also inform any other organisations of this. If it is not possible to correct the information then we will write to you to let you know the reason behind the decision and inform you how you can complain about this.

Have information erased

If you feel information in your health record should not be there, you can ask the practice to erasure that information. We will look at each request specifically. Please bear in mind there may well be legal reasons why we will need to keep data even if you request it to be erased.

Data portability

You have the right to access your data in a format which allows you to re-use and share it with other organisations should you wish. As such, we will provide your data in a structured, commonly used and machine readable form.

The practice does not engage in any direct marketing, profiling or use any automated decision making tools.


Right to object

As a patient, you have the right to object to personal data about you being used or shared.

You also have the right to restrict the use of data the practice holds about you. If you do wish to object, please contact the practice. This will prevent your confidential information being used other than where necessary by law.

If you are a carer and have a Lasting Power of Attorney for health and welfare then you can also object to personal data being used or shared on behalf of the patient who lacks capacity.

If you do not hold a Lasting Power of Attorney then you can raise your specific concerns with the patient’s GP. If you have parental responsibility and your child is not able to make an informed decision for themselves, then you can make a decision about information sharing on behalf of your child. If your child is competent then this must be their decision.



The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

The Practice is registered as a data controller under the General Data Protection Regulations 2018 and the Data protection Act 1998. The registration number is Z6516707 and can be viewed online in the public register on the ICO Website



If you have concerns or are unhappy about any of our services, please contact the Practice Manager. Details of how to complain are on our website, or available in practice.

For independent advice about data protection, privacy, and data sharing issues, you can contact:

The Information Commissioner
Wycliffe House
Water Lane