Privacy Notice

Midway Privacy Policy

Our privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you.

To read and/or download the full notice, please click here: Midway Privacy Policy updated March 2025.pdf

At Midway Surgery, we are committed to protecting and respecting your privacy, informing you of your rights under Data Protection legislation and giving you access to these rights.

Who has information about you?

In order to provide safe and effective healthcare, several care providers hold and share information about you. In our locality, for example, these include Midway Surgery along with West Hertfordshire Hospitals NHS Trust.

Information is shared for your direct care purposes. There may be instances where we are required under legislation to share information, but we will only do so if we have a legal basis to.

Information we hold about you

We hold personal data (data which identifies you) and Special Category data (sensitive data such as racial or ethnic origin, health, sex life and sexual orientation).

How we collect your information

The information we collect and process about you has either been provided by you or by others involved in your care and treatment (i.e. hospital, community, employers).

We may collect information from you when you contact us via telephone calls, written mail, eConsult or our website or visit the practice for an appointment.

You should tell us if your personal information changes so that we can update our records. This is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up to date.

How we use your information

We use information about you in connection with treatment and/or care, tests or assessments and medical examinations.

We may use your phone number (or email address where you have provided it to us) to contact you in advance of an appointment or for reasons connected with your care or treatment. Where you have provided us with your mobile number, we may send you confirmations/reminders of your appointments via text message and send you questionnaires linked to your care.

We may also use information about you for:

  • quality assurance,
  • maintaining our business records,
  • developing and improving our products and services, and
  • monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you.

This may include our staff planning and workload management systems to help support our staff and clinicians to develop and plan the most appropriate levels of care to our patients and to ensure we have got the right levels of productivity and efficiency and good outcomes for patients.

We may use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud or safeguarding) or in connection with legal proceedings.

We may also use information about you where you have provided your consent to us doing so.

We do not carry out automated decision making or profiling.

Staff access to your personal and sensitive data

We carefully control who has access to your information.  Staff only have access where they are required to do so to provide direct care or support (i.e. receptionist or secretary). 

If a data breach includes access to your information, we will contact you. 

Sharing your information

Information is shared for your direct care purposes to ensure you receive the best possible care. There may be instances where we are required under legislation to share information, but we will only do so if we have a legal basis to.

Audits, surveys, and initiatives

In common with all healthcare providers (both NHS and private), we also look at the quality of the care we provide to patients and health assessment clients, and participate in national audits and initiatives:

  • to ensure that patients are getting the best possible outcomes from their treatment and care, and
  • to help patients make informed choices about the care they receive.

We can assure you that your personal information always remains under our control. Any information we provide for national audits and initiatives outside of Midway Surgery will not contain any information in which any patient can be identified unless it is required by law. Any publishing of this data will be in anonymised statistical form. The Practice may partake in local audits where there has been a Serious Incident in order to identify any potential clinical risks to yourself or other patients.

Legal basis for using your information

Data protection law requires that we set out the legal basis for holding and using information about you.  We have set out the various reasons we use information about you and the legal basis for doing so. Please refer to the full privacy policy.

Where and for how long we store your information

The information about you that we hold and use is held securely in the United Kingdom and stored electronically, in paper format and on secure servers.

No records are stored outside the EEA.

We retain your records for certain periods (depending on the record) under our retention of records policy. Midway Surgery follows the recommended best practice contained in the NHS Records Management Code of Practice. This is to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information.

Your information rights

Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you. Please note that for some purposes, especially within health and care, some of your rights under UK GDPR have applicable exemptions. You can find out more about your rights and exemptions on the ICO website.

Please refer to the full policy and if you wish to exercise your rights, please contact the Practice Manager using the contact details set out above.

Access to your personal information

Data Subject Access Requests (DSAR): You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

  • Your request should be made to the Practice – for information from the hospital you should write direct to them
  • There is no charge to have a copy of the information held about you
  • We are required to respond to you within one month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

Midway Surgery uses a processor, iGPR Technologies Limited (“iGPR”), to assist with responding to report requests relating to patient data, such as subject access requests that you submit to Midway Surgery (or that someone acting on your behalf submits to Midway Surgery) and report requests that insurers submit to Midway Surgery under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for.

iGPR manages the reporting process for Midway Surgery by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws.

The instructions Midway Surgery issues to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.

General Practice Data for Research

The data held in the GP medical records of patients is used to support health research in England, helping to find better treatments and improve patient outcomes for everyone. Any data that could directly identify you (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS England.

If you do not want your patient data to be shared for purposes except your own care, you can opt out of this process.

For further information please access the website here https://digital.nhs.uk/services/national-data-opt-out or contact the practice.

My Care Record

Midway Surgery is part of My Care Record, an approach to improving care by joining up health and care information. Health and care professionals from other services will be able to view information from the records we hold about you when it is needed for your care.

For further information please access the website My Care Record - Home or contact the practice.

Health Information Exchange Gateway

Health and care information is joined up via the HIE (Health Information Exchange), which is used across the region to enable health and care professionals to access up-to-date information held by different organisations or in different locations.

The Cerner HIE (Shared Care Record) system displays the feeds from partner organisations in a single user accessible dashboard, in real time.

Recordings

  • Telephone calls are recorded for training and monitoring purposes only.
  • When the Surgery carries out video consultations, the consultation is not stored or recorded within the system; the clinical staff member is required to record observations and outcomes of the consultation directly into your patient record in the same way as during a face-to-face consultation.
  • Artificial Intelligence (AI) Tools

Midway Surgery doctors may wish to use transcription technology during your consultation.  Transcribing tools make it possible for your doctor to focus entirely on you during your visit while still capturing an accurate and comprehensive record of your consultation.  The clinician will check the accuracy of the transcription before saving it to your health record.  Only information directly related to your care will be recorded and the transcription will be held by the technology provider for a maximum of 7 days.

You are entitled to decline the use of transcribing tools; please inform your clinician at the start of the consultation of your dissent.

  • CCTV

We have installed CCTV to:

  • ensure the security of our and your property and the security of our patients and staff
  • monitor the security of our premises.

Primary Care Network (PCN)

We are a member of Alban Healthcare Primary Care Network (PCN) (Midway Surgery, Parkbury House Surgery, Grange Street Surgery).

This means we will be working closely with these GP Practices and health and care organisations to provide healthcare services to you. No health data is automatically shared.

Integrated Care Systems (ICS)

As the country moves to an integrated care system based on geographical areas (East & North Herts, Herts Valleys and West Essex), information may be available to other care providers in order to provide safe, effective and cost-efficient care.

Integrated Care Board (ICB)

The Integrated Care Boards are responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning. We do share data with Herts and West Essex ICB, which is working with GP practices, local hospitals and other providers to generate Population Health Management information, linking all the information together but then removing information that identifies you.

The ICB are legally obliged to protect your information and maintain confidentiality in the same way as us (your GP) or hospital provider. 

Population Health Management

Population Health Management aims to improve the health of both local and national populations.

Population Health Management requires health and social care organisations to work together with communities and partner agencies. The organisations will share de-identified information (where information about you has been removed) with each other in order to get a view of health and services for the population in a particular area.

Data processing activities 

The ICB processes this data internally. Data is also processed by Arden & GEM Commissioning Support Unit (AGEM), and Cerner Ltd on behalf of the ICB.

AGEM and Cerner Ltd will make the GP data linkable with other local and national data sources to understand the population health more effectively. This process is called Pseudonymisation and any information that identifies you has been removed and replaced with a pseudonym (Unique Code).

The pseudonym will only ever be reidentified by your GP practice if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice will be able to see your personal information in order to offer this service to you.

Using your data to plan and support better care

Summary Care records (SCR)

All patients registered with a GP have a Summary Care Record, unless they have chosen not to have one. The information held in your Summary Care Record gives health and care professionals, away from your usual GP practice, access to information to provide you with safer care, reduce the risk of prescribing errors and improve your patient experience.

Your Summary Care Record contains basic information about allergies and medications and any reactions that you have had to medication in the past.

Risk stratification

To find out more about which risk stratification tools are used, how your personal data is handled and your rights, you can view the HWE ICB Privacy Notice available at the web address provided below or your GP Practice privacy notice.

https://hertsandwestessex.icb.nhs.uk/website/privacy-notice-1

Medicines Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.

The right to complain to the Information Commissioner’s Office

You have the right to complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law. Please refer to the full privacy policy.