Privacy Policy

Operose Health Group Privacy Notice

Summary

Keeping your personal data safe is very important to us. This privacy notice will inform you of how we look after your personal data, tell you about your privacy rights and how to exercise
your rights under legislation.

Your personal data is stored securely at all times, in our clinical systems. Only authorised individuals who need access for the legal circumstances set out in the sections below can
access your personal data.

We may share information about you with other General Practices (GPs), NHS acute or mental health Trusts, community health providers, pharmacists, ambulance services, social services,
and NHS commissioning organisations who are directly involved in providing or funding your care needs and for the purpose of indirect care (see secondary uses below). Your data will
not be shared with anyone who is not listed in this privacy notice unless we are obliged by law.

We do not share your personal information with marketing and advertising companies, and we do not share your data with anyone who would take your data outside of the UK (GDPR)
jurisdiction.

We will only share personal information about you with medical research organisations with your consent or as described in the section below, and you have the right to withdraw your
consent at any time by contacting the Practice/Service you are registered with. The national data opt-out allows people to opt out of their confidential information being used for research
and planning. You can read more about it on the NHS.uk website.

A full list of the organisations we share information with, and why, is provided in the later section of this Privacy Notice.

Who we are

Operose Health is the brand name for a number of companies that provide primary healthcare services across England. A full list can be found here:

What we do

At Operose Health, we are experts in working with complex health systems to provide the very best healthcare service to our patients and service users, and to transform their quality of
healthcare experience. We are part of a global healthcare family with over 30 years’ experience of delivering high quality healthcare in the most simple and seamless way to our patients and service users, and we are committed to protecting and respecting their privacy.

Our portfolio of services includes primary care, community outpatient services and referral management services. We respect your right with regards to privacy and data protection when
you communicate with us through our websites, events, telephone, or attend any of our face-to-face consultation services.

Your personal data is stored in our secure clinical systems; only those who are involved in delivering your care have access to your personal data. Your data will not be shared with
anyone else, unless we are obliged by law.

Sharing your personal information

We may share information about you with other General Practices (GPs), NHS acute or mental health Trusts, community health providers, pharmacists, ambulance services, social services,
and NHS commissioning organisations who are directly involved in providing or funding your care needs or for the purpose of indirect care (see secondary uses below). Your data will not
be shared with anyone else, unless we are obliged by law.

We do not share your personal information with marketing and advertising companies. We hold your information securely in the UK at all times. Your information is not shared
anywhere outside the UK.

We will only share personal information about you with medical research organisations with your explicit consent, and you have the right to withdraw your consent at any time.
A full list of the organisations we share information with, and why, is provided in the later section of this Privacy Notice.

What is this Privacy Notice about?

A privacy notice is a statement that describes how an organisation collects, uses, retains and discloses personal data, or special categories of personal data. Different organisations
sometimes use different terms, and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

Being transparent and providing accessible information to individuals about how an organisation will use their personal information is a key element of the UK General Data
Protection Regulation (UK GDPR) and the Data Protection Act 2018. To ensure that we process your personal data fairly, lawfully and transparently we are required by law to provide
you with the following information:

• What information we collect and process about you
• How we process your personal data
• The purpose of processing
• Recipients or categories of recipients of your personal data
• The identity of our Data Protection Officer
• How long we retain personal information about you
• The lawful bases for processing
• Your rights – to view or request copies of your personal information, or object to the processing of your personal information.

Types of personal information we process

At Operose Health, we process the following categories of personal information about our patients and service users:

Category: Data Type

• Identity data and contact details: Such as name, date of birth, gender, NHS number, telephone number, postal address, postcode, email address (if provided) etc.
• Support contact details: Names, contact details of carers, relevant close relatives, next of kin and representatives.
• Special categories of personal data concerning physical, social or mental health condition: Such as medical history, diagnosis, treatments, test results, appointment, attendances, referrals, care plans, care packages, medication, medical opinions etc.
• Special categories of personal data with protected characteristics: Such as racial or ethnic origin, religious or philosophical beliefs, genetic data, sexual life or sexual orientation data, child protection records, adoption records etc.
• Aggregated data: A combination of personal data, and special categories of personal data for the purpose of business intelligence and analytical services to enable us to predict future trends and plan our services.
• Usage data: Our websites use cookies to distinguish you from other users when you access our online services. A cookie is a small file of letters and numbers that we store on your browser when you consent to use of our online services. This helps us to provide you with a good experience when you browse our site and enables us to improve our site.

What we process your personal information for

We process personal information about you in a number of ways. These include:

• Primary uses – we process personal information concerning your health to enable our registered and regulated healthcare professionals who are directly involved in your
care to provide you with the best possible direct care delivery.
Personal information concerning your health or social care is also made available to other health or social care provider organisations who are involved in your health or social care needs to enable them to make the best-informed decision about you when you use their service.

• Secondary uses – We process your personal information for purposes beyond direct care in the following ways:

  • Reviewing the care we provide through clinical audit.
  • Investigating your queries, complaints and legal claims.
  • Ensuring we receive payment for the healthcare you receive.
  • Preparing statistics on NHS performance.
  • Auditing NHS accounts and services.
  • Undertaking health research, and development (with your explicit consent, and you have the right to choose whether or not to be involved).
  • For business intelligence and analytical services to enable us to predict future trends and plan our services.
  • Training and educating our healthcare professionals (with your explicit consent, and you have the right to choose whether or not to be involved).

Our identity and contact details

Operose Health includes the entities listed in this Privacy Notice. We can be contacted at:

Operose Health
108 High Street,
Great Missenden
Buckinghamshire
HP16 0BG

Our Data Protection Officer

If you have any questions or concerns regarding how your data is being processed, please write to our Data Protection Officer who can be contacted at:

Data Protection Officer
Operose Health
108 High Street,
Great Missenden
Buckinghamshire
HP16 0BG

Tel: 020 8678 5624
Email: dpo@operosehealth.co.uk

Organisations we share your personal information with

Included below is a table of the organisations with which we share information about you for the purposes of direct and indirect care, split into the following categories:

a. Direct Medical Care and Administration
b. Other primary care services delivered for the purposes of direct care
c. Statutory disclosures of Information
d. Processing for the purposes of Commissioning, Planning, Research and Risk Stratification
e. Data sharing databases
f. Processors

Click here to view table

Details of data linkage with other datasets

Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for statistical purposes,
stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases, there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

Integrated Care Boards within our geographical areas are responsible for processing de-identified and linked data under this category, on our behalf. We ensure that the Processor is
legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Data retention period

All records held by Operose Health will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care 2021 and supplemented by our Records Management Standards.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, the amount,
nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data
and whether we can achieve those purposes through other means, and the applicable legal requirements have all been considered.

The details of transfers of the personal data to any third countries or international organisations

We do not transfer your personal data to any third countries or international organisations.

What safeguards are in place to ensure data that identifies you is secure?

We only use information that may identify you in accordance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This legislation
requires us to process your data only if there is a lawful basis for doing so and that any processing must be fair, lawful and transparent.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held
on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

Our appropriate technical and security measures include:

  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems
  • The ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of security measures, and ensuring they comply with the concept of privacy by design and default;
  • Encryption; Firewalls / VPN; Password protected files; Restricted Access Folders and System Audit.

Cookies

Our websites use cookies to distinguish you from other users when you access our online services. A cookie is a small file of letters and numbers that we store on your browser when
you consent to use of our online services. This helps us to provide you with a good experience when you browse our site and enables us to improve our websites.

We use the following cookies:

• Strictly necessary cookies: These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to log in to secure areas
of our websites.

• Analytical/performance cookies: They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our websites work, for example, by ensuring that users are finding what they are looking for easily.

• Functionality cookies: These are used to recognise you when you return to our site. This enables us to personalise our content for you, greet you by name and remember
your preferences (for example, your choice of language or region).

• Targeting cookies: These cookies record your visit to our site, the pages you have visited and the links you have followed. We will use this information to make our site
more relevant to your interests. We may also share this information with third parties for this purpose.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies
(including essential cookies) you may not be able to access all or parts of our site.

Except for essential cookies, all cookies will expire after 12 months.

What are your general rights?

Where information from which you can be identified is held, you have the:

• Right of access to view or request copies of the record
• Right to rectification of inaccurate personal data or special categories of personal data
• Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
• Right not to be subject to any automated individual decision-making
• Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine-readable format. Your right to portability shall apply only where:
  • data is processed by automated means, and
  • you provided consent to the processing or,
  • the processing is necessary for the fulfilment of a contract

Right to object

In line with the Data Protection Legislation, you do not have the right to object to the processing of your personal information where:

• The purpose of the processing is for direct provision of care or safeguarding concerns. As a primary care and community health provider, we have legitimate compelling grounds under the Health and Social Care Act 2012 to process your personal information for the purposes of direct care delivery, and to prevent an individual from harm, or to prevent a serious crime. This includes personal information concerning your health which we share with other GP Practices, NHS acute or mental health Trusts, social services, community health providers and pharmacists who are also involved in your care.

• The processing is necessary for compliance with a legal obligation to which we are subject. This includes information we share with statutory organisations, law enforcement and regulatory bodies such as NHS Digital (statutory data collection), NHS Counter Fraud, the Police, Courts of Justice, HMRC and DVLA.

You do not have the right to object to the processing of your personal information for risk stratification for indirect care purposes such as understanding the local population needs and
planning for future requirements in line with Section 251 NHS Act 2006.

You have the right to opt out of Summary Care Record, NHS Digital – National Data Opt-Out.

Right to erasure (right to be forgotten)

Your right to erasure (right to be forgotten) applies where you had given ‘consent’ to process your personal data and later withdrew the consent. Right to erasure does not apply to the
extent where the processing of your personal health data is necessary for:

• Compliance with a legal obligation which we are subject to, under the UK law or, for the performance of a task carried out in the public interest or, in the exercise of
official authority vested in us;

• Medical purposes and/or for reasons of public interest in the area of public health; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; the establishment, exercise or defence of legal claims.

Exercising your right or gaining access to the data we hold about you

By contacting your registered practice, you can exercise your rights at any time, or request to see or have copies of personal information we hold about you.

Right to complain

If you are dissatisfied with the way we process your data, please contact us and we will try to resolve your complaint. You also have the right to appeal/complain to the Information
Commissioner (ICO). The ICO can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
Tel: 0303 123 1113 or 01625 545 745
Email: https://ico.org.uk/global/contact-us/

Operose Health Group Entity Names


Entity Name                                     Data Protection Registration Number
Operose Health Limited                          ZA269280
AT Medics Limited                               Z9497012
AT Learning Limited                             ZA792188
AT Technology Services Limited                  ZA239650
Primary Care Partners Limited                   ZA688561
Operose Health Corporate Management Limited     Z2932107
Operose Health (Group) Limited                  Z9518807
Operose Health (Group) UK Limited               Z1159942
The Practice Surgeries Limited                  Z1159956
Chilvers & McCrea Limited                       Z7794195
The Practice U Surgeries Limited                Z4783305
Phoenix Primary Care Limited                    Z1273035
Phoenix Primary Care (South) Limited            Z3383510
