We understand how important it is to keep your personal information safe and secure, and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way, and we review this regularly.
Please read this Patient Privacy Notice carefully. It contains important information about how we use the personal and healthcare information we collect about you.
This notice is for patients of the Practice. It is separate from our website privacy policy, which explains how information is collected and used when you visit our website.
How we use your personal information
This Patient Privacy Notice explains why the Practice collects information about patients, how we use your information, who we may share it with, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
So that we can provide you with the best possible care, we collect information about you from a range of sources. This may include information you provide directly to us, information recorded during your appointments, and information shared with us by other health and care organisations involved in your care, such as local NHS hospitals.
This information is used to support your healthcare. Under UK GDPR, information about your physical and mental health, racial or ethnic origin and religious belief is considered special category data, sometimes known as sensitive personal information. This type of information is subject to strict laws governing how it can be used.
The Practice is legally responsible for ensuring that any personal information we process is handled lawfully, fairly and securely.
The Practice is the data controller for the personal information we hold about you. This means we are responsible for maintaining the security and confidentiality of the personal information you provide to us.
Security of information
Confidentiality affects everyone. Croft Medical Services collects, stores and uses personal and sensitive personal data, including medical records and computerised information, to provide healthcare services.
We take our duty to protect personal information and confidentiality very seriously. We are committed to complying with all relevant legislation and taking all reasonable measures to ensure the confidentiality and security of the personal data we are responsible for, whether held electronically or on paper.
The partners have appointed a Senior Information Risk Owner, who is accountable for the management of information assets and any associated risks or incidents. The Practice also has a Caldicott Guardian, who is responsible for the management of patient information and patient confidentiality.
Legal basis for processing your information
Under UK GDPR, the Practice must identify a lawful basis for processing your personal information.
For personal data, the legal bases we may rely on include:
- Consent: where you have given clear consent for us to process your personal data for a specific purpose.
- Contract: where processing is necessary for a contract, or because you have asked us to take specific steps before entering into a contract.
- Legal obligation: where processing is necessary for us to comply with the law.
- Vital interests: where processing is necessary to protect life.
- Public task: where processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
For special category data, including health records, the legal bases we may rely on include:
- Explicit consent.
- Employment, social security and social protection, where authorised by law.
- Vital interests, such as life and death situations.
- Information made public by the data subject.
- Legal claims or judicial acts.
- Reasons of substantial public interest, with a basis in law.
- Health or social care, with a basis in law.
- Public health, with a basis in law.
Why we collect information about you
All clinicians and health and social care professionals caring for you keep records about your health and any treatment or care you receive from the NHS.
These records help to make sure you receive the best possible care. They may be held on paper or electronically and may include:
- Basic details about you, such as your name, address, email address, NHS number, date of birth and next of kin.
- Contact we have had with you, such as appointments or clinic visits.
- Notes and reports about your health, treatment and care.
- Details of diagnoses and treatment given.
- Information about any allergies or health conditions.
- Results of x-rays, scans and laboratory tests.
- Relevant information from people who care for you and know you well, such as health care professionals and relatives.
It is important that your details are accurate and up to date. Please check that your personal details are correct when you visit us and let us know about any changes to your contact details. This helps minimise the risk of you not receiving important correspondence.
By providing the Practice with your contact details, you are agreeing to the Practice using those channels to communicate with you about your healthcare. This may include contact by letter, telephone, voicemail, text message or email.
How your personal information is used
In general, your records are used to direct, manage and deliver the care you receive. This helps ensure that:
- Doctors, nurses and other health or social care professionals involved in your care have accurate and up-to-date information to assess your health and decide on the most appropriate care for you.
- Health or social care professionals have the information they need to assess and improve the quality and type of care you receive.
- Your concerns can be properly investigated if a complaint is raised.
- Appropriate information is available if you see another clinician or are referred to a specialist, another part of the NHS, or social care.
We may offer you a consultation by telephone or video. By accepting the invitation and entering the consultation, you are consenting to this. Your personal and confidential patient information will be safeguarded in the same way as it would be during any other consultation.
AccuRX Ambient Scribe
We use AccuRX Ambient Scribe, an AI-powered medical scribe, to enhance the quality and efficiency of patient consultations. AccuRX acts as a data processor on behalf of the Practice.
AccuRX Ambient Scribe can transcribe patient interactions in real time and use this information to help generate clinical notes, complete documents, dictate letters for GPs to review, and support other administrative tasks. This helps ensure that information recorded during your consultation is accurate, up to date and available to support your care.
Using AccuRX Ambient Scribe helps us improve the accuracy of medical records, increase efficiency by automating the transcription process, and enhance patient care by allowing GPs and staff to focus more on your consultation rather than note-taking.
Your clinician will let you know when AccuRX Ambient Scribe is being used. You can withdraw your consent for its use during your consultation at any time. If you do not wish for AccuRX Ambient Scribe to be used, please tell the clinician.
AccuRX Ambient Scribe adheres to strict NHS standards, including the Data Security and Protection Toolkit (DSPT) and Digital Technology Assessment Criteria (DTAC), helping to ensure that personal information is handled securely and confidentially.
Transcriptions and summaries are kept on the AccuRX system for no longer than 30 days. For more information, please visit the AccuRX Scribe website, and also visit AccuRX webpage about how they protect patient data.
The NHS Care Record Guarantee
The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing.
Copies of the full document can be obtained from the National Archives website.
The Records Management Code of Practice
The Records Management Code of Practice for Health and Social Care is a guide for the NHS on managing records. It is relevant to organisations that work within, or under contract to, NHS organisations in England. The Code is based on current legal requirements and professional best practice.
How long records are retained
All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.
The Practice does not keep patient records for longer than necessary. All records are destroyed confidentially once their retention period has been met and the Practice has decided that the records are no longer required.
We carefully consider any personal information we store about you and will not keep your information for longer than is necessary for the purposes set out in this Patient Privacy Notice.
When we share information about you
We may share information about you with others directly involved in your care. We may also share more limited information for indirect care purposes, such as service planning, audit and public health.
Everyone working within the NHS has a legal duty to keep information about you confidential. Anyone who receives information from us also has a legal duty to keep it confidential.
Direct care purposes
We may share information about you with organisations directly involved in your care, including:
- NHS Trusts and hospitals involved in your care
- NHS England and other NHS bodies
- Other General Practitioners or Primary Care Networks
- Ambulance services
- Integrated Care Boards
- Social care services
- Local authorities
- Voluntary and private sector providers working with or for the NHS, such as dentists, pharmacies, opticians and care homes
You may receive care from other organisations as well as the NHS. We may need to share some information with them so we can work together for your benefit, where there is a genuine need for it or where we have your permission.
Indirect care purposes
We may also use information we hold about you to:
- Review the care we provide to ensure it is of a high standard and quality
- Ensure our services can meet patient needs in the future
- Investigate patient queries, complaints and legal claims
- Ensure the appropriate organisations receive payment for the care you receive
- Prepare statistics about NHS performance
- Audit NHS accounts and services
- Undertake health research and development, where appropriate and with consent where required
- Help train and educate healthcare professionals
- Support health and social care policy, planning and commissioning
- Support GP Federations and wider NHS planning
- Support public health purposes
Refusing or withdrawing consent
Where the legal basis for sharing confidential personal information relies on your explicit or implied consent, you have the right to refuse consent or withdraw consent previously given.
The possible consequences of refusing or withdrawing consent will be explained to you at the time. In some cases, refusing consent may affect or delay the care we are able to provide.
In situations where the legal basis for sharing information relies on a statutory duty or legal power, such as the reporting of notifiable diseases, you cannot refuse or withdraw consent for the disclosure.
National Data Opt-Out
Whenever you use a health or care service, important information about you is collected in a patient record for that service. This helps ensure you receive the best possible care and treatment.
The information collected about you may also be used and provided to other organisations for purposes beyond your individual care, such as:
- Improving the quality and standards of care
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services
This will only take place where there is a clear legal basis to use this information. Most of the time, anonymised data is used for research and planning so that you cannot be identified.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy for your information to be used in this way, you do not need to do anything. If you choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit: www.nhs.uk/your-nhs-data-matters you can change your mind about your choice at any time.
Data used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes. Your data would only be used in this way with your specific agreement.
Public health purposes
In some situations, we may be required to use or share confidential patient information to protect public health or respond to public health emergencies.
Where information is used or shared for public health purposes, this will be done in line with the law and relevant national guidance. We will only use the minimum information necessary and will apply appropriate safeguards to protect your information.
Other ways we use your information
Call recording
Telephone calls may be recorded for the following purposes:
- To make sure staff act in line with Practice procedures
- Quality control
- Training, monitoring and service improvement
- To prevent crime or misuse
- To support the safety of patients and Practice staff
SMS text messaging
When attending the Practice for an appointment or procedure, you may be asked to confirm that we have an accurate contact number and mobile telephone number for you.
Your mobile number may be used to send appointment details, reminders, automated calls or other important information about your healthcare.
CCTV
We use surveillance cameras on and around our Practice premises to:
- Protect patients, visitors, staff and Practice property
- Help provide a safer environment
- Deter unlawful activity
- Help investigate operational, safety-related or security incidents
- Provide evidence where required for criminal or civil proceedings
- Help improve services, for example by enabling staff to identify patients or visitors who may require assistance
You have the right to make a Subject Access Request for CCTV images of yourself and to ask for a copy of them. Requests should be made to the Practice using the contact details below. You will need to provide enough information to help us identify you and locate the relevant images.
We reserve the right to withhold information where permitted under UK GDPR and the Data Protection Act 2018. CCTV data will only be retained for a reasonable period, or for as long as required by law.
In certain circumstances, such as serious incidents or investigations, we may need to disclose CCTV data for legal reasons. Where this happens, the organisation receiving the images must comply with data protection law.
Your rights as a patient
You have certain rights in relation to the personal information held about you by the Practice. These include:
- The right to be informed about why, where and how we use your information
- The right to ask for access to your information
- The right to ask for your information to be corrected if it is inaccurate or incomplete.
- The right to ask for your information to be deleted or removed where there is no need for us to continue processing it
- The right to ask us to restrict the use of your information
- The right to ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information
- The right to object to how your information is used
- The right to challenge any decisions made without human intervention, also known as automated decision making
Please note that the right to be forgotten and the right to erasure do not usually apply to health records or where information is required for public health purposes.
Your right to object
You have the right to restrict how and with whom we share information in your records that identifies you.
If you object to us sharing your information, we will record this within your records so that healthcare professionals and staff involved in your care are aware of your decision.
If you choose not to allow us to share your information with other health or social care professionals involved in your care, it may make the provision of treatment or care more difficult or unavailable.
Please discuss any concerns with the clinician treating you so that you understand any potential impact. You can change your mind at any time about a disclosure decision.
How you can access your health records
UK GDPR gives you the right to access the information we hold about you in your records.
Requests must be made in writing to the Practice. The Practice will usually provide your information within one month of receiving your request. This may be extended in some circumstances, depending on the complexity of the request.
Freedom of Information
The Freedom of Information Act 2000 gives any person the right to request certain information held by the Practice, subject to a number of exemptions.
If you would like to request general information from us, please contact the Practice.
Please note that if your request is for information we hold about you, such as your health record, you should make a Subject Access Request instead. Please see the section above, “How you can access your health records”.
Changes to this notice
We may amend this Patient Privacy Notice at any time, so please review it regularly. The date at the bottom of this page will be updated each time this notice is amended.
Data Controller
The Data Controller responsible for keeping your information confidential is: Dr Burhan Ahmed
Data Protection Officer
The appointed Data Protection Officer is: Helen McNae
Address: Unit 13, Ainley Bottom, Ainley Industrial Estate, Elland, HX5 9JPT
Tel: 07748 623531
Email: Helen.mcnae@this.nhs.uk
Raising a concern
If you have a concern about any aspect of your care or treatment at the Practice, or about the way your records have been managed, please contact the Practice Manager.
If you have concerns about how we handle your information, you have the right to complain to the Information Commissioner’s Office.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Last Updated: 8 July 2026
