Privacy Notice

Patient Privacy Notice: Lynton Health Centre

This Privacy Notice explains why we collect information about you, what information we collect about you, how your information will be used, how we store this information, how long we retain it, your rights in respect of your data and with whom and for which legal purpose we may share it.

The Organisation also publishes a number of specific notices, which are available at the bottom of this page.

In addition to the below:

 Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive.

This shared system is called the Devon and Cornwall Care Record.

It’s important that anyone treating you has access to your shared record so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.

It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email.

Only authorised health and care staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include.

For more information about the Devon and Cornwall Care Record, please go to


Who we are?

Symphony Healthcare Services [06633460, Registered Office: Wincanton Health Centre, Dyke’s Way, Wincanton, BA9 9FQ] was formed in April 2016, as a wholly owned subsidiary of Yeovil District Hospital NHS Foundation Trust.

SHS is a provider of NHS services, not a privatised company.

It was created to support primary care to continue to provide high quality, sustainable, healthcare services in Somerset with a focus on patient care and joining up the healthcare system.

We now have 16 GP surgeries who have joined us, with a patient population of approximately 117,000.

Why we collect personal information about you?

Personal data is information about a living, identifiable individual. Therefore, your personal data is any information that can be attributed to you personally, including your name, weight, height, date of birth, health conditions and treatments you receive.

So long as you can be identified from that information, it becomes your personal data.

Organisations that use personal data must do so in line with the provisions of the General Data Protection Regulations and the Data Protection Act 2018. The Act applies to personal data held in both electronic and physical media.

The staff caring for you need to collect and maintain information about you, your health, and your treatment and care, so that you can be given the safest and highest quality care.

This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.

Your information helps us to make the best decisions about your care and helps provide you with proactive advice and guidance.  Important information is also collected to help us to remind you about specific treatment, which you might need, such as health checks, immunisations for children and reminders for screening appointments.  We work with other NHS services to co-ordinate these.

Information held about you may be used to help protect the health of the public and to help us to improve NHS services.

Information may also be used within the GP practice to monitor the quality of the service provided (known as ‘clinical audit’).

To note: The surgery will be piloting the use of [ONLINE SYSTEM] (the Service) as a messaging service for you to contact your GP Practice. Your practice will recommend the Service to you in the belief that it will help you. The decision to use the Service will be yours. If you decide to use the Service, it should be through your informed consent.

[ONLINE SYSTEM] act as a Processor of the personal identifiable information you provide to your GP and for which we act as the Controller.

Your GP will share your basic data including; name, address, contact details and identification numbers (e.g. NHS number). You will be responsible for any data you share with your GP while using the Service.

Klinik Healthcare Solutions will also request additional consent to use the following data in a pseudonymised format as a Controller to support the development of the AI system:

·         Age

·         Sex

·         Symptoms/Ailments

We recommend you read the Privacy Notice on the [ONLINE SYSTEM] website: [WEBSITE] . These documents advise you how your data will be used.


Patients are given the option to submit images via [ONLINE SYSTEM] (or by other means) to support their request and it is their choice to do so.

Patients are advised via all Symphony Healthcare Service media channels that intimate images (genitalia, anus, and breasts) should not be submitted without prior communication with a clinician.

Parents, guardians and carers are reminded that intimate images of the following should never be sent via an online consultation system (such as [ONLINE SYSTEM]), via email or by any other means:

·         Children

·         Frail patients

·         Those lacking capacity

Sending intimate pictures of these groups may lead to criminal investigations and prosecution or seriously impact the dignity of those unable to consider the action for themselves.

If a submitted image, whether provided by the patient’s own accord or requested by the surgery, is of an intimate nature, once assessed by a clinician for the purpose of completing the consultation the image will be deleted.

Only in exceptional circumstances will a clinician seek informed consent from a patient to place an intimate image submitted on the patients’ medical record.


Telephony at the surgery

Calls to the surgery are recorded for monitoring and training purposes.  If you do not wish for your call to be recorded please inform the member of staff dealing with your call who will be able to manually pause the recording. Please note that a new request will be required for each call made and a written account of the call may still be placed on your patient record.

All call recordings are kept securely for 36 months. Following this, the recording is removed and deleted.


Non-NHS Work

The surgery uses Medi2Data to support patients with their non-NHS requests such as, but not limited to, insurance reports and private forms. Medi2Data is a processor of patient information.

If patients request that Medi2Data do not complete their non-NHS forms and reports then they acknowledge that the surgery is unable to complete these forms on their behalf and the patient will have to identify an alternative provider to undertake the work.

Currently Medi2Data are unable to complete firearm and DVLA forms. It is at the practices discretion as to whether it will undertake the private work that is unable to be completed by Medi2Data.

What is our legal basis for processing personal information about you?

When you consent to treatment we do not rely on that same consent to use your information as a ‘legal basis for processing’. We rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation, specifically:

Article 6(1)(e): ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

Article 9(2)(h): ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

In particular the Organisation has a legal duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to maintain securely an accurate, complete and up to date record in respect of each service user. Including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided. Because of this there are limitations on your rights to object to the keeping of records or to ask for them to be deleted. For more information, see the section on ‘What are your rights’.

This means we can use your personal information to provide you with your care without seeking your consent.

Other legal duties may require us to use your information for processing a complaint, for assessing, monitoring and improving the quality and safety of the services we provide, to seek feedback on the quality of services, or for the general management of the NHS.

The NHS is supported by a complex network of statutory duties and powers. We have provided here an overview of the main provisions applying to the practice. If you require specific information about the particular duty or power supporting any activity please contact the Data Protection Officer.

How we use your information for providing care


Where you have agreed we will send information on your prescriptions to pharmacies, either by electronic systems or by paper.

Test requests and results

Where we undertake tests on you, such as blood tests, we will send the sample and details of the tests we are requesting to the most appropriate pathology laboratory.  The data shared with the laboratory will include your NHS number, name, the type of test requested and any health information relevant to doing the test and producing the result or report.  We will receive the test results back from the laboratory electronically and these will be stored in your patient record.

Extended services and out of hours

We work closely with neighbouring practices and ‘out of hours’ providers including NHS 111 to ensure that if you need care from a doctor outside of normal hours that they have access to your records when needed to give you the best possible care.  This may be delivered over the phone or via video consultation as appropriate.  Services may be run by ‘GP Federations’ and ‘Primary Care Networks’.

Patient referrals

With your agreement, your GP or Nurse may refer you to other services not provided by the practice, or they may work with other services to provide your care in the practice.  Information will be shared by letters, emails and shared record systems.

Once you have been seen, the other care agency will tell us about the treatment they have provided for you and any support which your GP needs to provide. This information is then included in your record.  Referrals can be to lots of different services, such as smoking cessation services, social prescribers, voluntary services and other health and care agencies, as appropriate, for your care.

Hospital, Community or Social Care Services

Sometimes the staff caring for you need to share some of your information with others who are also supporting you. This could include hospital or community based specialists, nurses, health visitors, therapists or social care services.  Information will be shared to organisations where you receive care, whether that is local or further away, if you need specialist care or emergency care in another.


Shared computer systems

Health and Social care services are developing shared systems to share data efficiently and quickly.  It is important for anyone treating you to be able to access your shared record so that they have all the information they need to care for you. This will be during your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an Out of hours appointment.  It is also quicker for staff to access a shared record than to try to contact other staff by phone or email.

Only authorised staff can access the systems and the information they see is carefully checked so that it relates to their job.  Systems do not share all your data, just data which services have agreed is necessary to include.

For more information about shared care records, please go to

Safeguarding of children or vulnerable adults

If we have significant concerns or hear about an individual child or vulnerable adult being at risk of harm, we may share relevant information with other organisations, such as local authorities and the Police, involved in ensuring their safety.

Ensuring medicines work well

We work with the local Medicines Management team of the Clinical Commissioning Group to help get the best out of medicines for patients and ensure they are effective in managing conditions.  This generally uses anonymous data, but occasionally they will assist in reviews of medication for patients with complex needs.  Doctors may also seek advice and guidance on prescribing queries.

Identifying health risks

Systems known as ‘risk stratification tools’ are used to help determine a person’s risk of suffering particular conditions and enable us to focus on preventing ill health before it develops.  Information in these systems comes from a number of sources, such as hospitals and the practice.  This can help us identify and offer you additional services to improve your health.

Population Health Management


Health and care services work together as ‘Integrated Care Systems (ICS)’ and share data for the following reasons:

·         Understanding the health and care needs of the care system’s population, including health inequalities

·         Provide support to where it will have the most impact

·         Identify early actions to keep people well, not only focusing on people in direct contact with services but, looking to join up care across different partners.

Multi-disciplinary team meetings

For some long-term conditions, such as diabetes, the practice participates in meetings with staff from other agencies involved in providing care, to help plan the best way to provide care to patients with these conditions.

National Services (including screening programmes)

There are some national services like National Diabetes Audit and the National Cancer Screening Programmes that collect and keep information from across the NHS. This is how the NHS knows when to contact you about services like cervical, breast or bowel cancer screening.

You can find out more about how the NHS holds and shares your information for national programmes on the NHS screening website (

Data may also be shared on anyone who contracts a ‘communicable disease’, such as Covid-19, in order to manage public health and safety.

What personal information do we need to collect about you and how do we obtain it?

Personal information about you is collected in a number of ways, including referral details from other health providers, or personal details directly from you or your authorised representative.

The data we hold includes basic personal information about you such as your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts and your GP details.  We may also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.

In addition to the above, we may hold healthcare information about you including:

  • Health notes and reports, including details of treatment and care, Physical and Mental Health conditions, results of investigations and what future care you may require
  • Appointments, visits, emergency appointments
  • Details about any medications you are taking
  • Personal information from people who are carers such as relatives, or health or social care professionals
  • Other personal information such as smoking status, any learning disabilities, and your family, lifestyle and social circumstances
  • Details of your religion and racial or ethnic origin
  • Whether or not you are subject to any protection orders (safeguarding status), Offences, Criminal proceedings Outcomes and sentences.
  • Information from other organisations that are caring for you that we hold in your record, including letters and test results

It is important for us to have a complete picture because:

  • Accurate and up to date information assists us in providing patients with the right care
  • Full information will be readily available in the event you need to see another doctor, or are referred to a specialist or another part of the NHS
  • Accurate and up to date information assists us in providing staff with the information and training required to carry out their role in the Organisation
  • It helps the NHS prepare statistics on its performance and audits of its services, and enables better monitoring of public spending and planning and management of the health service.
  • It improves the Training of NHS healthcare professionals and employees, and assists the NHS in conducting its Research and Development activities

What website information do we collect?

Information about your computer hardware and software is automatically collected. This information can include your IP address, browser type, domain names, access times and referring website addresses. This information is used for the operation of the service, to maintain the quality and provide general statistics regarding use of the SHS websites.

The Organisation or practice websites will disclose your personal information without notice, only if required to do so by law or in the good faith belief that such action is necessary to:

(a) conform to the statutes of the law or comply with legal process served on Symphony Healthcare Services or the sites;

(b) protect and defend the rights or property of Symphony Healthcare Services; and,

(c) act under exigent circumstances to protect the personal safety of users of Symphony Healthcare Services, or the public.

Please keep in mind that if you directly disclose personally identifiable information or personally sensitive data through the Organisation’s public message boards, this information may be collected and used by others. Note: the Organisation does not read any of your private online communications.

Links to other websites: The Organisation encourages you to review the privacy statements of websites you choose to link to from our site so that you can understand how those websites collect, use and share your information. The Organisation is not responsible for the privacy statements or other content on websites outside The Organisation’s family of websites. Therefore we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites.

Collecting personal information on E forms: The Organisation websites do use electronic forms, and these forms enable you to give us feedback about the web site, to give feedback about specific activity; to give feedback as part of a formal consultation; to take part in fundraising activities or giving; to register for an event or activity; to register interest as a member or volunteer; or to provide information regarding accessing/registering at the surgery.

Our Patient Participation Groups (PPG) also have an E Form available to enable patients to join their virtual group and mailing list. Please note that personal information submitted is for the purpose of contributing to and receiving information from the PPG. The information collected from the form is maintained by the Patient Participation Groups themselves. The information provided will be used lawfully, in accordance with GDPR and Data Protection regulations.

Where we are asking for personal information we will always ask you to acknowledge acceptance and understanding of this Fair Collection/Privacy Notice, before the electronic form can be submitted.

Direct Marketing: The Organisation may also use your personally identifiable information to inform you of other products or services available from Symphony Healthcare Services and its affiliates. The Organisation may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered. The Organisation keeps track of the websites and pages our patients visit in order to determine which of our services are the most popular. This data is used to deliver customised content and advertising within to customers whose behavior indicates that they are interested in a particular subject area. You have the right to refuse /withdraw consent to direct marketing at any time.

Use of Cookies: The Organisation website uses “cookies” to help you personalise your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.

One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. For example, if you personalise pages, or register with Symphony Healthcare Services site or services, a cookie helps to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on. When you return to the same Symphony Healthcare Services Web site, the information you previously provided can be retrieved, so you can easily use the features that you customised.

You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Organisation’s services or websites you visit.

You can read more about the cookies used by the Organisation’s web sites by clicking on the Privacy & Usage link at the bottom of the web page.  For more details visit Symphony Healthcare Services website’s Privacy & Cookies Policy – Symphony Healthcare Services and our Terms of use policy – Symphony Healthcare Services.

What do we do with your personal information?






Your records are used to directly, manage and deliver healthcare to you to ensure that:

  • Staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
  • Staff have information they need to be able to assess and improve the quality and type of care you receive.
  • Appropriate information is available, should you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.

The personal information we collect about you may also be used to:

  • Improve the quality and standards of care.
  • Remind you about your appointments and send you relevant correspondence.
  • Review the care we provide to ensure it is of the highest standard and quality through audits or service improvements.
  • Support funding of your care with commissioning organisations.
  • Preparing NHS performance statistics required by The Department of Health or other regulatory bodies.
  • Assist in training and education of healthcare professionals.
  • Report and investigate complaints, claims and untoward incidents, report events to the appropriate authorities when required to do so by law.
  • Review your suitability for research studies or clinical trials.
  • Contact you with regards to patient satisfaction surveys relating to services you have used within The Organisation, so as to further improve our services to patients in future
  • Prevent illness and disease
  • Monitor safety
  • Plan new services
  • Investigate fraud
  • Public Health Screening
  • Research into the development of new treatments.
  • Assist the Care Quality Commission with any investigations.

Where possible, we will always look to minimize and anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis to act otherwise.  All these uses help to provide better health and care for you, your family and future generations.

Sharing Patient Feedback

The Friends and Family Test results and other feedback provided about the service may be used by the practice and organisation anonymously. Publishing free text comments can be a useful way to improve morale and share examples of success. You can opt out of having your anonymised feedback published by contacting [email protected]

Who do we share your information with and why?

The Organisation may share your information for health purposes with other NHS organisations, e.g. health authorities, NHS Organisations, NHS Trusts, general practitioners (GPs), ambulance services, NHS England, Public Health England and other NHS common services agencies such as primary care agencies.   We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.  Examples include:

·         NHS Digital, on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services – we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations and our legal duty under s259 Health and Social Care Act 2012. For further information about how NHS Digital looks after your data follow this link.

·         [Effective July 2021] NHS Digital has issued a DPN (data provision notice) as part of the development of GPDPR (GP data for planning and research). This is a planned replacement for the GPES (GP extraction service) to collect data for planning and research from general practices in England. This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research.”

·         Clinical Commissioning Groups Information may be shared with a Clinical Commissioning Group where it is necessary for them to comply with their legal duties. Please also see the Somerset Clinical Commissioning Group’s Privacy Notice.

For your benefit, we may also need to share information from your health records with non-NHS organisations, from which you are also receiving care, such as social services or private healthcare organisations. However, we will not disclose any health information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.

A new service called SIDeR (Somerset Integrated Digital electronic Record) is being rolled out across Somerset over the next few years to allow GP practices, hospitals and Social Care to securely view your health and care information. SIDeR will help us to link up our existing IT systems that record and securely store your information, so that medical and care staff can view your information to help them deliver better and safer care for you. For example, they will be able to see what medications you’re taking, what allergies you have and what appointments you have coming up. If you have a care plan in place, they will also be able to see this to understand what your exact needs are.

We may also be asked to share basic information about you, such as your name and address, which does not include sensitive information from your health records. Generally, we would do this to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Fair Processing Notice, under the Data Protection Act.

Where patient information is shared with or processed by other non-NHS organisations, an information sharing agreement is drawn up to ensure information is managed in a way that complies with relevant legislation. These non-NHS organisations may include, but are not restricted to: social services, education services, local authorities, the Police, voluntary sector providers and private sector providers.

Symphony Healthcare Services does not sell, rent or lease its customer lists to third parties. From time to time we may contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is not transferred to the third party. In addition, Symphony Healthcare Services may share data with organisational partners to help us perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to Symphony Healthcare Services, and they are required to maintain the confidentiality of your information under data processing agreements. Information may sometimes be shared with system suppliers for the purposes of maintenance.

There are occasions where the Organisation is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.  There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. the Driver and Vehicle Licencing Agency, the General Medical Council, Her Majesty’s Revenue and Customs and Counter Fraud services). In these circumstances we will always try to inform you before we are required to disclose and we only disclose the minimum information that the law requires us to do so.

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.

The Organisation is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Organisation in confidence will only be used for the purposes explained to you and to which you have consented. Unless, there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so.  Where there is cause to do this, the Organisation will always do its best to notify you of this sharing.

How we maintain your records

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the Data Protection Act 2018 (subject to Parliamentary approval) as amended by the GDPR, as explained above.  In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.  Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. This will be noted in your records.

We have a duty to:

  • maintain full and accurate records of the care we provide to you
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

The Organisation is committed to securing your personal information from unauthorised access, use or disclosure, and secures it on computer servers in a controlled, secure environment, protected from unauthorised access, use or disclosure.

All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained. We do not keep your records for longer than necessary.

All records are destroyed confidentially once their retention period has been met, and the Organisation has made the decision that the records are no longer required.

If you move to a new practice, your record will be transferred.  If the practice you have left need to access your record, for example to deal with a historic complaint, they will let you know.

What are your rights?

Records are kept for the lifetime of the patient. If you move to a new practice, your record will be transferred. If the practice you have left need to access your record, for example to deal with a historic complaint, they will let you know. When information has been identified for destruction or deletion it will be disposed of using approved confidential disposal procedures.

Data Protection law gives you significant rights over the use of your personal data. The most important is the right to make a “Subject Access Request” for access to the information we hold, usually by being provided with a copy. Further details are provided below.

Your other rights include:

·         Rectification: a right to ask us to change any personal data which is wrong

·         Erasure: a right to ask us to delete any personal data we hold. This is sometimes referred to as “the right to be forgotten”

·         Restriction: a right to ask us not to process your information for certain purposes. There is also a specific right to ask us not to use your contact details for marketing purposes.

·         Objection: a right to object to some types of processing based on your own individual circumstances

·         Data portability: the right to receive your information in a specific form so that it can be used by another organisation. However this right usually only applies where we are processing information by consent so it does not apply to medical records. For more information please see the Information Commissioner’s website.

These rights are not absolute (other than prevention of marketing) and will not apply in all circumstances. For example, you do not have a right to insist that we delete your medical records as we have a legal duty to keep them. For more information about your rights please see:

If you wish to exercise any of the rights other than a Subject Access Request please contact the Organisation’s Data Protection Officer.

You also have a right to complain to the Information Commissioner if you are in any way unhappy with the way we have processed your personal information or allowed you to exercise your rights. Please see:

Subject Access Requests

GDPR gives you the right to access the information we hold about you on our records. For medical records requests should be made in writing to the practice. The practice will provide the information to you within one month of receipt of your request and sufficient information to identify you. There is no charge but the organisation reserves the right to make a reasonable administrative charge in the case of requests which are manifestly unfounded or excessive, in particular because of their repetitive character.

It is possible for you to make requests on behalf of children you are responsible for and in some cases for adults e.g. where you have their specific authority or a Power of Attorney or they are incapable of making their own request.

There are some safeguards regarding what you will have access to and you may find information has been removed for the following reasons.

·                Where your doctor has decided that some information may cause significant harm to you or someone else

·                Where the information is about someone else (third party) and is confidential to them

If you would like to access your GP record online visit our website for more information.


If you think that the data we hold on you is inaccurate or incomplete you may ask us to rectify or complete it. You can make your request by contacting the practice. We will tell you within one month what action we intend to take in response to your request.


Under GDPR you sometimes have a right to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. You can make your request by contacting the Organisations’s Data Protection Officer. We will tell you within one month what action we intend to take in response to your request. However this right does not apply to many of our key data holdings such as health records and employees’ records as we are keeping such records as part of our legal duties. For a full explanation of the right and when it applies please see the Information Commissioner’s website.


This is closely linked to other rights. You have the right to restrict processing in limited circumstances for example if you think our data is inaccurate and you want to limit what we do with it until we have considered rectification (see above). You can make your request by contacting the Organisation’s Data Protection Officer. We will tell you within one month what action we intend to take in response to your request.


You have a general right to object to our processing your personal data if we are processing your information for direct marketing. We will always respect such an objection. You also have a right to object on “grounds relating to your particular situation” when we are processing your personal data:

·         On the basis of our legitimate interests or the performance of a task in the public interest/exercise of official authority. This would include our processing of medical records and employee records; or

·         For purposes of scientific/historical research and statistics.

In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. as part of a local/regional data sharing initiative). This ‘National Data Opt-out’ enables patients to opt-out from the use of their personal confidential data for research or planning purposes.  To find out more or to register to opt out, please visit

For example, someone might object to us sharing identifying or address information if they were on a witness protection program. We can refuse to uphold an objection, if it is not based on their particular situation or in any event on compelling grounds – for example to save the life of a child of the person on the witness protection program.

You can make your request by contacting the Organisation’s Data Protection Officer. We will tell you within one month what action we intend to take in response to your request.  If you have any concerns about use of your data not covered by the National Data Opt out, please contact the practice.

For a full explanation of the right and when it applies please see the Information Commissioner’s website.

If you wish to obtain a copy of the Organisation’s Data Protection Policy which covers individual rights, raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

Change of details

It is important that you tell us as soon as you can if any of your details such as your name or address, email address or mobile number have changed.  This is to make sure no information about you is sent to an old address.

Use of Mobile Telephone Number

If you provide us with your mobile phone number, we may use this to send you text reminders about your appointments or other health screening information.  Please let us know if you do not wish to receive text reminders on your mobile.

Use of Email Addresses

Where you have provided us with your email address we will use this to send you information relating to your health and the services we provide.  If you do not wish to receive communications by email, please let us know.

Data Protection Officer

SHS Data Protection Office:

Louise Coppin,

[email protected]

01823 344199

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the body that regulates the Organisation under Data Protection and Freedom of Information legislation.  If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the. ICO at:

Information Commissioner’s Office

Wycliffe House

Water Lane




Tel: 0303 123 1113 (local rate) or 01625 545 700 if you prefer to use a national rate number

Email: [email protected]

Changes to this statement

Symphony Healthcare Services Limited will occasionally update this Privacy Notice to reflect the law and feedback received. You are encouraged to periodically review this notice on our website to be informed of how Symphony Healthcare Services is protecting and using your information.

Appendix 1: Data Sharing/Usage List

The following table builds upon the information in our Data Privacy Notice and is published to ensure transparency.  This list is not exhaustive.  Where the offering of a service to a patient will inform them about the sharing of their data, e.g. support from smoking cessation services, it is not necessarily included here.  This list does not set out uses of anonymous data where identity has been completely removed (such as anonymised data to the Department for Work and Pensions on provision of ‘fit notes’).


Organisation/ Activity Relevant to surgery

[Y / N]

Shared Care Records – Somerset Integrated Digital electronic Record (SIDeR)


[] Purpose – To ensure you receive effective, safe care, we will, through digital means enable your record to be available to those providing your care in whichever care setting you are seen, such as an A&E attendance, a physiotherapy appointment, a social care needs assessment.

In order to achieve this, the aim of Shared Care Records is to enable health and care staff to view your information, to save valuable time in getting you the right treatment. Your information will only be available to the staff involved in your direct care, and not at any other time, or for any other reason.

Further information can be found here

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Processor – Black Pear

Summary Care Record [] Purpose – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable. Further information can be found here

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Controller of summary care record data – NHS Digital

Test requests and results [] Purpose – Some basic identifying details, the type of test requested and if required any relevant health information is shared with Pathology Laboratories when tests such as blood or urine tests need to be undertaken.  The laboratory will also hold the details of the request and the result.  The result/report will be sent electronically to the practice who will hold it in the patient’s record.

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Controller of test data – The laboratory that process the request and result are a controller of the data generated by the test process.

Research [] Purpose – We may share personal confidential or anonymous information with research companies. Where you have opted out of having your identifiable information shared for this purpose then it will not be used.  Details on how to opt out are here.

Legal Basis – consent is required to share confidential patient information for research, unless there is have support under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales

The organisation leading the research will be the controller of data disclosed to them.

Individual Funding Requests [] Purpose – We may need to process your personal information where we are required to apply for funding for a specific treatment for you for a particular condition that is not routinely available.

Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time.  If you are happy for the request to be made, the basis for processing your data is:  Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Your data will be disclosed to the Clinical Commissioning Group who manages the individual funding request process.

Child Health Information Service [] Purpose – We wish to make sure that your child has the opportunity to have immunisations and health checks when they are due. We share information about childhood immunisations, the 6-8 week new baby check and breast-feeding status with health visitors and school nurses.

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Controller to which data is disclosed:  Health Intelligence Ltd

Risk Stratification – Preventative Care [] Purpose – ‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

Information about you is collected from a number of sources including NHS Trusts and your GP Practice. A risk score is then arrived at to help us identify and offer you additional services to improve your health.

In addition, data with your identity removed is used to inform the development and delivery of services across the local area.

If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013)) and this approval has been extended to the end of September 2020 NHS England Risk Stratification  which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

Controller to which data is disclosed:  NHSE/CCG*

(NB identifiable data is not disclosed to other controllers)

*In 2013 NHS England gained approval from the Secretary of State, through the Confidentiality Advisory Group for its application for the disclosure of Secondary Use Services (SUS), commissioning data sets (approved under CAG 2-03(a)/2013) and GP data for risk stratification purposes to data processors working on behalf of GPs and CCGs.

The application was made by NHS England on behalf of GPs and CCGs, as the relevant data controllers. It will enable GPs, supported by Clinical Commissioning Groups (CCGs), to target specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate interventions.  It will also support Commissioners to understand service use and to target interventions to improve care pathways.

In August 2020, NHS England applied to the Confidentiality Advisory Group for an extension of the Risk Stratification CAG approval which was due to expire at the end of September 2018. The Confidentiality Advisory Group has confirmed that support for the use of GP’s and CCGs Secondary Use Data can continue risk stratification purposes until the end of September 2022.

Clinical Digital Tools [] Purpose – A variety of clinical digital tools are used at GP practices to support clinicians managing patients with very specific conditions or to identify patients who may be at risk of health conditions in the future. These digital tools enable clinicians to focus on preventative care or very specialist care for specific conditions.

Prior to introducing clinical digital tools to NHS services, a strict process of assessment is undertaken to ensure that NHS criteria are met – Digital technology assessment criteria.

Where relevant to use of a digital tool, your patient information is collected from your record held at the GP practice. This data is processed by the authorised third-party supplier and the results are made available to the healthcare professional at the Practice and linked to your patient record.

The use of clinical digital tools is often linked with ‘risk stratification for case finding’ (please see above section) enabling resources to be used efficiently and effectively for patient care in GP practices.

Although digital technology is used to support healthcare professionals in their work, decisions about patient care are made by a person and not automated.

Digital support tools are being developed/updated and introduced to NHS services regularly. Examples that may be used in GP practices are:


·         Support for anticoagulation management plans and medications for a specific cohort of patients

·         A clinical decision support tool to identify potential patients who may benefit from additional health care services or support to help keeping them well and avoiding admission to hospital

·         A clinical decision support tool that identifies patients at higher risk of cancer at the earliest stage

We will use and share your information using these digital tools for your direct care purposes.

If you have concerns about how your data is used, please let us know, noting if you do object this may limit our ability to identify if you have or are at risk of developing certain serious health conditions or be included in specialised monitoring of specific conditions.


Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Population Health Management [] Purpose – Health and care service providers across Somerset work together as ‘Integrated Care Systems’ (ICS) and are sharing data in order to:


·         Understanding the health and care needs of the care system’s population, including health inequalities

·         Provide support to where it will have the most impact

·         Identify early actions to keep people well, not only focusing on people in direct contact with services but, looking to join up care across different partners.


Type of Data – Identifiable/Pseudonymised/Anonymised/Aggregate Data. NB only organisations that provide your individual care will see your identifiable data.

Legal Basis – Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) Provision of health and care


Processor to which data is disclosed: South West Central Commissioning Support Unit and Optum.


Population Health Management also incorporates the use of risk stratification tools as an integral part of the purpose (please see the risk stratification section of this notice above).

Public Health

Screening programmes (identifiable)

Notifiable disease information (identifiable)

Smoking cessation (anonymous)

Sexual health (anonymous)

[] Purpose – The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. Personal identifiable and anonymous data is shared.  More information can be found at:

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Controller to which data is disclosed:  Public Health Services (England). Local Data Controllers may include Somerset District Council, SWISH Services

NHS Trusts [] Purpose – Personal information is shared with Hospitals, Community Services, Mental Health Services and others in order to provide you with care services. This could be for a range of services, including treatment, operations, physio, and community nursing, ambulance service.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Controller to which data is disclosed:  Yeovil District Hospital NHS Foundation Trust, Somerset NHS Foundation Trust, Dorset County Hospital NHS Foundation Trust

Care Quality Commission [] Purpose – The CQC is the regulator for the English Health and Social Care services to ensure that safe care is provided. They will inspect and produce reports back to the GP practice on a regular basis. The Law allows the CQC to access identifiable data but only where it is needed to conduct their services.

More detail on how they ensure compliance with data protection law (including GDPR) and their privacy statement is available on CQC website:

Legal Basis – Article 6(1)c “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)h ‘management of health and care services’

Controller data is disclosed to – Care Quality Commission

Payments [] Purpose – Payments to the practice come in many different forms.  Some payments are based on the number of patients that receive specific services, such as diabetic reviews and immunisation programmes. In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services, this data contains limited identity if needed, such as your NHS number. The release of this data is required by English laws.

Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)(h) ‘as stated below

Controllers that data is disclosed to – NHS England, CCG, Public Health

Patient Record data base support [] Purpose – The practice uses electronic patient records.  Our supplier of the electronic patient record system is EMIS Ltd

Our supplier does not access identifiable records without permission of the practice and this is only given where it is necessary to investigate issues on a particular record

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.

Medicines optimisation [] Purpose – We use software packages linked to our patient record system to aid when prescribing drugs. These ensure that prescribing is effective.  We do not share your identifiable data with the companies that provide these packages

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Multi-Disciplinary Teams [] Purpose – We work closely with a range of other care providers to deliver the best care possible for you.  Multi-disciplinary teams are our way of bringing together care providers for conversations in a confidential environment about care arrangements for you where this is appropriate.  For example, if you have a number of long term conditions and would benefit from additional support.  Where possible, we will inform you that your care will be discussed in this type of forum.  However, if this may not always be possible and in these circumstances, we will consider your best interests and will share information on this basis.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Clinical Audit [] Purpose – Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long term conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.

Controller – Somerset Clinical Commissioning Group

National Fraud Initiative – Cabinet Office [] Purpose – The use of data by the Cabinet Office for data matching is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information see:

NFI activities vary each year, so data would only be disclosed if required by the focus of their activities

Legal Basis – Part 6 of the Local Audit and Accountability Act 2014

Controller – Cabinet Office

National Registries [] Purpose – National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Legal Basis – Section 251 of the NHS Act 2006

Police [] Purpose – The police may request information in relation to on-going enquiries, all requests are reviewed and only appropriate information will be shared under legislation.

Legal Basis

Article 6(1)e – task carried out in the public interest

Article 9(2)c – Vital Interests

Article 9(2)f – Legal claims or judicial acts

Article 9(2)g – Reasons of substantial public interest

Controller disclosed to – Police

Anticoagulation [] Data held for the purposes of anticoagulation management is currently held within the INRstar Anticoagulation Management system and a planned migration of this information from its current location to a new cloud-first technology is scheduled for 25th-27th June 2021 by LumiaDx Care Solutions.

The data residency of the information will remain in England in a UK government approved data centre. The data will not be modified in any way, and the way it is processed will remain the same following migration.

The privacy policy and data protection impact assessment relating the migration can be found here:

Advanced Care Planning [Marie Curie] [] Purpose –

The practice will search health records for specific and pertinent diagnosis and use this information to invite you to self-refer to participate in advance care planning. The only data that we share with Marie curie is your basic contact details such as telephone number or email address so that you are not invited twice and can be contacted to remind you of the service offer. Advanced Care Planning is recorded on the SiDER service described above. If you are not interested in participating when offered, there will be no effect on your care from the practice.

Marie Curie Privacy Notice

Your security

Legal Basis –

Article 6(1)(e) “processing is necessary to perform a task in the public interest’. And Article 9(2)(h) ‘management of health and care services’

Medi2Data [] Purpose –

The practice uses Medi2Data to undertake private non-NHS work for patients on its behalf.

All private work is discretionary as it does not form part of the NHS contract [] and therefore using Medi2Data enables the work to be completed for patients at a time when the surgery cannot commit to undertaking work outside of its main duties.

The data processed will be dependent on the private work request of the patient.

Legal basis –

Article 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

Doctaly [] Purpose –

The practice may be using Doctaly to support patients review and monitor their long term health conditions. This service is run through whatsapp. Patients will be asked whether they wish to participate in the service.

Initially the patients name and number will be processed.

Legal basis –

Article 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes