Data Protection Privacy Notice



This privacy notice lets you know what happens to any personal data
that you give to us, or any that we may collect from or about you.
This privacy notice applies to personal information processed by or on
behalf of this company.

This Notice explains:

  • Who we are, how we use your information and our Data Protection Officer
  • What kinds of personal information about you do we process?
  • What are the legal grounds for our processing of your personal information (including when we share it with others)?
  • What should you do if your personal information changes?
  • For how long your personal information is retained by us?
  • What are your rights under data protection laws?

The General Data Protection Regulation (GDPR) became law on 24th May 2016. This is a single
EU-wide regulation on the protection of confidential and sensitive information. It enters into
force in the UK on the 25th May 2018, repealing the Data Protection Act (1998).

For the purpose of applicable data protection legislation (including but not limited to the General
Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and the Data Protection
Act 2018 (currently in Bill format before Parliament) the company responsible for your personal
data is GP First.

This Notice describes how we collect, use and process your personal data, and how, in doing so,
we comply with our legal obligations to you. Your privacy is important to us, and we are
committed to protecting and safeguarding your data privacy rights

How we use your information and the law

GP First will be what’s known as the ‘Controller’ of the personal data you provide to us.

We collect basic personal data about you which does not include any special types of information
or location-based information. This does however include name, address, contact details such as
email and mobile number etc.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in
accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality

We will not disclose your information to any third party without your permission unless there are
exceptional circumstances (i.e. life or death situations), or where the law requires information to
be passed on.

Our policy is to respect the privacy of our providers and our staff and to maintain compliance
with the General Data Protection Regulations (GDPR) and all UK specific Data Protection
Requirements. Our policy is to ensure all personal data will be protected.

All employees and sub-contractors engaged by us are asked to sign a confidentiality agreement.
We will, if required, sign a separate confidentiality agreement if the client deems it necessary. If
a sub-contractor acts as a data processor for us then an appropriate contract (art 24-28) will be
established for the processing of your information.

In certain circumstances you may have the right to withdraw your consent to the processing of
data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent.
If some circumstances we may need to store your data after your consent has been withdrawn to
comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do
this, we take strict measures to ensure that individual patients cannot be identified. Sometimes
your information may be requested to be used for research purposes – we will always gain your
consent before releasing the information for this purpose in an identifiable format. In some
circumstances you can opt-out of us sharing any of your information for research purposes.

With your consent we would also like to use your information

We would however like to use your name, contact details and email address to inform you of
services that may benefit you, with your consent only. There may be occasions were authorised
research facilities would like you to take part on innovations, research, improving services or
identifying trends.

At any stage where we would like to use your data for anything other than the specified
purposes and where there is no lawful requirement for us to share or process your data, we will
ensure that you have the ability to consent and opt out prior to any data processing taking place.
This information is not shared with third parties or used for any marketing and you can
unsubscribe at any time via phone, email or by informing the DPO as below.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK however for the purposes of
IT hosting and maintenance this information may be located on servers within the European

No third parties have access to your personal data unless the law allows them to do so and
appropriate safeguards have been put in place. We have a Data Protection regime in place to
oversee the effective and secure processing of your personal and or special category (sensitive,
confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used,
with the following organisations;

  • NHS Trusts / Foundation Trusts
  • GP’s
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers
  • Private Sector Providers
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for
this happen when this is required.

We may also use external companies to process personal information, such as for archiving
purposes. These companies are bound by contractual agreements to ensure information is kept
confidential and secure. If a sub-contractor acts as a data processor for GP First, an appropriate
contract (art 24-28) will be established for the processing of your information.

How long will we store your information?

We are required under UK law to keep your information and data for the full retention periods as
specified by the NHS Records management code of practice for health and social care and
national archives requirements.

More information on records retention can be found online at

You can download a copy of this privacy policy here GP First GDPR Privacy Notice.