Privacy Notice

We understand how important it is to keep your personal information safe and secure and we take this very seriously.

We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

Why we are providing this privacy notice?

We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store and hold about you.

If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please do contact our Data Protection Officer (details below).

The Law says:

1. We must let you know why we collect personal and healthcare information about you;
2. We must let you know how we use any personal and/or healthcare information we hold on you;
3. We need to inform you in respect of what we do with it;
4. We need to tell you about who we share it with or pass it on to and why; and
5. We need to let you know how long we can keep it for.

The Data Protection Officer

The Data Protection Officer at the Surgery is Barry Moult. You can contact them by writing to:

Data Protection Officer

Rothschild House Surgery
Chapel Street
Tring
HP23 6PU

• You have any questions about how your information is being held;
• If you require access to your information or if you wish to make a change to your information;
• If you wish to make a complaint about anything to do with the personal and healthcare information we hold about you;
• Or any other query relating to this Policy and your rights as a patient.

About Us

We, at the Rothschild House Group (‘the Practice”) situated at Rothschild House Surgery, Tring, HP23 6PU; The New Surgery, Tring, HP23 5AE; Berkhamsted Surgery, HP4 1DL; Pitstone Surgery,  LU7 9AX and Markyate Surgery, AL3 8LJ, are a Data Controller of your information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient. We are registered with the Information Commissioners Office – registration reference Z6581704.

There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

Information we collect from you

The information we collect from you will include:

1. Your contact details (such as your name and email address, including place of work and work contact details)
2. Details and contact numbers of your next of kin
3. Your date of birth, gender, ethnicity
4. Details in relation to your medical history
5. The reason for your visit to the Surgery
6. Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the Practice involved in your direct healthcare
7. Clinical history
8. Medications
9. Test results and investigations
10. Health plans and alerts
11. Mental health alerts and diagnoses
12. Social care information
13. Emergency and out-of-hours treatment
14. Social care plan
15. Dates of future and past appointments and the clinicians you have seen
16. The reasons for your visits to the Surgery

Information about you from others

We also collect personal information about you when it is sent to us from the following:

1. A hospital, a consultant or any other medical or healthcare and social care professional, or any other person involved with your general healthcare
2. Firearms applications
3. Court orders
4. DWP, DVLA or similar Government correspondence requesting medical information

Your Summary Care Record

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.

This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

For further information see our Summary Care Record Policy

Who we may provide your personal information to, and why

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment.

This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in proving better care to you and your family and future generations.

However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs.

It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:

1. Hospital professionals (such as doctors, consultants, nurses, etc.);
2. Other GPs/Doctors;
3. Pharmacists;
4. Nurses and other healthcare professionals
5. Dentists;
6. Community Services
7. Out of Hours Services
8. Ambulance Services
9. Any other person that is involved in providing services related to your general healthcare, including mental health professionals.

Other people who we provide your information to:

• Commissioners
• Local authorities
• Community health services
• For the purposes of complying with the law e.g. Police, Solicitors, Insurance Companies
• Anyone you have given your consent to, to view or receive your record, or part of your record

Data Extraction by the commissioners (ie the Integrated Care Board (ICB)) - the ICB at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.

There are good reasons why the ICB may require this pseudo-anonymised information, these are as follows:

• To assist in analysing current health services and proposals for developing future services.
• To develop risk stratification models to help GP's to identify and support patients with long term conditions and to help to prevent un-planned hospital admissions or reduce the risk of certain diseases developing, such as diabetes.
• Using risk stratification to help the CCG to understand the health needs of the local population in order to plan and commission the right services.

The ICB may commission 3rd party organisations to carry out this process on their behalf.

Anonymised information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

Sharing Your Health Records

NHS England uses information about patients (patient data) to research, plan and improve:

• the services they offer
• the treatment and care patients receive

NHS England get this data from your GP surgery, hospitals and other healthcare providers. To help improve services, NHS England shares this data with researchers from organisations such as universities or hospitals. This type of data-sharing has been happening for many years. All data that is collected and shared is protected by strict rules around privacy, confidentiality and security. NHS England never sell patient data or share it with insurance or marketing companies.

To stop the Practice from sharing your data - This is called a Type 1 opt-out.

To do this you need to complete our Type 1 opt-out form

If you choose a Type 1 Opt-out, we will not share your data for research and planning. However, the NHS will still be able to collect and share data from other healthcare providers, such as hospitals.

To stop NHS England and other health and care organisations from sharing your data for research and planning - This is called the National Data Opt-out (previously known as Type 2 Opt-out)

• To opt out online or find out more, visit Make your choice.
• If you choose this opt-out, the NHS and other health and care organisations will not be able to share any of your personal data with other organisations for research and planning, except in certain situations. For example, when required by law.
• If you want to check if you have opted out, you can enter your details again at Make your choice or check your settings in the NHS App.

For more information please see the NHS website

OpenSAFELY COVID-19

NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.

Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.

Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.

Patients who do not wish for their data to be used as part of this process can register a Type 1 opt out.

Here you can find additional information about OpenSAFELY.

Use of third party software and devices

The Practice uses accredited 3rd party medical software and medical devices to process information in the normal course of its business in providing medical care to you. Personal and medical information collected using these is transferred to your medical record.

Data Privacy Impact Assessments (DPIA) are undertaken as appropriate. DPIAs are a legal requirement where the processing of personal data is “likely to result in a high risk to the rights and freedoms of individuals”. By completing a DPIA we can systematically analyse our processing to demonstrate how we will comply with data protection law and in doing so identify and minimise data protection risks.

Medical software and medical devices used include:

• eConsult (Patient Online consultation tool)
• Hero Health (Patient appointment online booking tool)
• AccuRX (SMS and email tool)
• Heidi AI (Medical Scribe tool)
• Lexacom (GP Dictation tool)

Your rights as a patient

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

Access and Subject Access Requests

You have a right to view or obtain copies of information the Practice holds about you and to have it amended if it is inaccurate. For information from a hospital or any other provider, you should write directly to them.

For further details and how to request a SAR please see our Subject Access Requests page

Online Access

You may ask us if you wish to have online access to your medical record (ie to the NHS App). However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.

When we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

Correction

We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.

Removal

You have the right to ask for information to be removed however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.

Objection

We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way. Please note the Anonymised Information section in this Privacy Notice.

Transfer

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.

Third parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.

How we use the information about you

We use your personal and healthcare information in the following ways:

• when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or on going healthcare;
• we participate in the My Care Record programme to help ensure that health and care professionals directly involved in a patient’s care have access to the most up-to-date information about them.

My Care Record will provide health and social care professionals directly involved in your care, access to the most up-to-date information about you and will provide better, joined-up care for our patients in west Hertfordshire.

Currently, you will be asked at the point of treatment whether your information can be accessed by a clinician or health and care professional. My Care Record does not share your record, but provides health and care clinicians and professionals’ access to view information relevant to your care and treatment. Allowing access to your record will ensure that health and social care professionals have an overview of your care in order to make the best decisions about your diagnosis and treatment.

You can opt out, but this will mean we won’t be able to see your history (eg what medications you are on or what long term conditions you have) to provide the best possible care. You are in control and can change your mind at any time to limit who accesses your information and for what time period. Third parties, private companies or health and care staff not directly involved in your care will not be able to access your record.

Further information about My Care Record can be found on our practice website

• When we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement.
• We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

Research Projects – Practice based

We are part of a network of General Practices in Hertfordshire who host medical research on a regular basis.

Patients registered with this Practice have an opportunity to help shape the future of health care by taking part in research projects. From time to time we may invite you to participate in a research project. Contacting you in this way we consider to be a “Public Task” (see below). However, you will not be enrolled to participate in a research project without your explicit consent.

Legal justification for collecting and using your information

The Law says we need a legal basis to handle your personal and healthcare information.

Contract

We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.

Consent

Sometimes, we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs.

Note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.

Necessary care

Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.

Law

Sometimes the Law obliges us to provide your information to an organisation (see above).

Public task

Sometimes we have reason to perform a task in the public interest, which has a clear basis in law.

Special categories

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

Public interest

Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.

Consent

When you have given us consent.

Vital interest

If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment).

Defending a claim

If we need your information to defend a legal claim against us by you, or by another party.

Providing you with medical care

Where we need your information to provide you with medical and healthcare services.

How long we keep your personal information

We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.

Complaints

If you have a concern about the way we handle your personal data or you have a complaint about what we are doing, or how we have used or handled your personal and/or healthcare information, please contact our Data Protection Officer.

However, you have a right to raise any concern or complaint with the UK information regulator, at the Information Commissioner’s Office.

Our website

The only website this Privacy Notice applies to is the Practice’s website. If you use a link to any other website from the Practice’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

Cookies

The Surgery’s website uses cookies. For more information on which cookies we use and how we use them, please see our Cookies Policy.

Security

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems, and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

Text messaging and contacting you

Because we are obliged to protect any confidential information we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up-to-date details. This is to ensure we are sure we are contacting you and not another person.

Changes to our privacy notice

We regularly review and update our Privacy Notice. This Privacy Notice was last updated on 17th October 2025