Privacy Notice

The Albion Health Centre is a registered healthcare provider with the Care Quality Commission; we are situated at Whitechapel GP practice location:

The Albion Health Centre
333 Whitechapel Road
London
E1 1BU

We are also part of the East End Health Primary Care Network. 

As a registered patient or service user at our GP practice, we understand how important it is to keep your personal and healthcare information safe and secure, and we take this very seriously. We have taken steps to make sure your information is looked after in the best possible way, and we review this regularly. 

When we use your personal information, we must ensure that the use is lawful, fair and transparent and complies with all the other principles and requirements of the UK General Data Protection Regulation (UK GDPR). Please read this privacy notice carefully, as it contains important information about how we use the personal information we collect about you. 

If you are a person with legal responsibility of a registered patient or service user such as a parent or carer, or you are a named next of kin, please also read this privacy notice. 

What is a privacy notice? 

A privacy notice explains the personal information (also known as personal data) we collect about our patients and service users and how it is used. Being open and providing clear information to patients about how we use your personal information is an essential requirement of the UK GDPR. 

Under the UK GDPR, we must use personal information in a fair and lawful manner. This applies to everything that is done with a patient’s personal information. This means that the GP practice must: 

• Have lawful and appropriate reasons for the use or collection of personal information 
• Not use the information in a way that may cause harm to the individuals (e.g. improper sharing of their information with third parties) 
• Be open about how the information will be used and provide appropriate privacy notices when collecting personal information 
• Handle personal information in line with data protection legislation and guidance 
• Not use the collected information inappropriately or unlawfully.

Our data controller contact details 

The Albion Health Centre is the data controller of your personal information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient or service user. 

The purposes for which we use your information are set out in this privacy notice. 

We are registered with the Information Commissioner; our registration number is Z5210536.

You should contact our Practice Manager if you have a question about your personal information.

Data Protection Officer Contact Details 

Our Data Protection Officer is the NHS NEL GP practice Data Protection Officer (DPO) and is responsible for monitoring our compliance with data protection.

You can contact our DPO with queries or concerns relating to the use of your personal information:

NHS NEL GP DPO 
NHS North East London Integrated Care Board  

Telephone: 0300 303 6778

Subject Access Requests (SARs) should be made in writing our Practice Manager and will be handled by the GP practice administration team.

Personal information we collect from you

The information we collect from you will include: 

• Your contact details (such as your name and email address, including place of work and work contact details)
• Details and contact numbers of your next of kin or emergency contacts 
• Your date of birth, gender, ethnicity 
• Details in relation to your medical history 
• The reason for your visit to the GP practice 
• Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the GP practice or Primary Care Network involved in your direct healthcare. 

Personal information we collect from third parties 

When you register with our GP practice, we will receive your GP medical records if you were registered with another practice. 

Whilst registered with us, we also collect personal and healthcare information about you when it is sent to us from a hospital, a consultant or any other medical or healthcare professional, or any other person involved with your healthcare. 

We may also receive personal information from other organisations, such as: 

• Your employers
• Law enforcement e.g. police 
• Courts e.g. court order 
• Border control and immigration 
• Social services 
• Insurance companies
• Community-based support organisations.

Special category information we collect about you 

Personal information about your health falls into a special category of information because it is very sensitive. 

When we receive your personal and healthcare information, either from you or a third party, in addition to the health information, it may contain other special category information. 

Special category information is personal information revealing your: 

• Racial or ethnic origin 
• Political opinions 
• Religious or philosophical beliefs 
• Trade union membership 
• Genetic data 
• Biometric data (where used for identification purposes) 
• Health 
• Sex life 
• Sexual orientation

How we use your personal information and special category information 

We use your personal and healthcare information in the following ways: 

• To provide you direct healthcare. 
• When we refer you to another health and care service.
• When we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or ongoing healthcare. 
• When we receive a complaint or legal claim from you. 
• When we are required by law to share your information to another organisation, such as other organisations within the North East London Integrated Care System, government bodies, the police, by court order, solicitors, or immigration enforcement. 
• When we receive data sharing access requests from other organisations for the purposes of your direct healthcare, clinical audits or for research and planning. 

We will never pass on your information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

The legal justification for using your personal information and special category information

Common Law Duty of Confidentiality

When we use your healthcare information, in addition to complying with data protection law, we are also obliged to follow the common law duty of confidentiality. This means that when you share your health and care in confidence it must not be disclosed without some form of legal authority or justification. We satisfy this requirement by relying on your implied consent to provide you care, and will ask you for your explicit consent for any other uses where we do not have a lawful basis.

Third parties mentioned in your GP medical records 

Sometimes we will record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to privacy and confidentiality, are removed before we send any information to any other party including yourself.

Third parties can include (but not limited to): spouses, partners, and other family members.

Data Sharing

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible healthcare and treatment. 

This information may be passed to other approved organisations where there is a legal basis, to help with planning health and care services, improving care, research into developing new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations. 

However, as explained in this privacy notice, confidential information about your health and care is only used where it is allowed by law, and it would never be used for any other purpose without your explicit consent.

Data Sharing for Direct Healthcare

Data sharing with healthcare organisations and people for your healthcare

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you: 

• Hospital professionals (such as doctors, consultants, nurses, etc.) 
• Other GPs/Doctors 
• Pharmacists 
• Nurses and other healthcare professionals 
• Dentists 
• Any other person that is involved in providing services related to your general healthcare, including mental health professionals, community based-support organisations, and private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc. 

We may also share your personal information at Multi-Disciplinary Team (MDT) meetings and clinics about your care and treatment. MDTs are a group of health and care professionals from various disciplines and organisations who collaborate to make decisions about patient care.

Your NHS Summary Care Record (SCR) 

The Summary Care Record (SCR) is a national database that holds electronic records of important patient information such as current medication, allergies and details of any previous bad reactions to medicines, created from GP medical records. It can be seen and used by authorised staff in other areas of the NHS health and care system involved in your direct care. 

Learn more about the SCR. Please visit the NHS England website

As a registered patient you will already have a SCR, unless you have previously chosen not to have one. The record will contain key information about the medicines you are taking, allergies you suffer from and any adverse reactions to medicines you have had in the past. You can also wish to share further medical information that includes: your significant illnesses and health problems, operations and vaccinations you have had in the past, how you would like to be treated (such as where you would prefer to receive care), what support you might need and who should be contacted for more information about you. 

Information about your healthcare may not be routinely shared across different healthcare organisations and systems. You may need to be treated by health and care professionals that do not know your medical history. Essential details about your healthcare can be difficult to remember, particularly when you are unwell or have complex care needs. 

Having a SCR can help by providing healthcare staff treating you with vital information from your health record. This will help the staff involved in your care make better and safer decisions about how best to treat you. 

As a patient you have the right to opt-out from your SCR being shared with other healthcare organisations. If you wish to enquire further as to your rights in respect of not sharing information on this record, then please contact our Practice Manager. You can opt-in again at any time.

GP Connect Access Record

We use an NHS IT service called GP Connect to support your direct healthcare. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care. 

Authorised clinicians such as GPs, NHS 111 clinicians, care home nurses (if you are in a care home), secondary care trusts (hospitals) and social care clinicians are able to access the GP records of the patients they are treating via GP connect. 

The NHS 111 service (and other services determined locally e.g., other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services. 

Learn more about GP Connect. Please visit the NHS England website

As a patient you have the right to opt-out from your healthcare information being shared with another provider via GP Connect. If you wish to enquire further as to your rights in respect of not sharing information via GP Connect, please contact our Practice Manager. You can opt-in again at any time.

London Care Record

The London Care Record is a secure view of your health and care information. It lets health and care professionals involved in your care see important details about your health when and where they need them.

It can show doctors, nurses and other care professionals any conditions you have, your test results, medicines you take, anything you’re allergic to, plans for your care and other important information.

Having a single, secure view of your information helps speed up communication between care professionals across London, and beyond and helps informs the decisions they make about your care.

You can read the London Care Record Privacy Notice. This website explains why health and care organisations share information about you and how that information may be used in the London Care Record programme.

Primary Care Network 

GP practices across England work together with community, mental health, social care, pharmacy, hospital and voluntary services in their local areas in groups of practices known as primary care networks (PCNs).

PCNs build on existing primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care for people close to home. Clinicians describe this as a change from reactively providing appointments to proactively caring for the people and communities they serve.

We are part of the East End Health Primary Care Network. 

The practice may share your information with other practices within the PCN to provide you with your care and treatment. 

NHS health checks and screening programmes

The NHS provides health checks and national screening programmes so that certain diseases can be detected at an early stage.

These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms, and a diabetic eye screening service. The law allows us to share your contact information with the UK Health Security Agency, or other relevant health organisations, so that you can be invited to the appropriate screening programmes.

You can opt out of receiving invitations for screening programmes; however, we advise that you first speak to a GP.

Medicines Management

The GP practice may conduct a medicines management review of your prescribed medications.

This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by clinicians such as Pharmacists, and in strict accordance with agreements that we have in place.

Risk Stratification

Risk stratification data analytics tools are used across the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. 

Information about you is collected from several sources including hospitals and from this GP practice. The identifying parts of your data are removed, analysis of your data is undertaken, and a risk score is then determined. This is then provided back to your GP in an identifiable form. 

Risk stratification enables your GP and your other healthcare providers to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. 

Safeguarding

The GP practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do.

Safeguarding information such as referrals to safeguarding teams is retained by us when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).

Data sharing for NHS planning, research and other non-healthcare purposes

Your personal information may be shared with other organisations for non-direct healthcare purposes, these organisations include:

• NHS England 
• NHS Integrated Care Boards 
• Multi-agency Safeguarding Hubs
• Local authorities 
• Social care services 
• Education services 

We will only share your personal information if we have a lawful basis.

Data sharing for healthcare research

The GP practice supports medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best. We may also use your GP medical records to carry out research within the practice.

There may be occasions where authorised research organisations would like you to take part in research. Your contact details may be used to invite you to receive further information about such research opportunities. 

We will never use your GP medical records for research unless the law allows us or we have your explicit consent. To opt-out from your personal information or GP medical records being shared for research purposes please contact our Practice Manager to register a Type-1 opt out.

Data sharing for invoice validation 

Your personal information may be shared if you have received treatment to determine which Integrated Care Board is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

Data sharing with the North East London Integrated Care Board 

NEL ICB (North East London Integrated Care Board) is the NHS organisation responsible for planning and buying health services across North East London to meet the population’s needs, making sure all parts of the local health system work effectively together. 

NEL ICB extracts medical information about you as a patient, but the information we pass to the organisation via our electronic patient record system (EPRS) cannot identify you to them. 

This information only refers to you by way of a code that only the GP practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at NEL ICB from ever identifying you when accessing the information. We will never give NEL ICB the information that would enable them to identify you. 

There are good reasons why NEL ICB may require this information, these are as follows: 

• To assist in analysing current health services and proposals for developing future services. This is called Population health management.
• To develop risk stratification models to help GPs to identify and support patients with long term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as diabetes. 
• Using risk stratification to help NEL ICB to understand the health needs of the local population in order to plan and commission the right services. Examples include:
  • Flu vaccination uptake 
  • Enhanced access 
  • Commissioned healthcare services 
  • Medicines management (review of prescribed medicines) 
  • Childhood immunisations 
  • Risk stratification (such as hospital admission prevention). 

Learn more about NEL ICB. Please visit the organisation’s website

Data sharing with NHS England 

We will share structured and coded data from your GP medical records with NHS England. We are required to do this by law under the Health and Social Care Act 2012.

Information that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS England. This means that no one will be able to directly identify you in the data. 

NHS England will collect:

• Data on your sex, ethnicity, and sexual orientation 
• Clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls and appointments including information about your physical, mental, and sexual health 
• Data about the staff who have treated you
• Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old 
• Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment and certain information about gender re-assignment.

OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service 

NHS England has been directed by the Department of Health and Social Care to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.

The GP practice remains the data controller of your personal information but is legally required to let approved users to run queries on pseudo anonymised patient data via the OpenSAFELY platform. Patient identifiers are removed and replaced with a pseudonym, and only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies you.

If you do not wish for your personal information to be used as part of this process, please contact the Practice Manger to record a Type-1 Opt-Out

Learn more about OpenSAFELY. Please visit the OpenSAFELY website

Anonymised data 

Sometimes we may provide other organisations information in anonymised form. If we do so, then none of the information we provide to any other party will not identify you as an individual and cannot be traced back to you.

Clinical audits and patient safety

Auditing of clinical notes

The GP practice regularly audit clinical notes as part of our commitment to the effective management of healthcare. Auditing clinical management is no different to a multi-disciplinary team meeting discussion whereby management is reviewed and agreed. We always maintain confidentiality.

National Clinical Audits

The GP practice contributes data to national clinical audits so that healthcare can be checked and reviewed. Information from GP medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you. 

The results of the checks or audits can show where hospitals are doing well and where they need to improve. And the results of the checks or audits are used to recommend improvements to patient care.

Care Quality Commission

The Care Quality Commission (CQC) regulates health and social care services to ensure that safe care is provided. NHS health and social care legislation requires the GP practice to report certain serious events to the CQC, for example, when patient safety has been put at risk. We will only share your personal information with CQC if it is necessary, and we will seek your explicit consent to share your GP medical records.

Data Security

Data retention - how long we keep your personal information

As an NHS provider we keep your personal and healthcare information in line with NHS England’s Records Management Code of Practice.

We are the data controller for your GP medical records whilst you are a registered patient at our GP practice. If you register with another GP practice your GP medical records will transfer with you, and the new GP practice will be the data controller responsible for keeping your records up to date and giving you access if you make a subject access request (SAR).

Security and storage of your personal information

We take the security of your personal and healthcare information very seriously and we do everything we can to ensure that it is protected. We regularly update our processes and systems, and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out risk assessments and security reviews. 

All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. 

We also have contractual arrangements with all our data processors that covers data protection responsibilities that they must maintain when working with us. 

We hold your GP medical records in an electronic patient record system (EPRS) called EMIS Web which is provided by Optum UK. Optum UK stores the information in cloud storage supplied by Amazon Web Services (AWS). The information is stored in the UK and is fully encrypted both in transit and at rest. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the highest levels of security and support. They do not have access to your personal information.

Contact details

Keeping your records up to date

Under the UK GDPR we are legally obliged to protect any personal and healthcare information that we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details. 

Please inform us of any changes by contacting us online.

Contacting you by email or text message

We may contact you using your email address or by SMS text to your mobile phone if we need to notify you about appointments and other services that we provide to you involving your direct healthcare, therefore you must ensure that we have your up-to-date details. This is to help us with the security of your personal information and to ensure we are contacting you and not someone else. 

As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details. 

The email and SMS text service is operated on an ‘opt-in’ basis, and we will assume that you have given us permission to contact you via email or SMS if you have provided your email address and mobile telephone number as part of your contact details. 

If you wish to opt-out from email or text message, or need to inform us of any changes to your contact details please tell us by contacting us online.

Call Recordings, Website

Telephone call recordings

All our inbound and outbound calls are recorded. 

We record calls for purposes of seeking clarification in the event of a dispute with a patient or service user, and also for staff training. Our staff access to call recordings is restricted to our senior management.

At The Albion Health Centre call recordings are retained for up to 12 months.

If you require access to your calls with the GP practice, you will need to submit a Subject Access Request to our Practice Manager.

Our website and cookies

When you visit the GP practice website, cookies are placed on to your computer to optimise your experience. A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website. You have the option to decline the use of cookies on your first visit to the website.

Marketing

The GP practice will never use your personal information for marketing.

Your privacy and confidentiality rights

Your data subject rights

Under the UK GDPR all individuals have certain rights in relation to the personal information an organisation holds about them. 

These rights are: 

• The right to be informed about the processing of your data 
• The right of access to the data held about you (subject access request) 
• The right to have that information amended in the event that it is not accurate
• The right to have the information deleted 
• The right to restrict processing 
• The right to have your data transferred to another organisation (data portability) 
• The right to object to processing 
• Rights in relation to automated decision making and profiling. 
• Currently we do not use automated decision-making such as Artificial Intelligence (AI) that does not include human involvement.

How to make a subject access request, or exercise your other data subject rights 

Under the UK GDPR you have the right to access and receive a copy of your personal information held by us, this is called a Subject Access Request (SAR). You also have the right to ask us to amend any inaccuracies.

To submit a SAR, please contact our Practice Manager using the contact details above. 

There is no charge to have a copy of the personal information held about you. However, we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive. 

We are required to provide you with the personal information within one month. 

We would ask therefore that any requests you make are in writing and it is made clear to us what and how much information you require. 

In your request, please provide adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located. 

For information from a hospital or other Trust/NHS organisation you should write directly to the organisation.

Right to amend

You have the right to amend your personal information held by the GP practice which is inaccurate or a mistake. Please contact our Practice Manager.

We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Accessing your GP medical records via the NHS App

The NHS App gives you a simple and secure way to access a range of NHS services. Download the NHS App on your smartphone or tablet via the Google play or App store. You can also access the same services in a web browser by logging in through the NHS website. 

You must be aged 13 or over to use the NHS App. You also need to be registered with a GP surgery in England or the Isle of Man. Find out more about who can use the NHS App.

What you can do with the NHS App

You need to prove who you are to get full access to the NHS App. With full access you can:

• Order repeat prescriptions and nominate a pharmacy where you would like to collect them
• Book and manage appointments
• View your GP health record to see information like your allergies and medicines (if your GP has given you access to your detailed medical record, you can also see information like test results)
• Book and manage COVID-19 vaccinations
• Register your organ donation decision
• Choose how the NHS uses your data
• View your NHS number (find out what your NHS number is)
• Use NHS 111 online to answer questions and get instant advice or medical help near you

Before proving who you are, you can use the NHS App to:

• Search trusted NHS information and advice on hundreds of conditions and treatments
• Find NHS services near you.

Visit the NHS England website to learn more about the NHS App

Your data opt-out rights (research and planning purposes)

The NHS uses personal information belonging to patients to research, plan and improve the services it offers, and the treatment and care patients receive. 

To help improve and innovate services, NHS England collects patient information from GP practices, hospitals and other healthcare providers. You can choose whether or not your personal information is used for research and planning. There are different types of data sharing you can opt out of. 

Type 1 opt-out 

To stop your registered GP practice from sharing your personal information for research and planning purposes, you will need to fill out the opt-out form and return it to your GP practice. Please download the form from the NHS England website

National data opt-out

The national data opt-out (NDOO) is a service that allows patients to opt-out of their confidential patient information used for research and planning purposes. The opt-out choice is recorded and managed by NHS England, and not your registered GP practice. 

There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Your confidential patient information will still be used for your individual care. Choosing to opt-out will not affect your care and treatment. You will still be invited for screening services such as screening for bowel cancer. 

You do not need to do anything if you are happy about how your confidential patient information is used. 

If you do not want your confidential patient information to be used for research and planning, you can choose to opt-out by using one of the following: 

• Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice
• Telephone service 0300 303 5678 which is open Monday to Friday between 9am and 5pm.
• NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google play
• “Print and post” registration form: Request at the surgery.
  • Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application.
  • It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ

Your right to complain

If you have any concerns about the use of your personal information, you can make a complaint to our Practice Manager using the contact details at the top of this privacy notice. 

If you remain unhappy with how we have used your data after raising a complaint with us, you can also complain to the Information Commissioner.

Accessibility

Access to this privacy notice, and where English is not your first language. 

If English is not your first language you can request a translation of this Privacy Notice. Please contact our Practice Manager.

Changes to this privacy notice 

We regularly review and update our Privacy Notice; the next update is due on 30th June 2026.