Privacy Notice

The Care Quality Commission (CQC) is the independent regulator of health and adult social care services in England. It was set up by law to make sure that care is safe, effective, and meets high standards.

CQC checks all GP practices in England. These checks are called inspections. They look at how care is provided and whether it meets national standards. Inspections happen regularly, but not always on a fixed schedule. They may happen more often if there are concerns about safety or quality.

CQC has legal powers to look at personal and medical records when needed to carry out its work. This includes checking how services are run, investigating serious incidents, and making sure care is safe. GP practices must also tell CQC about certain events, such as serious injuries or safeguarding concerns.

CQC follows data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act. It has strict rules to make sure your information is kept safe, secure, and used properly.

You can read more about how CQC uses personal information in its privacy statement - https://www.cqc.org.uk/about-us/our-policies/privacy-statement

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. To provide specific reporting functions on identified quality standards.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.

6) Rights to object

You have the right to object to some or all of the information being shared with NHS Digital. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

CFH Docmail Ltd is acting as a data processor. We provide them with names & addresses and a template letter (e.g. an invitation for flu vaccination), and CFH Docmail perform a mail merge and post the letter to those patients. The least amount of sensitive data is provided to CFH Docmail.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable Frome Medical Practice to send out letters to patients regarding their medical care. This is for direct care purposes.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

CFH Docmail Ltd acting as data processor.

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

CFH Docmail delete all personal/sensitive data provided to them under the agreement within 30 days.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

As part of benefit claim assessments, the Department for Work and Pensions (DWP) may request medical information from your GP practice. This information helps DWP determine eligibility for benefits such as Universal Credit, Personal Independence Payment (PIP), and Employment and Support Allowance (ESA).

1) Data Controller contact details    

Frome Medical Practice, Frome Medical Centre, Enos Way, Frome, Somerset, BA11 2FH

Telephone: 01373 301301

2) Data Protection Officer contact details    

Kevin Caldwell
GP Data Protection Officer
Somerset ICB
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR

Telephone: 01935 384000
Email: somicb.GPDPO@nhs.net

3) Purpose of the processing    

To enable Department of Work & Pensions to process benefit claims.

The information shared may include:

• Diagnoses and clinical history
• Functional difficulties (e.g., mobility, communication)
• Treatment plans and medication
• Ability to travel to assessments
• Any relevant information from your medical records

4) Lawful basis for processing    

The following Article 6 and 9 conditions apply: 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
• Article 9(2)(b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Domestic Law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.”  

Common law duty of confidentiality: Satisfied by DWP’s assurance of your explicit consent

5) Recipient or categories of recipients of the shared data    

Department for Work and Pensions (DWP) acting as data processor

6) Rights to object     

You have the right to object. If you wish to do so, please contact the practice.

7) Right to access and correct  

DWP’s medical reports are exempt from the provisions of the Access to Medical Reports Act 1998 because the reports are not for employment or insurance purposes. This means the person cannot request access to it before it is sent to the DWP.

If a person wishes to see the report, they should request it from DWP through the Subject Access Request process. The practice will not keep a copy of the report that is sent to the DWP.

8) Retention period   

Data retained in line with DWP policies  

9)  Right to Complain

You have the right to complain to the Information Commissioner’s Office, you can use this link or calling their helpline 0303 123 1113 (local rate) or 01625 545 745 (national rate) 

Sharing information in an emergency

Sometimes we need to act quickly to protect someone’s life or prevent serious harm. This might happen if a person collapses, has a diabetic coma, or is badly injured. In these situations, the person may be unconscious or too unwell to speak. When this happens, we have a duty to do everything we can to help. This may include sharing your health information with emergency services like paramedics, hospital staff, the police, or fire and rescue teams. We only share what is needed to make sure you get the right care. The law supports this. It allows us to share information without asking for consent if it is needed to protect someone’s life or prevent serious harm.

Advance decisions (sometimes called living wills) 

You can make decisions in advance about the care you want to receive if you become seriously ill in the future. These are called advance decisions to refuse treatment. If you have made one and it is recorded in your medical notes, we will follow it even in an emergency unless there is a very strong reason not to..

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(d) "processing is necessary to protect the vital interests of the data subject or of another natural person"

and:

Article 9(2)(c) "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent"

Or alternatively:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres. This includes the Dorset and Somerset Air Ambulance, South West Ambulance Service Foundation Trust, Devon and Somerset Fire & Rescue Service, Avon and Somerset Police, Out of Hours Service (Devon Doctors), Accident & Emergency and Urgent Care Centres.

6) Rights to object

You have the right to object to some or all of the information being shared with the recipients. If you wish to do so please contact the practice.

You also have the right to have an "Advance Directive" placed in your records and brought to the attention of relevant healthcare workers or staff.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

How we use your information for your care

We keep records about your health and care to help us provide safe and effective treatment. These records may be stored electronically or on paper and include personal details like your name, address, emergency contacts, carers, and legal representatives. They also include:

• Appointments and visits, including emergencies
• Notes and reports about your health
• Details about your diagnosis, treatment and care
• Medicines you are taking
• Results of tests, such as blood tests or x-rays
• Information from other health and care professionals, relatives or carers

We also receive letters, test results and other updates from organisations involved in your care. These are added to your record so we have a full picture of your health.

Your NHS Record

When you register for NHS care, your details are added to a national database. This is managed by NHS England, which has legal responsibilities to collect and protect NHS data.

Who is involved in your care

Your GP is responsible for your overall care, but they work with a team. It is not possible for one GP to personally deliver care to every patient, so tasks are shared with other trained professionals in the practice and sometimes with trusted organisations outside the practice. If you need care from another NHS service, we will share the information they need to treat you. When you use NHS services outside the practice, they usually send us a summary of your care, which we add to your record. We may also receive reports from non-NHS services, but this is less consistent.

Sharing your information

We share your information with others involved in your care when it is necessary. This is called implied consent, and it is supported by UK law. People who access your information will only see what they need to do their job. You have the right to object to this sharing, but we may still share information if it is in your best interests or required by law.

Remote consultations

We may offer you a consultation by phone or video. By joining the call, you are agreeing to this type of consultation. Your information will be protected in the same way as in a face-to-face appointment, and any risks will be explained to you beforehand.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Direct Care is care delivered to the individual alone, most of which is provided in the practice. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Health and care professionals and support staff in this practice and at hospitals, diagnostic and treatment centres who contribute to your personal care. This includes:

• AccuRx
• Amazon Web Services
• Apollo Medical (Eclipse)
• Bath Clinic
• Bering (Brave AI)
• Belmont Villa Care Home
• BOC Healthcare
• Catherine House Care Home
• CFH Docmail
• Child Health Information Services (CHIS)
• Cinapsis
• Citizens Advice Bureau
• CQRS
• Critchill Court Residential Home
• DESMOND
• Diabetic Retinopathy Screening Service
• Dieticians
• District Nurses
• Dorothy House Hospice
• EMIS Health
• Engage Health
• Formstack
• Frome Community Hospital
• Frome Nursing Home
• Greenhill Grange Residential Home
• Health Connections Mendip
• Health Visitors
• Healthy.Io
• Home Oxygen service
• InHealth
• Integrated care team
• Klinik Healthcare UK
• Medical Examiners Office
• Midwives
• Momenta
• NHS 111
• NHS Foundation Trusts
• NHS South, Central and West Commisioning Support Unit (SCWCSU)
• Open Exeter
• Paramedics
• Pharmacies
• Pinnacle
• Rossetti House
• Rowden House Care Home
• Royal National Hospital for Rheumatic Diseases
• Royal United Hospital, Bath
• Shepton Mallet Treatment Centre
• Social Services
• Somerset County Council
• Somerset ICB
• Somerset Integrated Digital Electronic Record (SIDeR)
• Sulis Hospital Bath
• Surgery Connect (X-on)
• Treeview Designs
• University of Bath
• Your Health and Wellbeing Mendip

and other third sector organisations supporting your direct care.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Sharing information with the police

Sometimes the police ask us for information to help with an investigation. These requests are taken seriously and are always reviewed carefully.

We will only share information if:

• the law says we must, for example after a road traffic accident
• the police give a strong reason, such as preventing or investigating a serious crime
• it is necessary to protect someone from serious harm

We will only share the minimum amount of information needed, and only with authorised officers. We may not always be able to tell you about the request if doing so would put someone at risk.

Each request is looked at on a case-by-case basis. We follow data protection laws and national guidance to make sure your information is handled safely and lawfully.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

As with any disclosures to the police, there must be:

• A legal duty to disclose, or
• A sufficiently important reason to disclose AND a legal basis for doing so.

This includes:

• The Prevention of Terrorism Act (1989) and Terrorism Act (2000)
• The Road Traffic Act (1988)
• The Female Genital Mutilation Act (2003)

4) Lawful basis for processing

To enable the police to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject"

and:

Article 9(2)(g) "Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards"

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Police (or other judicial authorities)

6) Rights to object

Not applicable

7) Right to access and correct

Not applicable

8) Retention period

Data retained in line with Police policies.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Applicants & license holders have a legal duty to notify the DVLA of any injury or illness that would have a likely impact on driving ability.

GPs are obliged to notify the DVLA when fitness to drive requires notification but an individual cannot or will not notify the DVLA themselves, and if there is concern for road safety, which would be for both the individual and the wider public.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(d) "processing is necessary to protect the vital interests of the data subject or of another natural person"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Driver & Vehicle Licensing Agency (DVLA).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with DVLA policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Using your email address

You can choose to give us your email address. This helps us contact you quickly and easily. We may use your email to:

• send appointment reminders or cancellations
• respond to repeat prescription requests
• share information about our services
• support your direct care

We will only use your email for things related to your care.

We do not use it for marketing or share it with others without your permission.

You can ask us to remove your email address from your record at any time. We will respect your choice and stop using it.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable staff at Frome Medical Practice to communicate with patients via email. This is for direct care purposes.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data subject (you).

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Not applicable.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

As employers we need to keep certain information so that we can remain your employer and manage payments. This is a combination of personal and financial information. We are required by law to hold certain types of data on those we employ under the Health and Social Care Act and this data is examined during CQC inspection visits. For more information about the CQC see: http://www.cqc.org.uk/

The type of information we keep incorporates, but is not limited to:

• Personal details, including Name, address, contact details
• Recruitment and employment checks
• Financial (bank and salary)
• Trade union membership
• Personal Demographics
• Relevant medical information
• Professional registration
• Employee relations (disciplinary, grievances, complaints, etc)
• Criminal Record Checks (dependent on employee position)

We are also required by HMRC and various taxation laws, such as "The Income Tax (Pay As You Earn) Regulations 2003" to keep financial records. Employee health data may also be shared with Occupational Health.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To comply with the Health and Social Care Act and taxation law.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) "…necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 6(1)(b) "necessary for a contract with the individual, or because they have asked to take specific steps before entering into a contract."

and;

Article 9(2)(b) "...processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;"

and;

Article 9(2)(h) "…necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time. Financial data will also be shared with HMRC and Fairway Training, for payroll purposes. Employee health data will be shared with Occupational Health, when required.

6) Rights to object

You have the right to object to some or all of the information being shared with CQC. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law. There is no right to have UK taxation related data deleted except after certain statutory periods.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies, taxation and employment law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The Friends and Family Test helps us understand what you think about our services. We ask how likely you are to recommend our care to your friends and family.

Giving feedback is completely voluntary. It will not affect the care you receive.

You can give feedback by:

• filling in a Friends and Family Test form
• using the feedback section on our website

You can also add comments in your own words. This helps us understand what we are doing well and where we can improve.

We do not ask for your name, and we will not be able to tell who you are from your answers unless you choose to give us your contact details. If you do, we may get in touch to talk about your feedback.

Your answers are used in a way that protects your identity. We follow data protection laws to keep your information safe.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Collecting this feedback gives us the opportunity to see what our patients are saying about our services and helps us to understand what we are doing well and where we need to improve our services.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere  is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital via the Calculating Quality Reporting Service (CQRS)

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance 

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Under the Medical Act 1983, the GMC has the power to request access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practice.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The General Medical Council (GMC).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with GMC policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The HSO has the power to request access to a patient’s medical records for the purposes of an investigation based on the Health Service Commissioners Act 1993, s12

4) Lawful basis for processing

To enable the HSO to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The Health Service Ombudsman (HSO).

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with HSO policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

As part of the compensation process for individuals affected by infected blood, GP practices may be required to share relevant medical information with the Infected Blood Compensation Authority. This is to support claims and ensure accurate assessment of eligibility and compensation.

1) Data Controller contact details    

Frome Medical Practice, Frome Medical Centre, Enos Way, Frome, Somerset, BA11 2FH

Telephone: 01373 301301

2) Data Protection Officer contact details    

Kevin Caldwell

GP Data Protection Officer
Somerset ICB
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000
Email: somicb.GPDPO@nhs.net

3) Purpose of the processing    

This is to support claims and ensure accurate assessment of eligibility and compensation.

The information shared may include:

• Patient identifiers (e.g., name, date of birth, NHS number)
• Relevant medical history and diagnoses
• Treatment records and outcomes
• Supporting documentation from the patient’s medical file

4) Lawful basis for processing    

IBCA has been created through the Victims and Prisoners Act 2024 (VAP), which sets out its duties and obligations.
Section 53 of the VAP provides IBCA with the legal power to require information from NHS organisations when needed to process an infected blood compensation claim.

It also provides NHS providers with a legal power to provide information to IBCA for the purposes of any matter connected with the administration of the compensation scheme, which includes personal data such as medical records or information. The Act imposes a duty upon NHS providers to comply with requests for information from IBCA. Section 53 also allows IBCA to seek a court order in the event a notice to provide is not complied with.

The requirement to send information to IBCA is not therefore a Subject Access request on behalf of the patient but a request for information using the statutory powers of the VAP.
Section 53 of the VAP sets aside the Common Law Duty of Confidentiality and gives the practice the legal power to provide the information to the IBCA upon request. This means patient consent to share information with IBCA is not required.

Under UK GDPR, the following Article 6 and 9 conditions apply: 

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
• Article 9(2)(g) ‘processing is necessary for reasons of substantial public interest, on the basis of Domestic Law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.’ 

5) Recipient or categories of recipients of the shared data    

The Infected Blood Compensation Authority (IBCA) acting as data processor

6) Rights to object     

You have the right to object. If you wish to do so, please contact the practice.

7) Right to access and correct    

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period     

Data retained in line with the IBCA policies  

9) Right to complain    

You have the right to complain to the Information Commissioner’s Office, you can use this link or calling their helpline 0303 123 1113 (local rate) or 01625 545 745 (national rate) 

As part of any recruitment process, the organisation collects and processes personal data relating to job applicants. The practice is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

The practice collects a range of information about you. This includes:

your name, address and contact details, including email address and telephone number;

details of your qualifications, skills, experience and employment history;

information about your current level of remuneration, including benefit entitlements;

whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;

information about your entitlement to work in the UK; and

equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.

The practice collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment. The practice will also collect personal data about you from third parties, such as references supplied by former employers and where applicable information from criminal records checks. The organisation will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems

The practice takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, the organisation may not be able to process your application properly or at all. You are also under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Some of the organisation's recruitment processes are based solely on automated decision-making, for example whether or not you are eligible to work in the UK.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The practice needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

In some cases, the practice needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

The practice has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the practice to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The practice may also need to process data from job applicants to respond to and defend against legal claims.

The organisation processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

The organisation will not use your data for any purpose other than the recruitment exercise for which you have applied.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

Article 6(b) Contract

and…

Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

5) Recipient or categories of recipients of the processed data

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, the Digital, Data and Technology team if access to the data is necessary for the performance of their roles, and interviewers involved in the recruitment process.

The practice will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The organisation will then share your data with former employers to obtain references for you, and where applicable the Disclosure and Barring Service to obtain necessary criminal records checks.

The organisation will not transfer your data outside the European Economic Area.

6) Rights to object

You have the right to delete or stop processing your data. If you wish to do so please contact the practice. 

7) Right to access and correct

You have the right to access a copy of your data and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law. There is no right to have UK taxation related data deleted except after certain statutory periods.

8) Retention period

If your application for employment is unsuccessful, the organisation will hold your data on file for 6 months after the end of the relevant recruitment process. At the end of that period or once you withdraw your consent, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

How the NHS and care services use your information

Frome Medical Practice is part of the wider NHS and care system. When you use health or care services, such as visiting A&E or receiving community care, important information about you is collected and added to your health record. This helps make sure you get the best possible care. Sometimes, information from your health record is also used for reasons beyond your individual care. This can include:

• improving the quality of care
• developing new treatments
• preventing illness
• checking safety
• planning NHS services

This kind of use is only allowed when there is a clear legal basis. Most of the time, the data used is anonymised so you cannot be identified.

You can choose whether your confidential patient information is used for purposes beyond your care. If you are happy with this, you do not need to do anything. If you choose to opt out, your information will still be used to support your individual care. You can change your choice at any time.

To find out more or to set your choice, visit: Your NHS Data Matters

On this website, you can:

• learn what confidential patient information means
• see examples of how your data is used
• understand the benefits of sharing data
• find out who uses the data and how it is protected
• set or change your opt-out choice
• find contact details if you prefer to do this by phone
• see when the opt-out does not apply

You can also find more information at:

• Health Research Authority - about health and care research
• Understanding Patient Data - about how and why patient data is used

Your data will never be shared with insurance companies or used for marketing without your specific permission.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) "…necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "…necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital according to directions

6) Rights to object

You have the right to object to some or all of the information being shared with NHS Digital. If you wish to opt out please visit Your NHS Data Matters

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The NHS offers national screening programmes to help find certain health conditions early, when they are easier to treat. These programmes are based on age, sex, and other health factors.

You may be invited for screening for:

• Bowel cancer
• Breast cancer
• Abdominal aortic aneurysm (AAA)
• Diabetic eye disease
• Fetal anomalies during pregnancy
• Sickle cell and thalassaemia
• Newborn hearing
• Newborn blood spot conditions
• Newborn and infant physical checks

To make sure you receive your invitation, we share your contact details with NHS England. This is allowed by law and helps ensure you get the right care at the right time.

Screening and gender identity

Screening invitations are usually based on the gender recorded in your GP record. If you are transgender or non-binary, this may affect which invitations you receive.

For example:

• Trans women registered as female may be invited for breast screening but not AAA screening.
• Trans men registered as male may not be invited for cervical or breast screening, even if they still need it.

If you are not invited for a screening programme you think you should be part of, you can speak to your GP or contact the screening service to request it.

You can find more information about screening for trans and non-binary people here: NHS screening information for transgender people

More details about all NHS screening programmes are available at: NHS screening programmes

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The NHS provides several national health screening programs to detect diseases or conditions earlier such as; cervical and breast cancer, aortic aneurysm and diabetes. More information can be found at Population screening programmes. The information is shared so as to ensure only those who should be called for screening are called and or those at highest risk are prioritised.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(e); "necessary… in the exercise of official authority vested in the controller"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Avon and Somerset Breast Screening, Somerset Diabetic Eye Screening, Somerset Bowel Cancer Screening, Somerset and North Devon Abdominal Aortic Aneurysm (AAA) Screening, Public Health Services (England).

6) Rights to object

You have the right to object to this processing of your data and to some or all of the information being shared with the recipients. For national screening programmes: you can opt to no longer receive an invitation to a screening programme.

Visit Opting out of the NHS population screening programmes

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

GP medical records will be kept in line with the law and national guidance.

Information on how long records can be kept can be found at: Records management code of practice

9) Right to complain

You have the right to complain to the Information Commissioner's Office

National Fraud Initiative (NFI)

We take part in the National Fraud Initiative, a government programme that helps prevent and detect fraud in public services.

The Cabinet Office runs this programme by comparing sets of data from different public bodies. This is called data matching. It helps identify unusual patterns that may suggest fraud, error, or other issues that need to be looked into.

What this means for you

We may share some of your information with the Cabinet Office if it is needed for a data matching exercise. This could include details like your name, address, or NHS number. The exact data shared depends on the focus of each year’s exercise.

This is allowed by law under Part 6 of the Local Audit and Accountability Act 2014. It does not require your consent, and it does not breach confidentiality. However, we still follow data protection laws to keep your information safe.

How your data is protected

The Cabinet Office follows a strict Code of Data Matching Practice to make sure your data is used fairly, securely, and lawfully. You can read the code here:  Code of Data Matching Practice for the National Fraud Initiative

Each year, the types of data used may change depending on the focus of the fraud prevention work. We only share data when it is required.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Under the NHS Act 2006, investigations into fraud in the NHS may require access to confidential patient information.

4) Lawful basis for processing

To enable the cabinet office and NHS counter fraud authority to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

NHS Counter Fraud Authorities, Cabinet Office.

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with NHS Counter Fraud policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

How NHS England uses your information

NHS England is responsible for collecting and analysing patient data from across the NHS. It helps improve care by producing reports, statistics, audits, and research.

Examples include:

• A&E and outpatient waiting times
• NHS staffing numbers
• GP payments and performance
• National audits like the Female Genital Mutilation dataset, General Practice Appointments Data, CVD PREVENT, and the National Diabetes Audit

Why we share data

GP practices are required by law to share certain information with NHS England when instructed. These instructions are called “Directions” and are issued under the Health and Social Care Act 2012. This is a legal duty and does not require patient consent. We support important health and care planning and research by sharing your data with NHS England. This helps improve services for everyone.

Your privacy and rights

NHS England keeps your data safe and follows strict rules under data protection law. Most of the time, data is anonymised so you cannot be identified.

You can find more information here:

• NHS England Privacy Notice
• NHS England – Data and Information
• Directions and Data Provision Notices
• GP Practice Privacy Notice – Planning and Research

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. To provide specific reporting functions on identified quality standards.

4) Lawful basis for processing

To enable the HCO to receive information concerning a patient for the purposes of an investigation, the following Article 6 and 9 conditions apply:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and;

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS England according to directions

6) Rights to object

You have the right to object to some or all of the information being shared with NHS England. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

This covers information provided to third party organisations such as solicitors (e.g. personal injury claims), insurance companies (e.g. life assurance), employers etc.

The explicit consent of patients must be obtained and demonstrable before the release of any such information.

Only the minimum necessary information relevant to the request will be disclosed.

4) Lawful basis for processing

To enable the Frome Medical Practice employees to provide information to other third parties, the following Article 6 and 9 conditions apply:

6(1) (a)  - Consent of the data subject

and;

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will consider your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

Consent must be freely given, specific, informed, and unambiguous. You may withdraw your consent at any time.

5) Recipient or categories of recipients of the processed data

Third party organisations such as solicitors, insurance providers, employers, or other entities acting on your behalf.

6) Rights to object

You do not have to consent to your data being shared with a third party. If you have consented to your data being shared with a third party you can change your mind and withdraw your consent at any time. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Data retained in line with the third party organisation’s policies on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

The health and social care system will take action to manage and mitigate the spread and impact of any pandemic outbreak. Action to be taken will require the processing and sharing of confidential patient information amongst health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the pandemic outbreak and incidents of exposure.

Any notices of pandemic will be posted on the GOV.UK website  

Supplementary privacy notices may be issued on the privacy page on our website for specific pandemics as they occur.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

The purpose of this Notice is to require organisations to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to the pandemic. "Processing" for these purposes is defined in Regulation 3(2) and includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of COPI.

This includes sharing information to support public health efforts, deliver care, and monitor the spread and impact of the pandemic.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and;

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”

“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) requires organisations to process confidential patient information in the manner set out in Regulation 3(1) of COPI.

5) Recipient or categories of recipients of the processed data

Recipients may include NHS organisations, public health bodies, research institutions, and other entities involved in pandemic response.

You (the data subject) may also receive information about how your data is used.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

While you have the right to object, certain legal obligations under COPI may limit the ability to uphold your objection in all cases.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected.

8) Retention period

Data will be retained in accordance with national guidance issued via the GOV.UK website and NHS record retention schedules. Specific retention periods may vary depending on the nature of the pandemic and associated legal requirements.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

Your data during the COVID-19 outbreak

This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our Privacy Notice for Pandemics.

Why your information can help us manage COVID-19

The health and social care system is facing significant pressures due to COVID-19. Health and care information is essential to deliver care to individuals, to support health and social care services and protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. Existing law that allows patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS England and other organisations, such as the UK Health Security Agency (UKHSA), local authorities, health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during COVID-19 will be limited to the period of the outbreak unless there is another legal basis to use the data.

Opt outs

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111.  We may also use the details we have to send public health messages to you, either by phone, text or email. 

Telephone and video consultations

During this period we may offer you a consultation via telephone or video conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/ confidential patient information will be safeguarded in the same way it would with any other consultation and any risks explained to you before the consultation begins.

Sharing your information

We will also be required to share certain personal/ confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. 

NHS England have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England and the UKHSA. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

This privacy notice explains how Frome Medical Practice handles your personal information when you choose to activate online access to your GP record.

Online access allows you to securely view parts of your medical record through the NHS App or other approved platforms. This includes features such as booking appointments, requesting repeat prescriptions, and viewing test results or consultation notes.

We are committed to protecting your privacy and ensuring that your personal data is handled safely, lawfully, and transparently. This notice is designed to help you understand:

• What information is collected and why
• Who is responsible for your data
• Your rights in relation to your data
• How to raise concerns or make a complaint

Activation of online access is entirely optional and only takes place with your explicit consent (or that of a parent/guardian or representative, where applicable).

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable patients to securely access their GP record online via the NHS App, to access health care features such as, booking appointments, requesting repeat medication and viewing their medical information.

4) Lawful basis for processing

The following Article 6 and 9 conditions apply:

Article 6(1) (a)  - Consent of the data subject

and;

Article 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality". This means we must keep your information confidential unless you give consent or there is a legal requirement to share it.

5) Recipient or categories of recipients of the processed data

The data subject (you);

6) Rights to object

Article 6(1)(e) gives the data subject the right to object. Although we rely on your consent, you may withdraw it at any time by contacting the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

Your data is retained in line with NHS record retention policies. Online access does not affect how long your records are kept.

9) Right to complain

You can contact the practice directly if you have concerns about how your data is handled. You also have the right to complain to the Information Commissioner's Office

This privacy notice explains how Frome Medical Practice uses your personal data in relation to payments received by the practice for providing NHS services. These payments are made by NHS England and other authorised bodies based on the care we provide to our registered patients.

Payments to GP practices are calculated using various factors, including the number of registered patients, their age and health needs, and the practice’s participation in national and local health programmes.

These include:

• Capitation payments based on patient demographics
• Quality and Outcomes Framework (QOF) achievements
• Enhanced services such as extended hours or immunisation programmes
• Education and research activities
• Premises and infrastructure support

To ensure accurate and lawful payment, basic and relevant information about you may be shared with authorised NHS bodies. This is required under UK law, including the Health and Care Act 2022, and is governed by strict data protection regulations.

This notice outlines:

• What data is shared and why
• Who is responsible for your data
• Your rights under UK GDPR
• How to raise concerns or make a complaint

We are committed to handling your information securely, transparently, and in accordance with your legal rights.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable the practice to receive payments.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

5) Recipient or categories of recipients of the processed data

For payment purposes, your data may be shared with:

• NHS England
• Somerset Integrated Care Board (ICB)
• UK Health Security Agency

For direct care, your data may also be shared with:

• Health professionals within this practice
• Hospitals, diagnostic centres, and treatment providers

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance. While you may object to certain uses of your data, we may be legally required to continue processing it for payment purposes.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. To request access or corrections, please contact the practice.

8) Retention period

The data will be retained in line with the law and national guidance. See Records management code of practice for health and social care

9) Right to complain

If you have concerns, we encourage you to contact the practice first. You also have the right to escalate your complaint to the Information Commissioner's Office

This practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process and will be in line with the principles of Article 89(1) of General Data Protection Regulation (GDPR)

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement. If section 251 is appropriate the National Data Opt Out applies. Please see our Privacy Notice for National Data Opt Out. We may also use your medical records to carry out research within the practice.

Under Section 251 we share information with the following medical research organisations and you can opt out of this via the National Data Opt Out:

• Clinical Practice Research Datalink (CPRD)
• University of Bath

We also share information with the following medical research organisations:

• QResearch

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.

For QResearch; patients who do not wish their data to be included in the upload are able to opt out by informing  the practice who will add SNOMED CT code (1898191000006104) to your record which will cancel any future data collection.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Medical research.

4) Lawful basis for processing

Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are;

Article 6(1)(e) may apply "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

and in addition there are three possible Article 9 justifications:

Article 9(2)(a) – "the data subject has given explicit consent…"

or;

Article 9(2)(j) – "processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject".

or;

Article 9(2)(h) – "processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services..."

Under Section 251 please see the lawful basis for processing or sharing on the Privacy Notice for the National Data Opt Out.

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with Clinical Practice Research Datalink (CPRD), University of Bath and QResearch.

6) Rights to object

You do not have to consent to your data being used for research. If you have consented to your data being used in research you can change your mind and withdraw your consent at any time. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

The data will be retained for the period as specified in the specific research protocol(s).

9) Right to complain

You have the right to complain to the Information Commissioner's Office

How we use your health records to support your care

We use a process called risk stratification to help identify patients who may be at risk of certain health conditions, such as diabetes or heart disease, or who may need extra support, such as people living with frailty.

This helps us plan your care and offer services that could improve your health and wellbeing. We use information from your GP record and other NHS services, such as hospitals, to calculate a risk score.

We also use anonymised data (with your identity removed) to help design and improve services across Somerset.

Risk stratification is carried out in line with NHS guidance and data protection laws. If any part of this process is done outside the practice, your identity is protected; only the GP practice can see who you are and what your risk score is.

You have the right to object to this type of data use. If you do, we will not make decisions about your care based on this information. However, if we believe you are at serious risk, for example, of a heart attack or stroke, we may still use this data to act in your best interests.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

We use information from your health records to help identify people who may be at higher risk of certain health conditions, such as diabetes, heart disease, or falls. This process is called risk stratification or case finding.

By doing this, we can:

• Offer you extra support or services to help prevent illness or manage your condition.
• Make sure you get the right care at the right time.
• Work with other healthcare professionals to plan your treatment and support.

Sometimes, we work with trusted organisations who help us link your GP records with other NHS data, such as hospital visits. This helps us build a fuller picture of your health needs.

Only the healthcare professionals involved in your care will see your identifiable information. They may include GPs, specialists, therapists, or technicians. We only share what’s needed to help them give you the best possible care.

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(e); "necessary… in the exercise of official authority vested in the controller"

and:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

To carry out risk stratification and support your care, we may share your information with trusted NHS organisations and approved partners. These include:

• Somerset Integrated Care Board (ICB)
• NHS Foundation Trusts
• NHS England
• NHS South Central and West Commissioning Support Unit (CSU)
• Bering Ltd (Brave AI) – a technology partner that helps us analyse health data securely
• DataSyrup - provides secure, privacy-preserving data analytics to support population health management and risk stratification.

We only share the minimum amount of information needed, and only with organisations that meet strict data protection and security standards.

Everyone who receives your information is bound by law and NHS rules to keep it safe and confidential.

6) Rights to object

You have the right to object to us using your information for risk stratification.

This means you can ask us not to include your data in searches that help identify people at risk of certain health conditions. You can also object to your data being shared with other organisations for this purpose.

We will consider your request based on your personal circumstances. In some cases, we may still need to use your data if it’s in your best interests or required by law.
If you’d like to object, please contact the practice. We’ll explain your options and what it means for your care.

7) Right to access and correct

You have the right to:

• See the information we hold about you.
• Ask us to correct anything that’s wrong or out of date.

We’ll always make sure your records are accurate and up to date. If you spot something that doesn’t look right, please let us know.

Please note: You can’t ask us to delete accurate medical records unless a court has ordered it.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

If you’re unhappy with how your information is being used, please contact the practice. We’ll do our best to resolve any concerns.

You also have the right to complain to: Information Commissioner's Office

We have a legal and professional duty to protect people who may be at risk of harm. This includes children and adults who may be vulnerable due to their circumstances.

If we believe someone is at risk, we may need to share relevant information with other organisations involved in safeguarding, such as social services, healthcare teams, or the police. This helps ensure the person gets the support and protection they need.

We only share information when the law allows us to. Sometimes we’ll ask for your consent. But in urgent or serious situations, we may share information without asking you first; for example, if someone is in danger.

We follow the rules set out in:

• The Children Act 1989 (Sections 17 and 47)
• The Care Act 2014 (Section 45)
• The Data Protection Act 2018 (Schedule 1, Paragraph 10)
• UK GDPR and the Data Use and Access Act 2025

We also respect your rights under the Common Law Duty of Confidentiality, which means we treat your information with care and only share it when it’s lawful and necessary.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

We share information to help protect children and adults who may be at risk of harm. This is known as safeguarding.

Our aim is to make sure people get the right support, at the right time, from the right services. Sharing information helps professionals work together to keep people safe.

We only share what’s necessary, and we do this in line with the law and national guidance.

4) Lawful basis for processing

We only share information when the law allows us to. This means we must have a lawful reason to do so.

In safeguarding situations, we may share information:

With your consent

If it’s safe and appropriate, we’ll ask for your permission before sharing your information. This is known as consented processing and is based on:

• UK GDPR Article 6(1)(a) – you’ve given clear consent for us to process your personal data
• UK GDPR Article 9(2)(a) – you’ve given explicit consent for us to process sensitive health or care information

Without your consent

Sometimes, we may need to share information without asking you first. This is known as unconsented processing and is allowed when:

• We have a legal duty to protect someone from harm

• It’s in the public interest to do so

This is based on:

• UK GDPR Article 6(1)(c) – we’re complying with a legal obligation
• UK GDPR Article 9(2)(b) – it’s necessary to meet our responsibilities under social protection law
• Data Protection Act 2018 Schedule 1, Paragraph 10 – to prevent or detect unlawful act
• Children Act 1989 Section 47 – duty to investigate if a child is at risk
• Care Act 2014 Section 45 – duty to share safeguarding information

We also follow the Common Law Duty of Confidentiality, which means we only share information when:

• You’ve given consent
• It’s in the public interest
• We’re legally required to do so

5) Recipient or categories of recipients of the processed data

To help protect children and vulnerable adults, we may share relevant information with professionals and organisations involved in safeguarding.

We only share what’s necessary, and we do this securely and in line with the law.

We may share information with:

• Somerset Social Services
• Get Set Early Help teams
• Somerset NHS Foundation Trust, including mental health services
• School nurses and health visitors
• Other healthcare professionals or safeguarding teams involved in your care

These organisations work together to make sure people at risk get the right support and protection.

6) Rights to object

We understand that you may have concerns about your personal information being shared. In most situations, you have the right to say no.

However, when it comes to safeguarding (protecting someone from serious harm) we may need to share information, even if you don’t agree. This is because we have a legal and professional duty to act in the best interests of the person at risk.

This means:

• You can’t object to safeguarding-related sharing if it’s required by law or in the public interest
• We’ll always try to tell you when we share your information, unless doing so would increase the risk of harm

We follow guidance from the General Medical Council (GMC) and other professional bodies to make sure we act responsibly and lawfully.

7) Right to access and correct

You have the right to know what personal information we hold about you.

If you think something is wrong or out of date, you can ask us to correct it. We’ll look into it and make changes if needed.

Please note:

• You can’t ask us to delete accurate medical records unless a court tells us to
• We may not be able to share everything if it could put someone at risk or affect a safeguarding investigation

We’ll always explain your rights and help you understand what you can expect.

8) Retention period

We keep your information for as long as it’s needed to support safeguarding and meet legal requirements.

This means:

• We’ll keep your information while a safeguarding concern is being looked into
• After that, we’ll store it securely in line with national guidance and NHS records management policies

We don’t keep information for longer than necessary. When it’s no longer needed, we delete it safely and securely.

9) Right to complain

We take your privacy seriously and aim to handle your information responsibly and lawfully.
If you have any concerns about how your personal information is used, or how we’ve handled a safeguarding matter, please speak to us first. We’ll do our best to resolve the issue quickly and fairly.
Alternatively, you can complain to the Information Commissioner's Office

We use text messages (SMS) to help you manage your care. If you give us your mobile number and agree to receive texts, we’ll send reminders about appointments you’ve booked and other messages related to your direct care.

We’ll only use SMS for purposes that support your health and wellbeing. You can choose whether or not to receive these messages, and you can change your mind at any time.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

SMS messages are automatically generated to remind patients of forthcoming practice consultations that they have booked and for direct medical care purposes.

4) Lawful basis for processing

We send text messages to support your direct care. This is part of our public task as an NHS organisation.
Under UK data protection law, we rely on the following legal bases:

Article 6(1)(e) "…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…"

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."

We also follow the Common Law Duty of Confidentiality, which means we only share your information when there is a lawful basis to do so — for example, when you give consent or when it’s needed to provide safe and effective care.

5) Recipient or categories of recipients of the processed data

The data subject (you). We only send SMS messages directly to you, using the mobile number you’ve provided. Your information is not shared with anyone else for this purpose.

6) Rights to object

You have the right to object to receiving SMS messages from us.

If you no longer wish to receive text messages, please contact the practice and let us know. We’ll update your preferences and stop sending SMS messages unless required for urgent care.

7) Right to access and correct

You have the right to see the personal information we hold about you.

If you think any of your details are wrong or out of date, like your mobile number, you can ask us to correct them.

8) Retention period

We do not keep SMS messages once they’ve been sent. However, we may record that a message was sent as part of your medical record, if it relates to your care.

We follow NHS guidance on data retention and only keep information for as long as it’s needed to support your care and meet legal requirements.

9) Right to complain

If you have any concerns about how we use your information, including SMS messages, please speak to a member of our team. 
You can contact the practice directly and we’ll do our best to resolve the issue.

If you're not satisfied with our response, you can complain to the Information Commissioner's Office (ICO), which oversees data protection in the UK

The Summary Care Record is an NHS England initiative. It consists of a basic medical record held on a central government database on every patient registered with a GP Practice in England.

The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload. The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, the name, address, date of birth and NHS number of the patient

As well as this basic record additional information can be added, and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent.

Summary Care Records can only be viewed within the NHS on NHS smartcard controlled screens or by organisation, such as pharmacies, contracted to the NHS.

You can find out more about the SCR here

You have the right to object to our sharing your data in these circumstances and you can ask your GP to block uploads.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

During a pandemic information about vaccines may be available for clinicians to see in a clinical setting if necessary. This information is available through an NHS system called the Summary Care Record application (SCRa).

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

Upload of basic and detailed additional SCR data.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) "necessary for the performance of a task carried out in the public interest or in the exercise of official authority."

and;

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.” 

and;

Article 9(2)(b) "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject."

and;

Article 9(2)(i) "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The data will be shared with NHS Digital and health and social care organisations who contribute to your personal care.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

8) Retention period

The data will be retained in line with the law and national guidance.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

This covers information provided to Frome Medical Practice via surveys created by Frome Medical Practice. This includes online and paper based surveys for patients and/or staff members.

By completing the survey the person is giving consent to process their information.

4) Lawful basis for processing

To enable the Frome Medical Practice to process survey information the following Article 6 and 9 conditions apply:

6(1) (a)  - Consent of the data subject

and:

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

Frome Medical Practice will be the sole processor of person identifiable information. The findings of the survey may be shared with other third parties but all shared data will be anonymised.

6) Rights to object

By completing the survey you are giving consent to process and share your anonymised data. If you have consented to your personal data being processed you can change your mind and withdraw your consent at any time. 

7) Right to access and correct

You have the right to access any of your identifiable data that is being processed and have any inaccuracies corrected.

8) Retention period

Some data may be added to the patient medical record and this will be retained in line with the law and national guidance.

All other electronic survey or form data is retained for a period of up to 7 years after which the data will be securely destroyed. Any paper records are destroyed as soon as they have been recorded electronically. 

9) Right to complain

You have the right to complain to the Information Commissioner's Office

This privacy notice explains about our telephony system. When calls come into the practice there will be a message to explain that all telephone calls are recorded for training and monitoring purposes.

Calls going out of the practice will also be recorded for the same reason and this information can be found in this privacy notice, displayed on our website and in the practice. We lawfully do not require your consent; however, you do have the right to end the call if you do not wish for the call to be recorded.

All calls will be stored securely on the telephony system.

When a call is recorded we collect:

• a digital recording of the telephone conversation
• the telephone number of both parties personal data revealed during a telephone call will be digitally recorded for example name and contact details to deliver appropriate services
• occasionally 'special category' personal information may be recorded where a customer request for advice and/or services.
• telephone call recording will be turned off, when a customer's credit or debit card details are given, in line with Payment Card Industry Data Security Standards (PCS DSS) and data protection legislation including UK General Data Protection Regulations (UK GDPR).

People will only have access to data necessary to fulfil their roles.

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable a safe two-way communication between patients, or other individuals or services, and the practice.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in the practice and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

and;

Article 6(1)(b) ‘…necessary for a contract with the individual, or because they have asked to take specific steps before entering into a contract.’

and;

Article 9(2)(h) ‘…necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”

and;

Article 9(2)(b) ‘…carrying out of obligations under employment, social security or social protection law, or a collective agreement’

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

Data is accessible by the Practice as the Data Controller for this information. Information may be accessed remotely by the supplier for support purposes. Recordings are available for the Practice. Patients, individuals, and services may request access to their recordings.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. If you wish to do so please contact the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The recording data will be retained for 36 months on the telephony system before deletion.

9) Right to complain

You have the right to complain to the Information Commissioner's Office

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

To enable healthcare professionals working at Frome Medical Practice to provide all necessary information about individuals to the courts when instructed (Court Order).

4) Lawful basis for processing

The legal basis will be:

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(c) "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent"

Or alternatively:

Article 9(2)(h) "necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..."

We will also recognise your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality".

"Common Law Duty of Confidentiality", common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

5) Recipient or categories of recipients of the processed data

The courts.

6) Rights to object

Not applicable.

7) Right to access and correct

Not applicable.

8) Retention period

Data retained in line with judiciary policies on storing identifiable data

9) Right to complain

You have the right to complain to the Information Commissioner's Office

UKHSA encompasses everything from national smoking and alcohol policies, the management of pandemics or epidemics such as flu, the control of large-scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform UKHSA, for instance Scarlet Fever.

This will necessarily mean the subjects personal and health information being shared with UKHSA.

Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659), the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657), the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658), Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002

1) Data Controller contact details

Frome Medical Practice
Frome Medical Centre
Enos Way
Frome
Somerset
BA11 2FH
Telephone: 01373 301301

2) Data Protection Officer contact details

Kevin Caldwell
GP Data Protection Officer
Somerset CCG
Wynford House
Lufton Way
Yeovil
Somerset
BA22 8HR
Telephone: 01935 384000

3) Purpose of the processing

There are occasions when medical data needs to be shared with UKHSA either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.

4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

and:

Article 9(2)(i) "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,.."

5) Recipient or categories of recipients of the processed data

The data will be shared with UK Health Security Agency

6) Right to object

You have the right to object to some or all of the information being shared with the recipients. If you wish to do so please contact the practice.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained for active use during the period of the public interest and according to legal requirements and UKHSA’s criteria on storing identifiable data.

9) Right to complain

You have the right to complain to the Information Commissioner's Office