Call us: 01524 843333

Email: [email protected]
Address: 2 Queen Square, Lancaster, LA1 1RP

UK General Data Protection Regulations (UKGDPR)


Queen Square Medical Practice aims to ensure the highest standard of medical care for all our patients, and we are committed to protecting and respecting your privacy.  To do this, we keep records about you, your health, and the care we provided or plan to provide to you.

The Data Controller, responsible for keeping your information secure and confidential is Queen Square Medical Practice. The Data Protection Officer (DPO) for Queen Square Medical Practice is Yvonne Bailey.

The United Kingdom General Data Protection Regulation (UKGDPR) is the UK’s data privacy law that governs the processing of personal data from individuals inside the UK.  The UKGDPR was drafted because of the UK leaving the EU, which resulted in the EU’s GDPR not applying domestically to the UK any longer.  The UKGDPR sits alongside an amended version of the Data Protection Act (DPA) 2018.

Why do we collect your personal information?

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation.  These records help to provide you with the best possible healthcare and help us to protect your safety.

We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide.  In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services.  We will keep your information in written form and/or in digital form.  The records will include both personal and special categories of data about your health and wellbeing.

The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:

  • Protect your vital interests.
  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult.
  • Perform tasks in the public’s interest.
  • Deliver preventative medicine, medical diagnosis, medical research; and
  • Manage the health and social care system and services.

About the personal information we use

We use personal information on different groups of individuals including:

  • Patients
  • Staff
  • Contractors
  • Suppliers
  • Complainants, enquirers
  • Survey respondents
  • Professional experts and consultants

What types of personal information do we collect about you?

We may collect the following types of personal information:

  • Your name, address, email address, telephone number and other contact information
  • Gender, NHS Number and date of birth and sexual orientation
  • Details of family members and next of kin details
  • Health (Medical) information, including information relating to your sex life
  • Details of any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls.
  • Results of investigations such as laboratory tests or x-rays
  • Biometric data
  • Genetic information


How will we use the personal information we collect about you?

We may use your personal information in the following ways:

  • To help us assess your needs and identify and provide you with the health and social care that you require
  • To determine the best location to provide the care you require
  • To comply with our legal and regulatory obligations
  • To help us monitor and manage our services
  • To support medical research

How will we share your personal information?

We work with a number of other NHS and Partner agencies to provide healthcare services to you.  Below is a list of organisations that we may share your information with:

  • Other NHS hospitals
  • Relevant GP Practices
  • Dentists, opticians, and pharmacists
  • Private Sector Providers (private hospitals, care/nursing homes, hospices, contractors providing services to the NHS).
  • Voluntary Sector Providers who are directly involved in your care.
  • Ambulance Trusts.
  • Specialist Trusts.
  • The Health & Social Care Information Centre (HSCIC).
  • Clinical Commissioning Groups.
  • NHS 111.
  • Out of hours medicals services/centres.
  • NHS England.
  • Local Authorities.
  • Other ‘data processors’ which you will be informed of

We may also share your information, with your consent, and subject to strict sharing protocols about how it will be used, with:

  • Local authority departments, including social care and health (formerly social services), education and housing and public health.
  • Police and fire services.

Who else may ask to access your information?

  • The law courts can insist that we disclose medical records to them.
  • Solicitors often ask for medical reports. These will always be accompanied by your signed consent for us to disclose information.  We will not normally release details about other people that are contained in your records (e.g., wife, children, parent etc.) unless we also have their consent.
  • Life Insurance Companies frequently ask for medical reports on prospective clients. These are always accompanied by your signed consent form.  We must disclose all relevant medical conditions unless you ask us not to do so.  In that case, we would have to inform the insurance company that you have instructed us not to make a full disclosure to them. You have the right, should you request it, to see reports to insurance companies or employers before they are sent.

Any medical or health related personal information will be treated with confidence in line with the common law duty of confidentiality and the Confidentiality NHS Code of Practice.

We may be required to share information with organisations to comply with our legal and regulatory obligations. This may include:

  • Care Quality Commission (CQC): The CQC regulates health and care services to ensure that safe care is provided. The law requires that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. Further information about the CQC can be found here.
  • Public Health England: The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to local health protection team or Public Health England. Further information about Public Health England can be found here.

We will not share your information with organisations other than health and social care providers without your consent unless the law allows or requires us to.

Requests for your information are referred to as a Subject Access Request.

How long do we keep your personal information?

We follow the Records Management Code of Practice for Health and Social Care 2016 records retention schedule published by the Information Governance Alliance for the Department of Health which states that electronic patient records should be retained for 10 years from the date of death.  At that point, all personal data we hold regarding you will be securely deleted.

The basis on which we process information about you. 

The Law requires us to determine under which of six defined bases we process different categories of your personal information, and to notify you of the basis for each category. If a basis on which we process your personal information is no longer relevant, then we shall immediately stop processing your data. If the basis changes then, if required by Law, we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.

Lawful basis for processing 

The legal basis will be:

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”


Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards”.

Information we process because we have a contractual obligation with you.

When you join our Practice, receive medical services from us, or otherwise agree to our terms and conditions, a contract is formed between you and us.  In order to carry out our obligations under that contract we must process the information you give us. Some of this information may be personal information.

We may use it to:

  • verify your identity for security purposes
  • provide you with our services
  • provide you with suggestions and advice and how to obtain the most from using our website

We process this information on the basis there is a contract between us, or that you have requested we use the information before we enter into a legal contract.  Additionally, we may aggregate this information in a general way and use it to provide class information, for example to monitor our performance with respect to a particular service we provide.  If we use it for this purpose, you as an individual will not be personally identifiable.

We shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract.

Keeping your information confidential and the Gender Recognition Act 2004

Queen Square Medical Practice understands that sexual orientation and trans status are protected characteristics and therefore protected data which must be kept confidential.

The 2004 Gender Recognition Act (GRA) makes it a criminal offence to disclose an individual’s transgender history to a third party without their written consent if that individual holds a Gender Recognition Certificate (GRC).  Patients do not need to show a GRC or birth certificate for the GRA 2004 to be in effect, so we will act in best practice and act as though every trans patient has one.

We will always obtain a trans patient’s written consent before sharing details about their social or medical transition, sometimes also called gender reassignment, with other services or individuals.  This includes information such as whether a patient is currently taking hormones or whether they have had any genital surgery, as well as information about previous names or the gender they were given at birth.

Consent will always be obtained before information relating to the patient being trans is shared in referrals and this information will only be shared where it is clinically relevant, e.g., it would be appropriate when referring a trans man for a pelvic ultrasound but not if referring him to Ear, nose, and throat departments.

Research and Development

Queen Square Medical Practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of UKGDPR.

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement. We may also use your medical records to carry out research within the Practice.  We share information with accredited medical research organisations with your explicit consent or when the law allows.  More information about our research can be found here

Queen Square Medical Practice contributes to the Clinical Practice Research Datalink (CPRD)

Information in patient records is important for medical research to develop new treatments and test the safety of medicines.  This practice supports medical research by sending some of this information from patient records to CPRD.

CPRD is a government organisation that provides anonymised patient data for research to improve patient and public health.  You cannot be identified from the information sent to CPRD.

If you do not want anonymised information from your patient record to be used in research you can opt out by speaking to one of our Doctors, Nurses or Patient Advisors and ask them to let our IT Lead know.

For more information about how your data is used please click here:

Digitisation of Medical Records

Lancashire and South Cumbria was chosen by NHS England to be a national pilot for the digitisation of Medical Records.  Scanning these paper-based records and making them digital will enable better utilisation of space, creating more clinical space, staff areas, multi team space and video hubs, removing the need for some practices to build extensions. In addition, it will also make your record more easily and speedily accessible to clinical staff within your practice.

Your complete GP medical record will be digital and stored in a secure cloud based clinical system (only accessible by your GP practice) with the paper-based records being securely destroyed following BS EN 15713:2009 Secure destruction of confidential material.  Your GP will still be able to access your records easily within this system.  The scanning and destruction of the paper records will follow strict data protection guidelines adhered to by the NHS.  As with paper-based records, digital records are stored for the durations specified in the Records Management Codes of Practice for Health and Social Care.  For GP patient records, this states that they may be destroyed 10 years after the patient’s death if they are no longer needed.

Medicines Management

The Practice may conduct Medicines Management Reviews of medication prescribed to its patients.  This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.  This service is mainly carried out in the Practice however there are times when it may also be supported by LSC ICB.

Shared Care Records

To support your care and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other systems.  The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your record.

Text (SMS) messages

If you have provided your mobile telephone number, we may use this to send automatic appointment reminders, requests to complete surveys or to make you aware of services provided by the surgery that we feel will be to your benefit.

If you do not wish to receive these text messages, please let the reception team know.


We use accuRx to communicate with our patients, for example via SMS or video call.

Full details about how accuRx will process your personal information can be found on their privacy notice

Telephone Call Recording


This policy outlines the practice’s call recording process.

The purpose of call recording is to provide a record of incoming and outgoing calls which can:

  • Identify practice staff training needs.
  • Protect practice staff from nuisance or abusive calls.
  • Establish facts relating to incoming/outgoing calls made (e.g. complaints)
  • Identify any issues in practice processes with a view to improving them (e.g. to aid workforce planning)


The purpose of this policy is to ensure that call recording is managed in line with Data Protection Act 2018 requirements.

The practice will make every reasonable effort to advise callers that their call may be recorded and for what purpose the recording may be used. This will normally be via a pre-recorded message within the telephone system and via signage at the practice. The voice file will be stored within the telephone recording system software to which the same rules of confidentiality will apply. The practice’s data protection registration covers voice files similarly to other data.

Where a patient requests to listen to a recording then this should be allowed within the general provision of a data subject access request under the General Data Protection Regulations (GDPR)/Data Protection Act. 


This policy applies to all practice staff including any contracted or temporary workers.

All external incoming and outgoing calls made by practice staff via the telephone system will be recorded.

Recording will automatically stop when the practice staff member terminates the call.

Callers will be advised that the call will be recorded for training and monitoring purposes in the form of an automated voice message and via an information notice displayed at the surgery plus information contained on the surgery website.

Playback, Monitoring and Storage of Recorded Calls 

Monitoring of the call recordings will be undertaken by the Practice Manager or IT Lead.

Any playback of recordings will take place in a private setting and where applicable, individuals should be given the opportunity to listen to the relevant recordings to receive feedback and developmental support.

All recordings and call recording equipment will be stored securely on site at the practice and access to these will be controlled and managed by the IT Lead.

Recordings will be accessed by logging into a dedicated, password protected computer system.

Call recordings will be retained by the practice for 3 years.


The Data Protection Act allows patients access to information that is held about them. This includes recorded telephone calls.

Requests for copies of telephone conversations can be made under the Data Protection Act as a “Subject Access Request”. After assessing whether the information can be released, the requestor can be invited to the practice premises to hear the recording. A data subjects have the right to the erasure of personal data concerning them. ‘The right to be forgotten’ does not override legal and compliance obligations.

If there is a request from an external body relating to the detection or prevention of a crime (e.g. police), then requests for information should be directed to the Practice Manager.

Under GDPR, organisations are prohibited from recording the personal conversations of staff, even with consent, and therefore need to ensure that while business calls are recorded, personal calls always remain private.

Type 1 Opt-Out Information

The data held in your GP medical records is shared with other healthcare professionals for the purposes of your individual care. It is also shared with other organisations to support health and care planning and research.

If you do not want your personally identifiable patient data to be shared outside of your GP practice for purposes except your own care, you can register an opt-out with your GP practice.  This is known as a Type 1 Opt-out and you can register your preference here.

NHS National Data Opt-out.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected in a patient record for that service.  Collecting this confidential patient information helps to ensure you get the best possible care and treatment.

The confidential patient information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, where allowed by law.

You have a choice about whether you want your confidential patient information to be used in this way.  If you are happy with this use of information, you do not need to do anything.  If you choose to opt out, your confidential patient information will still be used to support your individual care.  We do not share your confidential patient information for purposes beyond your individual care without your permission.  When sharing data for planning and reporting purposes, we use anonymised data so that you cannot be identified in which case your confidential patient information isn’t required.

Information being used or shared for purposes beyond individual care does not include your confidential patient information being shared with insurance companies or used for marketing purposes and information would only be used in this way with your specific agreement. Health and care organisations that process confidential patient information must put systems and processes in place so they can be compliant with the national data opt-out.  They must respect and apply your opt-out preference if they want to use or share your confidential patient information for purposes beyond your individual care.

Queen Square Medical Practice are currently compliant with the national data-out policy as we do not share your confidential patient information for purposes beyond your individual care without your permission.

To find out more or to register your choice to opt out, please visit

You can change your choice at any time.  Your preference for NHS National Data Opt-out cannot be updated by your GP practice.

Your rights

You have a right to:

  • ask for a copy of the information we hold about you – via a Subject Access Request
  • correct inaccuracies in the information we hold about you
  • withdraw any consent you have given to the use of your information
  • complain to the relevant supervisory authority in any jurisdiction about our use of your information

Although we must provide this information free of charge, if your request is considered unfounded or excessive, or if you request the same information more than once, we may charge a reasonable fee.

In some circumstances you may:

  • ask us to erase information we hold about you
  • request a copy of your personal data in an electronic format and require us to provide this information to a third party
  • ask us to restrict the use of information we hold about you; and
  • object to the use of information we hold about you.

You can exercise these rights by contacting the practice.  You can write to us, or we have a form available for you to complete where you can specify your request.  Once we have received your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However, if your request is complex, we may take longer, by up to two months, to respond. If this is the case, we will tell you and explain the reason for the delay.

You have the right under Article 21 of the UKGDPR to object to your personal information being processed. Please contact the Practice if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance.

GP Practices process personal data under Article 6(1)(c) on a lawful and legitimate basis where the organisation is obliged under law to comply with:

  • The UK General Data Protection Regulation (UKGDPR)
  • The Freedom of Information Act (FOI)
  • The NHS Constitution
  • The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009

By complying with these laws, the Practice has compelling legitimate grounds for the processing which override the interests, rights, and freedoms in the right to object.

How to contact us

If you have any questions about our privacy notice, the personal information we hold about you, or our use of your personal information then please contact our Data Protection Officer via post at:

Data Protection Officer

Queen Square Medical Practice

2 Queen Square



How to make a complaint

You also have the right to raise any concerns about how your personal data is being processed by us with the Information Commissioners Office (ICO) by clicking here to visit their website or calling 0303 123 1113.

Changes to our privacy notice

We keep our privacy notice under regular review, and we will place any updates on this webpage. This privacy notice was last updated on 01/08/2023.

COVID-19 supplementary notice

In order to look after your health and care needs, health and social care bodies may share your confidential patient information contained in your Summary Care Record with clinical and non-clinical staff in other health and care organisations, for example hospitals, NHS 111 and out of hours organisations. These changes will improve the healthcare that you receive away from your usual GP practice.

Further information regarding COVID-19 supplementary privacy notice from NHS UK.

GPES Data for Pandemic Planning and Research (COVID-19)

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care, and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking, and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.

NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation (UKGDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under UKGDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests, and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning, and providing health, social care, and public services, identifying coronavirus trends and risks to public health, monitoring, and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security, and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared.  Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

GP Connect

It allows authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently.

It makes patient information available to all appropriate clinicians when and where they need it, leading to improvements in both care and outcomes. GP Connect can only be used to share patient information for direct care purposes, not for any other reasons such as planning or research.

It provides a suite of technical standards that system suppliers can develop and offer to their customers in their own familiar system.

Products and services can be used individually or combined to support interoperability between differing system across a variety of care settings. These products are developed and delivered by the GP Connect team in NHS England.

You can find more information about GP Connect here: GP Connect – NHS Digital

Department for Work and Pensions (DWP) eMED3 fit note data

The DWP performs a weekly anonymous extract of fit note usage data for collection, storage, transmission, and publication by NHS Digital. As data controllers, we will make you aware of the data collection and ask you about your consent preferences. This could be:

  • In person when you come in for a fit note.
  • On our practice website.
  • On our practice notice board.

If you do not consent to secondary use of GP patient identifiable data, we will be code it on your care record. If you don’t actively express dissent, implied consent is assumed.

To comply with the Department of Health’s patient objection policy, data about patients who have dissented from secondary use of their data will not be included in the extract.

Electronic submission of non-identifiable patient data to the DWP will only be sent if you have not opted out.

What data is included in the extract?

The data extracted is completely anonymous to protect patient privacy and consists of:

  • How many eMED3 fit notes are issued.
  • How many patients are recorded as ‘unfit’ or ‘maybe fit’ for work.
  • Fit note duration.
  • Gender.
  • Health condition type aggregated to a high-level diagnosis code, for example, paranoid schizophrenia would be classed as a Mental Disorder.
  • Location, including CCG areas.
  • Whether workplace adaptations were recomm

Please see links below for our individual Privacy Notices:

QSMP Practice Privacy Policy v4

QSMP Privacy Notice – Update COVID 19

QSMP Privacy Notice CQC

QSMP Privacy Notice Direct care (Emergencies)

QSMP Privacy Notice Direct Care (Routine & Referrals)

QSMP Privacy Notice National Screening Programmes

QSMP Privacy Notice NHS Digital

QSMP Privacy Notice Payments

QSMP Privacy Notice Public Health

QSMP Privacy Notice Risk Stratification

QSMP Privacy Notice Research

QSMP Privacy Notice Safeguarding

QSMP Privacy Notice Summary Care Record

QSMP Privacy Notice – Digitalisation of Medical Records

QSMP Privacy Notice National Immunisation Services

QSMP Privacy Notice – Telephone Call recordings

This website uses cookies

A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites.

Cookies allow a website to recognise a user’s device.

Some cookies help websites to remember choices you make (e.g. which language you prefer if you use the Google Translate feature). Analytical cookies are to help us measure the number of visitors to a website. The two types we use are ‘Session’ and ‘Persistent’ cookies. Some cookies are temporary and disappear when you close your web browser, others may remain on your computer for a set period of time.

We do not knowingly collect or intend to collect any personal information about you using cookies. We do not share your personal information with anyone.

What can I do to manage cookies on my devices?

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit

To opt out of being tracked by Google Analytics across all websites visit

If you are concerned about cookies and would like to ask further questions please do not hesitate to write to our website developers – [email protected]

Register Your Type 1 Opt-out Preference

The data held in your GP medical records is shared with other healthcare professionals for the purposes of your individual care. It is also shared with other organisations to support ... [continue] Register Your Type 1 Opt-out Preference

Subject Access Requests

A request by a patient, or a request by a third party who has been authorised by the patient, for access under the GDPR (and DPA 2018) is called a ... [continue] Subject Access Requests

Date published: 18th October, 2014
Date last updated: 19th June, 2024