Privacy policy
As data controllers, GPs have fair processing responsibilities under the Data Protection Act and GDPR law 2018. This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.
Privacy Statement
NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.
Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.
Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.
Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP.
Here you can find additional information about OpenSAFELY.
eConsult
1. Introduction
By law, all organisations using personal information or data must provide a clear description of how it is used, providing related information to ensure processing is carried out lawfully and fairly. Your GP’s main privacy notice is available on their website, or by contacting their reception.
Additional information provided below describes only the use of information when you use (for yourself, or on behalf of someone else) your GP’s online consultation service. Where there are differences depending on practice location (England, Wales, Scotland or Northern Ireland), these are specifically noted below.
Please read your GP’s main privacy notice – if you wish to use their online consultation service here, please also read the below supplementary information:
1a. Online consultation service for GP practices in England
Your GP Practice has engaged a specialised online consultation supplier – approved to NHS England technical standards – which has gone through stringent scrutiny, achieving all necessary requirements to provide online consultations. NHS England, on your GP’s behalf, contracts with the supplier and acts as a joint system controller with your GP. However, NHS England will not receive any personal information, so your GP remains responsible for this data, ensuring that any provided data to use this service is for online consultation purposes only.
The UK GDPR and The Data Protection Act 2018 (the data protection laws) protect individuals with regard to the processing of personal data. The organisation providing this service is eConsult Health Ltd. (eConsult), who will act as a personal data processor under the data protection laws.
When accessing the service, NHS England is a controller jointly with GPs and eConsult is a processor for GPs, managed through the joint controller relationship that NHS England established with GPs and continues to maintain.
Please note that if you access our service using your NHS login details the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
1b. Online consultation services for GP practices in Wales, Scotland or Northern Ireland
Your (or the person you’re filling the form in for’s) GP Practice has engaged a specialised online consultation supplier, which has gone through stringent scrutiny, achieving all necessary requirements to provide online consultations. The GP practice has contracted with the supplier, so acts as a system controller. They remain responsible for personal data, and will ensure that any provided data to this service is used for online consultation purposes only.
The organisation providing this service is eConsult Health Ltd (eConsult), who act as a personal data processor under the data protection laws.
2. The lawful basis for your GP’s online consultation service
The following legal bases set out in the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 allow your (or the person you’re filling forms in for’s) GP to use personal information when you use their provided online consultation service (for yourself, or on someone else’s behalf):
- When using your (or who you’re filling the form in for’s) personal information (Personal Data):
  - Article 6(1)(e) of the GDPR, which permits your GP practice to process necessary personal information to provide a service in the public interest
- When using your (or who you’re filling the form in for’s) medical data or other personal data of a sensitive nature:
  - Article 9(2)(h) of the GDPR, which permits your GP practice to process necessary health information for health treatment provision
3. Data processing purposes
Online consultations allow GP patients to contact the practice, without having to wait on the phone or come into the practice – especially if a patient isn’t sure whether they need a face-to-face consultation. Online consultations enable patients to use secure online systems to ask questions and report symptoms. The practice can respond and signpost patients to the right person (such as a doctor), or to appropriate service or support.
4. Personal information used
This service is online, so the GP practice needs to ensure it’s confidential and high-quality. To do this, they need to properly identify you (or the person you’re filling in forms for), accurately noting both initial requests and their responses. If they are prevented from having this essential information, they will be unable to provide a secure, confidential service.
eConsult doesn’t collect any personal data which is not needed to deliver the service to you (or to the person you are filling in the form for).
4a. GP practices in England:
GP practices use the following information to identify and deal with each request:
Identity and contact information
Including:
- name
- gender
- date of birth
- NHS number
- email address
- telephone number
- postal address
If you (or the person you’re filling information in for) have NHS login details, you will already be verified, so can (if you wish) use these details on your online consultation, to save time and avoid manually entering details, or re-identifying yourself.
Special personal information categories
Health information, like:
- symptoms
- conditions
- medication
- other details already held in GP records, and/or which you provide during an online consultation.
4b. GP practices in Wales, Scotland or Northern Ireland:
Your GP uses the following information to identify and deal with each request:
Identity and contact information
Including:
- name
- gender
- date of birth
- NHS number
- email address
- telephone number
- postal address
Special personal information categories
Health information, like:
- symptoms
- conditions
- medication
- other details held in GP records, and/or which you provide during the online consultation.
Please refer to each GP practice’s main privacy notice for any further information.
5. Personal information sharing
5a. Your GP controls your information
As mentioned earlier, your (or the person you’re filling forms in for’s) GP has engaged the specialised organisation eConsult to provide an online consultation service on their behalf – personal data will be shared with them so they can provide this service. If you are advised to seek urgent care, your information will not be shared with other health and care providers.
For GP practices in England, NHS England confirms they will only use personal information to provide health services.
For GP practices in Wales, Scotland and Northern Ireland, please refer to individual GP practice main privacy notice(s), relating to personal information use.
5b. The NHS app (England only)
This online consultation service is made available to patients using the NHS app, which can be downloaded from the App Store or Google Play. Provided by NHS England, the NHS app offers health services like viewing your medical record. If you are logged into the NHS app, you will also have access to your GP’s online consultation service, and any requests made will be securely sent from the NHS app to their practice system (via NHS England.)
Whenever a GP shares personal information, they will always comply with the law.
5c. The TimeBack Service (specific GPs only)
eConsult can provide a fast and easy way for care providers (specifically GPs in the first instance) to summarise patient consultations using natural language processing and generative AI. eConsult is the developer of this service (called TimeBack). This part of the service uses Large Language Models (LLMs) to help a clinician to summarise a report so that they can add their professional insights without doing everything from scratch.
The AI element of the service is not intended to automate any reporting process, and the entire process is validated by the GP. What this means in practice is that a user of the service can review and change the outcome of the AI generated report to ensure that it is accurate.
If your GP is using this component of the eConsult service, they will tell you during your consultation with them. The legal basis of processing will be to provide you with direct care, but if you don’t wish them to use this you can ask them to take their notes manually.
Your data is processed in the UK and is only used for the purposes of transcribing and summarising the conversation.
6. Information processing and storage
Your personal data is processed and stored within the United Kingdom.
How long personal information is kept
Your (or the person you’re filling forms in for’s) GP practice sets personal information retention periods and instructs eConsult, the engaged contractor providing online consultations on their behalf, to comply with these. All consultations will be stored by eConsult in accordance with the Records Management Code of Practice for Health and Social Care 2021 so that a user can access the patient’s eConsult history and gain access to the consultations via our tool. However, eConsult would delete the data earlier than suggested by this code if they were informed that the condition of Schedule 9(3) GDPR and s. 11(1) Data Protection Act 2018 no longer applies.
Healthtech-1
Patient Privacy Policy: Privacy Policy for Patients v.7.1
Patients
Healthtech-1 is an automation software provider for healthcare organisations like your GP practice or local hospital. If you’re a patient, we receive information about you in two ways:
- Via healthcare organisations who use Healthtech-1 software
- If you contact us directly, for example through our email or chat platform
Via healthcare organisations who use Healthtech-1 software
We provide software products to healthcare organisations involved in your care. These healthcare organisations are responsible for how your information is used - in legal language, they are the “Data Controller”. When they want to use our software to complete tasks with or about you, they provide us with information and instruct us how to use it.
This means we’re acting as a “Data Processor” and this falls outside the scope of a Privacy Policy. We have a very clear agreement with your healthcare provider that sets out what we do with the data, and how we keep it safe. You can request the full agreement and more information about our role and how we protect data.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England's Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
Via direct correspondence with you
If we correspond with you directly, we’ll collect information about you. The exact information we collect about you will depend on the way you contact us.
By email or social media
- Name
- Telephone number
- Social media handles
- Anything else you share with us over the correspondence
Why: We collect this information on the basis of our legitimate interest to ensure we deal with your queries quickly and efficiently and understand how you interact with us.
Lexacom
Aprobrium Limited (“We”) are committed to protecting and respecting your privacy.
This policy (together with our terms of use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting Lexacom.co.uk you are accepting and consenting to the practices described in this policy.
For the purpose of the Data Protection Act 2018 (the Act), the data controller is Aprobrium Limited of East Court, Hardwick Business Park, Banbury OX16 2AF.
Lexacom’s privacy policy can be found on their website here: https://www.lexacom.co.uk/policies/privacy-policy/
Connecting Care
Connecting Care is a digital care record system for sharing information in Bristol, North Somerset and South Gloucestershire. It allows instant, secure access to your health and social care records for the professionals involved in your care.
Relevant information from your digital records is shared with people who look after you. This gives them up-to-date information making your care safer and more efficient.
Mendip Vale Medical Group uses the system in the following way:
- We can access your data stored within the system
If you would like to learn more about Connecting Care and how your information is being used, please visit the Transparency Notice (connectingcarebnssg.co.uk) on the Connecting Care website.
Data Protection Officer (DPO)
Contact details: Please email bnssg.mendipvale.scanners@nhs.net to the attention of David Clark, DPO.
Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.
This website uses cookies
A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites.
Cookies allow a website to recognise a user’s device.
Some cookies help websites to remember choices you make (e.g. which language you prefer if you use the Google Translate feature). Analytical cookies are to help us measure the number of visitors to a website. The two types we use are ‘Session’ and ‘Persistent’ cookies. Some cookies are temporary and disappear when you close your web browser, others may remain on your computer for a set period of time.
Photo and Video Disclaimer for Marketing and Communications
Mendip Vale Medical Group reserves the right to use any photograph/video taken on the surgery grounds as well as at any sponsored event on or off campus, without the expressed written permission of those included within the photograph/video. Mendip Vale Medical Group may use the photograph/video in any publications or other marketing material produced, used or contracted by Mendip Vale Medical Group, including but not limited to: brochures, books, newsletters, social media, websites, television etc. To ensure the privacy of individuals and minors, images will not be identified using full names or personal information without written approval from the photographed subject, parent or legal guardian.
Any individual who does not wish to have their image recorded for distribution should make their wishes known to the photographer/videographer and contact the Business Support Team at bnssg.mendipvale.scanners@nhs.net in writing of said intentions. Please also include a photograph of the pertaining individual, which Mendip Vale Medical Group will only use for identification purposes and will hold in confidence. By failing to notify Mendip Vale Medical Group, in writing, of your desire to not have your photograph used, you are agreeing to release, defend, hold harmless and indemnify the Mendip Vale Medical Group from any and all claims involving the use of your picture or likeness.
Any individuals not affiliated with the Mendip Vale Medical Group may not use, copy, alter or modify photographs, graphics, videography, etc., without the written permission of an authorized Mendip Vale Medical Group employee.
Thank you for your understanding and cooperation!
Site search
Please DO NOT add any personally identifiable information – such as your name, NHS number, address or any other distinguishing detail – when using the site search function. The site search is intended to return information displayed on the website ONLY, and is not linked to our practice management system or your individual NHS records. Site search data is recorded in our analytics and cannot be deleted.
Hippo Labs Privacy Policy
As part of our practice’s efforts to care for our patients proactively, we are now using the Hippo Recaller digital tool (from Hippo Labs) to help us do this effectively. The aim of Hippo Labs' platform is to identify patients and automate the messaging relating to proactive patient care needs, resulting in better outcomes for patients and the practice. The platform facilitates secure, digital communications between healthcare practices and patients.
Using the Hippo Labs platform will involve the processing of special category data by Hippo Labs, its sub-processors, and the GP Practice as a data controller. This includes the exchange and storage of messages between patients, Hippo Labs and practice staff. The platform allows patients to respond to the practice in various ways, including via questionnaires.
Hippo Labs adheres to NHS England best practice and is approved for use by GP practices and other systems involved in patient care. There are rigorous assurance processes in place to ensure the highest standards of safety and security. Your data is safe and is shared only with your GP practice for the purposes of your direct care. Your data is securely stored and transmitted using industry best practices, and Hippo Labs only collects the data necessary to allow your GP practice to provide this care.
The practice uses the following Hippo Labs features:
- Patient identification
- SMS messaging
- WhatsApp messaging
- NHS App messaging
- Email messaging
Hippo Labs’ privacy notice can be found on their website here: Hippo Labs | Privacy Policy.
Controller Contact Details
Mendip Vale Medical Group
Langford Surgery
Pudding Pie Lane
Bristol
BS40 5EL
Data Protection Contact Details
Hippo Labs Data Protection Contact: dataprotection@hippolabs.co.uk
Purpose of the Processing
The purpose of the Hippo Labs platform is to analyse and automate patients’ proactive care needs and facilitate successful communication between the practice and patients, improving healthcare outcomes and operational efficiency. The platform enables secure, digital communication between healthcare practices and patients.
Lawful Basis for Processing
Under UK GDPR and DPA 2018:
- 6(1)(e): ‘...necessary for the performance of a task carried out in the public interest or in the exercise of official authority...’.
- 9(2)(h): ‘...medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems...’.
Recipient or Categories of Recipients of the Shared Data
Data may be shared with Hippo Labs and its sub-processors, which may include cloud service providers used for Hippo Labs’ own storage, communications, security, engineering, and other related services.
Rights to Object
You have the right under Article 21 of the UK GDPR to object to the processing of your personal data. To raise an objection, please contact your GP Practice. Please note, this right to object does not guarantee that your request will be granted in all circumstances, as certain legal or medical reasons may apply.
Right to Access and Correct
You have the right to access copies of your data and to correct any inaccuracies. Please note that medical records cannot be deleted unless ordered by a court of law.
Retention Period
Your data will be retained for active use during processing and then stored according to NHS policies and applicable laws.
Right to Complain
If you have concerns about how your data is handled or processed, please contact us using the details laid out above. If you are not satisfied with our response, you have the right to raise your complaint with the Information Commissioner’s Office (ICO).
Heidi Privacy Policy
Heidi have developed an AVT tool which uses AI to transcribe consultations in real time to produce clinical notes. Bristol, North Somerset, and South Gloucestershire ICB (‘BNSSG ICB’) and OneCare are working together to offer a pilot of AVT to practices in this region.
The pilot aims to:
- Support clinicians by using AVT to produce an accurate consultation summary.
- Reduce clinician admin time spent typing up consultation notes.
- Improve engagement with patients including a reduction in time spent looking at a screen and therefore an increase in eye contact with the patient.
- Provide evidence of the benefits of AVT in primary care through evaluation.
Heidi’s privacy policy can be found on their website here: Privacy Policy UK | Heidi Health