Privacy

This Privacy Policy explains how Penryn Surgery collects, uses, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and NHS confidentiality obligations.

1. Who We Are

Penryn Surgery is an NHS General Practice providing primary medical services. For the purposes of data protection law, we are the Data Controller for the personal data we process.

We are committed to protecting your privacy and ensuring your personal information is used lawfully, fairly, and transparently.

Practice Contact Details

Penryn Surgery
Practice Manager: Mrs Emma Berry
Email: letters.penryn@nhs.net

Data Protection Officer (DPO)

Umar Sabat
NHS Cornwall and Isles of Scilly Integrated Care Board
Part 25, Chy Trevail
Beacon Technology Park
Dunmere Road
Bodmin
PL31 2FR

Email: Ciosicb.contactus@nhs.net
Telephone: 01726 627800

2. Personal Data We Process

We process personal data relating to patients, staff, and other individuals where necessary.

Personal data may include:

  • Name, address, date of birth, NHS number
  • Contact details (telephone, email)
  • Details of carers, next of kin, or legal representatives

Special category data may include:

  • Health and care information
  • Test results, referrals, and treatment records
  • Ethnicity, sex, and religion (where relevant to care)

3. Why We Use Your Information

Your health records are used to:

  • Provide safe and effective healthcare
  • Support continuity of care
  • Protect public health
  • Manage NHS services
  • Carry out clinical audit and service improvement

Records may be held electronically, on paper, or in a combination of formats. We use appropriate technical and organisational measures to keep your information secure.

4. Lawful Bases for Processing

We process your data under the following lawful bases:

UK GDPR Article 6

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

UK GDPR Article 9 (special category data)

  • Article 9(2)(h) – processing is necessary for medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems

Most patient data is processed without consent because it is necessary to provide NHS healthcare services.

Where we rely on consent (for example, certain research activities or optional communications), you have the right to withdraw that consent at any time.

5. Risk Stratification

The NHS uses risk stratification tools to help identify patients who may benefit from preventative care or additional support. This involves analysing de-identified data from multiple NHS sources. Only your GP practice can re-identify the data.

You have the right to opt out of your data being used for risk stratification.

6. Medicines Management

We may carry out medicines management reviews to ensure prescriptions are safe, effective, and up to date.

7. Confidentiality and Information Sharing

We respect patient confidentiality and only share information where:

  • It is necessary for your direct care
  • There is a legal obligation
  • It is in the public interest

We comply with:

  • Data Protection Act 2018
  • UK GDPR
  • Common Law Duty of Confidentiality
  • Human Rights Act 1998
  • Health and Social Care Act 2012
  • NHS Codes of Practice
  • Caldicott Principles

All staff and contractors are subject to confidentiality obligations.

8. Devon and Cornwall Care Record

Health and social care organisations across Devon and Cornwall, including Penryn Surgery, use a shared care record to support safe and effective care.

This shared system is known as the Devon and Cornwall Care Record and is supported by NHS Cornwall and Isles of Scilly Integrated Care Board (ICB).

The Devon and Cornwall Care Record allows authorised health and care professionals involved in your care to access relevant information quickly, particularly in urgent or out‑of‑hours situations.

Access is:

  • Limited to authorised staff
  • Role‑based and proportionate
  • Audited and monitored

Only information that partner organisations have agreed is necessary for care is shared.

Further information is available via the Devon and Cornwall Care Record service.

9. Who We Share Information With

In line with NHS and Cornwall and Isles of Scilly ICB arrangements, we may share your information where necessary and lawful with:

  • Other GP practices
  • NHS Trusts and Foundation Trusts
  • NHS England
  • NHS Digital (now part of NHS England)
  • Cornwall and Isles of Scilly Integrated Care Board
  • Community health services
  • Social care services
  • Ambulance services
  • Pharmacies, dentists, and opticians
  • Approved voluntary and private sector providers commissioned to support NHS services
  • Local authorities and education services
  • Police or judicial bodies where there is a legal obligation

Information sharing is always subject to:

  • A lawful basis
  • The Common Law Duty of Confidentiality
  • Data sharing agreements or contracts

10. How We Use SystmOne (Our Clinical Record System)

Penryn Surgery uses TPP SystmOne as its main electronic clinical record system. SystmOne is an NHS-approved system used by GP practices, community services, and other NHS providers to support the safe delivery of care.

What information is held in SystmOne?

SystmOne is used to securely record information such as:

  • Your personal details (name, address, NHS number)
  • Details of appointments and consultations
  • Clinical notes made by healthcare professionals
  • Test results, referrals, and correspondence
  • Prescriptions and medicines information

Why we use SystmOne

We use SystmOne to:

  • Provide you with safe and effective care
  • Share relevant information with other authorised NHS professionals involved in your care
  • Ensure continuity of care, including out-of-hours and urgent care services
  • Meet our legal and contractual obligations as an NHS GP practice

Who can access your SystmOne record?

Access to SystmOne is:

  • Restricted to authorised staff involved in your care
  • Role-based, so staff only see what they need to perform their duties
  • Logged and audited to prevent inappropriate access

Sharing information through SystmOne

Where appropriate, SystmOne supports information sharing with other NHS organisations (for example, community services or out-of-hours providers) to support your direct care. This sharing is governed by NHS and Cornwall & Isles of Scilly ICB information-sharing agreements.

If you have concerns about how your information is shared, you can discuss this with the practice.

11. Your Choices at a Glance

You have important choices about how your information is used.

  • Your direct care
    Your information is used to provide you with safe and effective healthcare. You cannot opt out of this.
  • Sharing for planning and research
    You can choose whether your confidential patient information is used for NHS planning, research, and improving services by setting a National Data Opt-Out.
  • Research participation
    If you are invited to take part in research, your consent will be requested separately.
  • Communication preferences
    You can choose how we contact you (for example by phone, text, or email).
  • Access to your records
    You have the right to see and request copies of your health records.
  • Raising concerns
    If you have questions or concerns about how your data is used, you can contact the practice or the Data Protection Officer.

12. Frequently Asked Questions (FAQs)

Can I opt out of my information being shared?

You cannot opt out of information being used for your direct care, as this is necessary to provide you with safe and effective healthcare.

However, you can choose to opt out of your confidential patient information being used for purposes beyond your individual care, such as planning, research, or improving health and care services.

This is known as the National Data Opt-Out.

What is the National Data Opt-Out?

The National Data Opt-Out allows patients to choose not to have their confidential patient information used for:

  • Research
  • Planning
  • Improving health and care services

The opt-out does not apply to:

  • Your direct care
  • Situations where data use is required by law

How do I set or change my National Data Opt-Out?

You can set or update your National Data Opt-Out choice at any time by:

  • Visiting the NHS website
  • Using the NHS App
  • Calling NHS 111

Your choice will be respected by Penryn Surgery and across the NHS.

Will opting out affect my care?

No. Opting out will not affect your individual care, treatment, or access to NHS services.

If you would like more information or have concerns about how your data is used, please contact the practice.

13. Where Your Data Is Stored

Your data is primarily processed within the UK. Where systems are hosted in the European Economic Area, appropriate UK GDPR safeguards apply.

14. How Long We Keep Your Information

We retain records in line with the NHS Records Management Code of Practice for Health and Social Care and national archival requirements.

15. Your Rights

You have the right to:

  • Be informed about how your data is used
  • Access your personal data
  • Request correction of inaccurate data
  • Request erasure (where applicable)
  • Restrict or object to certain processing
  • Request data portability (where legally applicable)
  • Withdraw consent (where consent is used)

You also have the right to complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.org.uk

16. Accessing Your Records (DSARs)

You may request access to your records free of charge. We will respond within one month, subject to identity verification and any lawful exemptions.

17. Keeping Your Information Up to Date

Please inform the practice if your personal details change so we can keep our records accurate.

18. Digital Services

This notice applies to digital services including online consultations, the NHS App, email, and SMS communications. Consent will be obtained where required.

19. Cookies and Website Privacy

Our website provides further information about cookies and analytics where applicable. Cookie preferences can be managed online.

20. Data Breaches

All data breaches are investigated and, where required, reported to the ICO within 72 hours. Patients will be informed where there is a high risk to their rights and freedoms.

21. Review of This Notice

This Privacy Notice is reviewed regularly and updated when required to reflect changes in law or practice.

Date published: 20th September, 2023
Date last updated: 5th January, 2026