Privacy Notice

Privacy Notice

Tolson Care Partnership is committed to being transparent and providing accessible information to patients and the public about how we shall use personal data. This is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR). The following notice reminds you of your rights in respect of the above legislation and how GP practices who are members of Tolson Care Partnership will use your information to deliver your care and support the effective management of the local health and social care system.

This notice reflects how we use information for:

● The management of patient records;

● Communication concerning Tolson Care Partnerships activities, and your clinical, social and supported care;

● Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;

● Participation in health and social care research; and

● The management and clinical planning of services to ensure that appropriate care is in place for people today and in the future.


1. Our Organisation:

Tolson Care Partnership is the name of the Primary Care Network that includes the following GP Practices:

The Whitehouse Centre

The University Health Centre

The Waterloo Practice

Dalton Surgery

The Junction Surgery

Almondbury Surgery

Greenhead Family Doctors

Rose Medical Practice


Data Protection and Subject Access Contact:

The person responsible in each of the practices is as follows:

GP Practice Named Person Practice email address
Almondbury Surgery Gillian Ellis
Dalton Surgery Dr S Khokar
Greenhead Family Doctors Dr R Edara
Rose Medical Practice Sally Oldbury
The Junction Surgery Julie Sunderland
The University Health Centre Nicola Kelly
The Whitehouse Centre Gwyneth Ruddlesdin
Waterloo Practice Nicole Siswick

The Data Protection Officer for Huddersfield GP Practices is


2. What information do we collect and use?

We shall collect information from you directly and from other organisations engaged in the delivery of your care. This information will include:

  • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to, name, date of birth, full postcode, address, next of kin and NHS Number; and
  • ‘Special category data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

The practices who are members of the Tolson Care Partnership are working together to provide Extended Hours appointments to patients who are registered with a GP practice within our network. All the GP practices record all information about patients they care for within an electronic healthcare record. This may also contain information patients provide to us about their health and any treatment or care they have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services). We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

When a patient is booked into an Extended Hours appointment practices who are members of the Tolson Care Partnership are able to access the appointment diaries and elements of the medical records to enable us to contact patients if there are any amendments/changes to the service available.

3. Why do we collect this information?

Practices who are members of the Tolson Care Partnership are required to provide Extended Hours Services to patients registered with a GP Practice who is a member of their primary care network as part of the NHS England Primary Care Network DES Contract. The GP practices therefore have a statutory function to promote and provide the health service in England. To do this we need to process personal data in accordance with current data protection legislation to:

  • Provide health care and treatment, including the delivery of preventative medicine and medical diagnosis;
  • Perform tasks in the public’s interest;
  • Protect your vital interests;
  • Support the management of the health and social care system and services; and
  • Pursue our legitimate interests as a provider of medical care.

4. How do we use this information?

Your records will be used to facilitate the care you receive to ensure that you receive the best possible care, Information held about you may be used to protect the health of the public and to help us manage the NHS. Information may also be used for clinical audit to monitor the quality of the service provided.

5. Who shall we share your information with?

In order to deliver and coordinate your health and social care, we may share information with the following organisations:

  • GP Practices supporting the delivery of the Extended Hours Service;
  • Your GP Practice to inform them of any care or treatment provided to you;
  • Our pathology provider (Huddersfield Royal Infirmary) to enable tests to be carried out (e.g. blood tests);
  • Other providers of health and social care that we may refer you to.

Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.

Your information will not be transferred outside of the European Union.

6. From whom do we receive information?

When a patient is booked in to an Extended Hours appointment, the Tolson Care Partnership will obtain the most up to date information about you from the national electronic database of NHS patient details - The Personal Demographics Service (PDS). When a patient attends an Extended Hours appointment, clinicians providing the appointments are able to access the medical records held by your GP Practice to enable them to manage the appointment system to the best effect and to enable clinicians to see the most up to date care records and provide you with safe and effective care.

7. How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and confidentiality and we shall only use information that has been collected lawfully. Every member of staff who works for an NHS provider has a legal obligation to keep information about you confidential, either as part of their professional registration as a healthcare professional or within their contracts of employment.

Only authorised Health and Social Care professionals will be permitted to access the records held by or accessible to the GP practices within the Tolson Care Partnership. Those involved in your care with a legitimate reason to access your information (such as your consent) will be able to see the information needed to help with your treatment, which will include the records held by your GP Practice which have been shared with GP practices within the Tolson Care Partnership. In most circumstances, professionals will inform you before they access your full GP record to ensure you are happy for this to happen.

All access to confidential information is audited to protect against unauthorised or inappropriate access. We conduct annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

8. Keeping your information secure

All patient data is stored within the NHS network, so it is secure. Patient information is encrypted so that only those people authorised to view the information can do so.

The legal basis for processing

The use and sharing of personal data within the UK is governed by the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018.

9. The Statutory ‘Duty to Share’

All providers of health and social care services have a statutory duty placed on them by the Health and Social Care (Safety and Quality) Act 2015 requiring them to share information where this will facilitate care for an individual. This ‘duty to share’ provides a statutory gateway enabling providers of health and social care services to share information where this supports direct care. GP practices within the Tolson Care Partnership therefore rely on this statutory duty to support the sharing of, and access to, personal data when providing or facilitating the provision of healthcare services.

The Lawful Basis under the General Data Protection Regulation (GDPR)

The GDPR permits personal data to be shared where this is necessary for the performance of a public task:

Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The GDPR also allows special categories of personal data such as health information to be shared for medical purposes:

Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

10. Consent and Objections

10.1 Do I need to give my consent for data sharing?

Data Protection law sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps to build trust between individuals and organisations which use personal data. However, consent is only one potential lawful basis for processing information. Therefore, GP practices within the Tolson Care Partnership may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. We shall contact you if we are required to share your information for any other purpose which is not mentioned within this notice. Where your consent is requested, this will be documented within your electronic patient record.

10.2 What will happen if I withhold my consent or raise an objection?

If you are asked for your consent and you choose to withhold this, or if you provide consent and later decide to withdraw this, your decision will be respected. If the processing of your data relies on a legal basis other than consent, you can raise an objection to this which will be considered. You can raise an objection by contacting your GP practice using the details provided in section one.

11. Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept by most providers of healthcare. GP practices within the Tolson Care Partnership use an electronic system, EMIS or SystmOne, which enables your records to be shared between the Extended Hours Service and your GP Practice.

Record sharing will be automatically set up between your GP Practice and the Extended Hours Service if you book to attend an Extended Hours appointment. You have the right to ask your GP Practice to disable this function or restrict access to specific elements of your record. PLEASE NOTE: this will mean that the information recorded by your GP will not be visible at any other care setting. You can revise and amend your preferences at any time by giving your permission to override your previous preference.

12. Your Rights

GP practices within the Tolson Care Partnership ensure the rights of individuals are respected and upheld.

You have a number of rights under Data Protection law including:

12.1 Access

Everyone has the right to access their personal data. The Data Protection Act 2018 and General Data Protection Regulations (GDPR) allow you to find out what information is held about you, including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to access all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, MHH, or another provider that has delivered your treatment and care in the past. You should be aware that some details within your health records may be exempt from disclosure, however this will be in the interests of your wellbeing or to protect the identity of a third party.

If you would like access to the information which GP practices within the Tolson Care Partnership hold about you within its own records, please submit your request in writing to the contact for your practice in the table above.

12.2 Rectification

GP practices within the Tolson Care Partnership are responsible for ensuring any information we hold and share is accurate and up to date. You should ensure you inform us, and others who may be providing you with care such as your GP Practice, of anything which may have changed (particularly your address and contact details) since your last interaction to ensure accurate records can be maintained. Should you identify that any information we hold is inaccurate you should inform us. This will enable us to amend the information we hold. You can inform any member of staff of the clinical team when attending an appointment, or contact the named person for your practice as listed above.

12.3. Erasure

Organisations are only permitted to keep information for as long as necessary. When information is no longer required it should be erased or destroyed. All information held by GP practices within the Tolson Care Partnership is retained in line with the Records Management Code of Practice for Health and Social Care 2016.

Further rights to erasure do not apply to the care records held by GP practices within the Tolson Care Partnership as these are considered a medico-legal record. If you have any questions or concerns about the content of your records you should speak to a member of the clinical staff when attending an appointment, or contact the named person for your practice as listed above.

12.4. Restrictions and Objections

You have the right to object to the way in which your data is held and used by GP practices within the Tolson Care Partnership. If your objection relates to any direct marketing which the Tolson Care Partnership is conducting, your objection will be upheld. If your objection related to any other processing activity, you should provide specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. GP practices within the Tolson Care Partnership will consider your objection and provide you with a response, either confirming that your objection has been upheld, or detailing the compelling legitimate grounds for the processing.

If you would like to register an objection to the processing of your personal data you should speak to a member of the Extended Hours service when attending an appointment, or contact the named person for your practice as listed above.

12.5 Lodging a complaint with a supervisory authority.

You have a right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO). Should you have a concern about GP practices within the Tolson Care Partnership information rights practices you should first contact your GP practice. Should you remain dissatisfied you can find details of how to contact the Information Commissioner’s Office at