Privacy Policy

Matlock and Ashover Practice Privacy Policy

Last updated: December 2025

This privacy notice explains how Matlock and Ashover Practice collect, uses, and protects your personal data when you use our website or our services.

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and NHS confidentiality requirements.

 Data Controller

Matlock and Ashover Practice
Address: Far Hill, Milken Lane, Ashover S45 0BA & 8 Imperial Road, Matlock, DE4 3NL
Telephone: 01629 593240
Email: ddicb.admin.map@nhs.net

Data Protection Officer (DPO):

Paul Couldrey
Email: couldrey@me.com

This practice:

  • Uses SystmOne (TPP) as its clinical system
  • Shares patient information for direct care in line with NHS England guidance
  • Uses GP Connect to support safe and effective care across NHS services
  • Provides patients with clear information about how their data is used and shared
  • Complies with the UK GDPR, Data Protection Act 2018, and NHS confidentiality requirements
  • Retains records in line with the NHS Records Management Code of Practice

 

 

 

 

Information We Collect

a) Personal Data

We may collect and process the following personal data:

  • Name
  • Contact details (email address, telephone number)
  • Date of birth (where required)
  • NHS number (where required)
  • IP address
  • Any information you provide via online forms, accurx, or emails

b) Special Category Data

As a GP practice, we may also process special category data, including:

  • Health and medical information

3. How We Use Your Information

We use your information to:

  • Provide general practice services and medical care using the SystmOne clinical system
  • Manage appointments, prescriptions, referrals, and test results
  • Respond to enquiries submitted via our website or online consultation systems
  • Support population health management and quality improvement as required by the NHS
  • Improve our website and services
  • Comply with legal, contractual, and regulatory obligations

4. Lawful Basis for Processing

Under UK GDPR, our lawful bases include:

  • Article 6(1)(e): Performance of a task in the public interest (healthcare provision)
  • Article 6(1)(c): Legal obligation
  • Article 6(1)(a): Consent (where required)

For special category data:

  • Article 9(2)(h): Provision of health or social care

5. Use of Artificial Intelligence (AI)

We may use digital tools that include artificial intelligence (AI) or automated functionality to support administrative and clinical processes. This may include tools used for:

  • Online consultation triage and form routing
  • Supporting administrative tasks such as document handling or messaging
  • Improving efficiency and patient access to services

AI tools used by the practice:

  • Do not make automated decisions about your care without appropriate human oversight
  • Are used to support, not replace, clinical decision-making
  • Are deployed in line with NHS guidance, information governance standards, and supplier contracts

Where AI tools process personal data, this is done lawfully, securely, and only for healthcare or practice management purposes.

If you would like more information about how digital or AI-enabled tools are used by the practice, please contact us.

6. Cookies and Website Analytics

Our website may use cookies to:

  • Ensure the website functions correctly
  • Collect anonymous usage statistics

You can manage cookie preferences via your browser settings. For more information, see our Cookie Policy.

6. Sharing Your Information

We may share your information with:

  • NHS organisations involved in your direct care
  • Commissioning bodies (e.g. NHS England and Integrated Care Boards)
  • Our clinical system supplier TPP, who provide the SystmOne clinical system
  • Other GP practices and NHS services through SystmOne data sharing agreements
  • Other healthcare professionals using GP Connect, where this is necessary for your direct care
  • IT and communications providers who support our services (e.g. online consultation and messaging tools)
  • Regulators and statutory bodies where legally required

SystmOne Data Sharing

SystmOne allows GP practices and other NHS organisations to share patient records securely where there is a lawful basis and appropriate data sharing agreements in place. This sharing supports safer, more efficient care by allowing authorised clinicians to access relevant information.

We only share information:

  • Where it is necessary for your care
  • With organisations providing NHS services
  • In line with national NHS guidance and contractual requirements

 

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;

  • NHS Trusts / Foundation Trusts
  • GP’s
  • Primary Care Network
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Multi Agency Safeguarding Hub (MASH)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers
  • Private Sector Providers
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

 

GP Connect

GP Connect is an NHS service that allows authorised clinicians in other NHS settings (such as hospitals, urgent care, and community services) to access relevant parts of your GP record through secure NHS systems.

GP Connect is used to:

  • View relevant information from your GP record
  • Support safe prescribing and continuity of care
  • Improve communication between healthcare providers

Access via GP Connect is strictly controlled, audited, and only available to healthcare professionals involved in your direct care.

All data sharing is carried out in accordance with UK GDPR, the Data Protection Act 2018, and NHS confidentiality obligations.

7. Data Storage and Retention

Patient records are primarily held within SystmOne, provided by TPP on behalf of the NHS.

Data is stored securely within the UK or in locations approved under UK GDPR and NHS standards.

Medical records are retained in line with the NHS Records Management Code of Practice.

8. Your Rights and Choices

You have rights under UK GDPR, including the right to:

  • Access your personal data
  • Request correction of inaccurate or incomplete data
  • Request erasure (where applicable)
  • Restrict or object to processing in certain circumstances
  • Data portability (where applicable)
  • Withdraw consent (where processing is based on consent)

Objections and Opt-Outs (SystmOne and GP Connect)

Direct Care Sharing

Most data sharing through SystmOne and GP Connect is carried out based on direct care. This means your information is shared so that NHS healthcare professionals involved in your treatment can provide safe and effective care.

Under NHS England guidance, you cannot opt out of GP Connect access where it is required for your direct care, as this sharing is considered necessary for the provision of healthcare.

However, you have the right to:

  • Ask questions about how your information is shared
  • Raise concerns about specific types of access
  • Request that certain sensitive information is reviewed or restricted where clinically appropriate

Each request will be considered on a case-by-case basis, balancing your preferences with clinical safety and legal obligations.

 

 

 

SystmOne Sharing Preferences

SystmOne allows practices to manage data sharing with other NHS organisations. In some circumstances, it may be possible to limit certain types of record sharing.

If you have concerns about SystmOne data sharing, please contact the practice to discuss your options.

National Data Opt-Out

The National Data Opt-Out allows you to opt out of your confidential patient information being used for research and planning purposes. This does not apply to information shared for your individual care, including GP Connect.

You can find out more or set your preference at: www.nhs.uk/your-nhs-data-matters

To exercise any of your rights or discuss objections, please contact us using the details above.

 

9. Complaints

If you have concerns about how we use your data, please contact our DPO first.

You also have the right to complain to the Information Commissioner’s Office (ICO):
Website:www.ico.org.uk
Telephone: 0303 123 1113

 Patient FAQs – Data Sharing, SystmOne and GP Connect

Can I opt out of GP Connect?

GP Connect is used to support your direct care by allowing authorised NHS clinicians (such as hospital doctors, pharmacists, and urgent care clinicians) to view relevant parts of your GP record.

Because GP Connect is used for direct care, you cannot opt out of GP Connect entirely. This is in line with NHS England guidance and ensures your care is safe and coordinated.

Can I opt out of SystmOne data sharing?

SystmOne allows information to be shared securely between NHS organisations involved in your care. Some sharing is essential for direct care and cannot be opted out of.

In certain circumstances, it may be possible to review or limit specific types of sharing. If you have concerns, please speak to the practice and we will discuss your options with you.

Does the National Data Opt-Out stop GP Connect?

No. The National Data Opt-Out only applies to the use of your confidential patient information for research and planning. It does not apply to information shared for your individual care, including GP Connect or SystmOne direct care sharing.

Who can see my GP record?

Only authorised healthcare professionals involved in your care can access your record. All access is:

  • Role-based
  • Secure
  • Audited

Any inappropriate access is investigated.

What if I have concerns about my data?

If you have any concerns about how your information is used or shared, please contact the practice. We are happy to explain our processes and address any worries.

 

 

 

Risk Stratification

 

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention.

Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness.

 If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

 

Primary Care Network

The objective of primary care networks (PCNs) is for group practices together to create more collaborative workforces which ease the pressure of GP’s, leaving them better able to focus on patient care.

This practice is a member of Derbyshire Dales.

Primary Care Networks form a key building block of the NHS long-term plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons, including improving the ability of practices to recruit and retain staff; to manage financial and estates pressures; to provide a wider range of services to patients and to more easily integrate with the wider health and care system.

This means the practice may share your information with other practices within the PCN to provide you with your care and treatment.

 

 

 

 

Invoice validation

If you have received treatment within the NHS, the CCG may require access to your personal information in order to determine which Clinical Commissioning Group should pay for the treatment or procedure you have received.

Information such as your name, address and date of treatment may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices, and will not be shared for any further Commissioning purposes.

NHS health checks

All of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. We may invite you for an appointment directly or by using a data processor who works entirely under our direction and who will contact you for this purpose only. Nobody outside the healthcare team in the practice will see confidential information about you during the invitation process and contact details only would be securely transferred to a data processor if that method was employed. You may be offered to attend your health check within the practice or at a community venue. If your health check is at a community venue all data collected will be securely transferred back into the practice system and nobody outside the healthcare team in the practice will see confidential information about you during this process.

Medicines Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by the CCGs Medicines Management Team under a Data Processing contract with the Practice.

Telephone system

Our telephone system records all telephone calls. Recordings are retained for up to three years and are used periodically for the purposes of seeking clarification where there is a dispute as to what was said and for staff training Access to these recordings is restricted to named senior staff.

Medical examiner service

Following the death of any patients of Matlock and Ashover Practice we are now obliged to inform North Derbyshire NHS Trust, Medical Examiner Service.

Medical examiner offices at acute trusts now provide independent scrutiny of non-coronial deaths occurring in acute hospitals. The role of these offices is now being extended to also cover deaths occurring in the community.

Medical examiner offices are led by medical examiners, senior doctors from a range of specialties including general practice, who provide independent scrutiny of deaths not taken at the outset for coroner investigation. They put the bereaved at the centre of processes after the death of a patient, by giving families and next of kin an opportunity to ask questions and raise concerns. Medical examiners carry out a proportionate review of medical records and liaise with doctors completing the Medical Certificate of Cause of Death (MCCD).

The Practice will share any patient with the service upon request.

Patient Communication

Because we are obliged to protect any confidential information, we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details. We may contact you using SMS texting to your mobile phone if we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your upto-date details.

 This is to ensure we are sure we are contacting you and not another person. As this is operated on an ‘opt out’ basis we will assume that you give us permission to contact you via SMS if you have provided us with your mobile telephone number. Please let us know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us. Please ensure that we have your up-to-date details.

There may be occasions where authorised research facilities would like you to take part in research. Your contact details may be used to invite you to receive further information about such research opportunities

 

What should you do if your personal information changes?

You should tell us so that we can update our records please contact the Practice as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number), the practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

Changes to This Privacy Notice

We may update this privacy notice from time to time. Any changes will be published on this website and will apply from the date of publication.

 

Page last reviewed: 16 December 2025
Page created: 10 December 2020