Privacy Notice – How We Use Your Information

Towcester Medical Centre 

Including Paulerspury Branch Surgery 

Data Protection Privacy Notice for Patients 

 

Introduction 

This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations. This privacy notice applies to personal information processed by or on behalf of Towcester Medical Centre. 

This Notice Explains 

  • Who we are and how we use your personal information 
  • Information about our Data Protection Officer 
  • What kinds of personal information we hold about you and what information we use 
  • The legal grounds for processing your personal information, including when we share it with other organisations 
  • What to do if your personal information changes 
  • For how long your personal information is retained/stored by us 
  • What your rights are under Data Protection laws 

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) became law on 25th May 2018. Following the UK’s departure from the European Union, from January 1st, 2021, the UK has been subject to an Adequacy Agreement allowing data to continue to be shared with European Union Countries. All references to GDPR are now referred to as UK GDPR. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, amends certain provisions of the UK GDPR and DPA 2018, and this practice complies with all applicable requirements under this legislation. 

For the purpose of applicable data protection legislation (including UK GDPR) and the Data Protection Act 2018, the practice responsible for your personal data (the Data Controller) is Dr Andrew Odwell. 

How We Use Your Information and the Law 

Dr Andrew Odwell will be the “Data Controller” of your personal data. We collect basic personal data about you, which includes name, address, telephone number, email address, date of birth, next of kin information, NHS number etc. 

We will also collect sensitive confidential data known as “special category personal data”, in the form of health information, religious beliefs (if required in a healthcare setting), ethnicity, sexuality etc. and we may also receive this information about you from other health providers or third parties. 

Your Rights Over Your Personal Information 

Right to be Informed 

You have the right to be informed about how we handle, process, and share your personal information; this privacy notice ensures that, as a practice, we satisfy this right. 

Right to Access Your Personal Information 

You can request access to and/or copies of the personal data we hold about you, free of charge (subject to exemptions) within one calendar month. Such requests can be made verbally or in writing, but we do request that you provide us with adequate information to process your request, such as providing full name, address, date of birth, NHS number and details of your request. 

On processing a request there may be occasions when information may be withheld if we believe that releasing the information to you could cause serious harm or distress. Information may also be withheld if another person (i.e., third party) is identified in the record, and they do not want their information disclosed to you. 

Right to Rectification 

The correction of personal data when incorrect, out of date or incomplete will be acted upon within one calendar month of receipt of such a request. Please ensure Towcester Medical Centre has the correct contact details for you at all times. 

Right to Erasure 

Under Article 17 of the UK GDPR, individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances, for example when your personal data is no longer necessary for the purpose for which it was originally collected or processed. 

Right to Restrict Processing 

Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that you can limit the way that the practice uses your data. 

Right to Data Portability 

The right to data portability gives individuals the right to receive personal data they have provided to the Practice in a structured, commonly used, and machine-readable format. 

Right to Object to Processing 

You have the right to object to processing. However, please note that if we can demonstrate compelling legitimate grounds which outweigh your interest, then processing can continue. 

Rights in Relation to Automated Decision Making 

If any of the processes we use rely on automated decision making, you do have the right to ask for a human to review any computer-generated decision at any point. 

Why We Need Your Information 

The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously. These records help to provide you with the best possible healthcare and treatment. NHS health records may be electronic, paper-based or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure. 

Records about you may include: 

  • Details about you, such as your address, carer or legal representative and emergency contact details 
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments 
  • Notes and reports about your health 
  • Details about your treatment and care 
  • Results of investigations such as laboratory tests, x-rays etc. 
  • Relevant information from other health professionals, relatives or those who care for you 
  • Contact details (including email address, mobile telephone number and home telephone number) 

How We Lawfully Use Your Data 

We need your personal, sensitive, and confidential data in order to provide you with healthcare services as a General Practice. Under the UK GDPR we will be lawfully using your information in accordance with: 

  • Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 
  • Article 9(2)(h): Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems. 

 

Systems We Use to Process Your Data 

Towcester Medical Centre uses various digital systems and technologies to provide you with safe, effective healthcare. The following section details each system and how your data is processed. All systems operate under appropriate Data Processing Agreements. 

EMIS Web (Clinical System) 

EMIS Web is our primary clinical system where your medical records are stored. This system is provided by EMIS Health and stores your data in a highly secure, third-party cloud hosted environment (Amazon Web Services). The data remains in the UK at all times and is fully encrypted both in transit and at rest. The hosted service provider does not have access to decryption keys. 

Accurx Scribe by Tandem (AI Clinical Documentation) 

We use Accurx Scribe (powered by Tandem Health) to assist clinicians in documenting consultations. This AI-powered tool: 

  • Transcribes your conversation with the clinician in real time 
  • Audio is streamed only for transcription; full audio recordings are not stored 
  • After transcription, identifying details are handled according to data protection requirements 
  • Generates a draft consultation note for clinician review 
  • The clinician reviews, edits and approves all notes before they become part of your official record 
  • Outputs are stored securely and encrypted within the UK/EU 
  • Transcripts and draft notes are typically retained for up to 30 days then deleted 
  • Identifiable patient data is not used to train AI models 

Lawful Basis: Processing of your data through Accurx Scribe is carried out under Article 6(1)(e) (public task) and Article 9(2)(h) (provision of healthcare). A Data Protection Impact Assessment (DPIA) has been completed for this processing. 

If you have concerns about AI being used during your consultation, please inform your clinician who can turn off this feature for your appointment. Your preference will be recorded in your medical record and will be respected for future appointments unless you inform us otherwise. 

Accurx Total Triage (Online Consultation System) 

Accurx Total Triage allows you to submit medical and administrative requests online. When you use this service: 

  • Your request details are securely transmitted to the practice 
  • Information is processed within the UK/EEA 
  • Data is encrypted in transit and at rest 
  • Your submissions are reviewed by clinical staff and added to your medical record where appropriate 
  • Accurx acts as a data processor under contract with the practice 

X-ON Surgery Connect (Telephone System) 

Our telephone system is provided by X-ON Surgery Connect. This system: 

  • Records all telephone calls for quality assurance and training purposes 
  • Provides a record of conversations between you and practice staff 
  • Helps protect staff and patients from potential abuse or disputes 
  • Call recordings are stored securely and retained for 3 years in line with NHS retention schedules 
  • You are entitled to request a copy of call recordings where you are the data subject 
  • May use cloud-based queue management and callback features 

NHS Mail (Secure Email) 

NHS Mail is the secure email service provided by NHS England for health and social care communications. We use NHS Mail to communicate securely with other NHS organisations about your care, send and receive referrals, test results, and clinical correspondence, and share information with other healthcare providers involved in your care. All data is processed within secure NHS infrastructure in the UK. 

Microsoft SharePoint (Document Management) 

We use Microsoft SharePoint for internal document management and collaboration. This may include storage of practice policies, procedures, and administrative documents, and limited patient-related administrative information where necessary. Data is processed by Microsoft under appropriate data processing agreements with data centres located within the UK/EEA. Access is restricted to authorised practice staff only. 

Eclipse (Medicines Optimisation) 

Eclipse is a medicines optimisation system that helps us ensure you receive safe and effective medication. The system provides alerts about potential prescribing safety issues, helps identify patients who may benefit from medication reviews, supports medicines reconciliation after hospital discharge, and uses data from your medical record to provide safety alerts. It is operated under data processing agreements with appropriate safeguards. 

Practice Index (Practice Management Resources) 

Practice Index provides management and HR resources for the practice. Any personal data processed through this system relates primarily to staff information. Patient data is not routinely processed through this system. 

Summary of Systems and Data Processing 

System                  Purpose                      Data Location
EMIS Web                Clinical records system      UK (AWS)
Accurx Scribe (Tandem)  AI clinical documentation    UK/EU
Accurx Total Triage     Online consultations         UK/EEA
X-ON Surgery Connect    Telephone & call recording   UK
NHS Mail                Secure email                 UK (NHS)
Microsoft SharePoint    Document management          UK/EEA
Eclipse                 Medicines optimisation       UK
Practice Index          Practice management          UK

 

CCTV Privacy Notice 

Towcester Medical Centre operates Closed Circuit Television (CCTV) surveillance systems at both our Towcester and Paulerspury sites. This section explains how we use CCTV and your rights regarding this footage. 

Data Controller 

Towcester Medical Centre is the Data Controller for CCTV footage captured at both sites. Contact details are provided at the end of this notice. 

Locations Covered 

Towcester Medical Centre 

Link Way, Towcester, Northamptonshire NN12 6HH 

CCTV cameras are positioned to monitor: 

  • External areas including car park, building entrances and perimeter 
  • Reception and waiting areas 
  • Corridors and communal areas 
  • Dispensary areas (where applicable) 

Paulerspury Branch Surgery 

High Street, Paulerspury, Towcester, Northamptonshire NN12 7NA 

CCTV cameras are positioned to monitor: 

  • External areas including car park and building entrance 
  • Reception and waiting area 
  • Dispensary area 

CCTV does not monitor consultation rooms, treatment rooms, toilet facilities, or any areas where clinical examinations take place. 

Purpose of CCTV 

We use CCTV for the following purposes: 

  • To protect the health, safety and security of patients, staff and visitors 
  • To deter and detect crime, including theft, vandalism and anti-social behaviour 
  • To assist in the identification of individuals involved in incidents 
  • To support police and other authorities in the prevention and detection of crime 
  • To assist in resolving disputes and complaints 
  • To protect our premises and assets 

Legal Basis for Processing 

Our use of CCTV is based on the following legal grounds under UK GDPR: 

  • Article 6(1)(f) Legitimate Interests: We have a legitimate interest in protecting our premises, staff, patients and visitors, and in deterring and detecting crime. 
  • Article 6(1)(e) Public Task: Processing is necessary for the performance of a task carried out in the public interest, namely the provision of safe healthcare services. 

Signage 

Clear signage is displayed at both sites to inform individuals that CCTV is in operation. Signs are positioned at entrances and throughout the premises where cameras are located. 

Data Retention 

CCTV footage is retained for a maximum of 31 days unless it is required for longer in connection with an ongoing investigation, legal proceedings, or a Subject Access Request. After this period, footage is automatically overwritten or securely deleted. 

Access to CCTV Footage 

Access to CCTV footage is strictly controlled and limited to: 

  • Designated members of practice management 
  • Police and law enforcement agencies (where legally required or appropriate) 
  • Other regulatory bodies with lawful authority 
  • Individuals exercising their Subject Access Rights (in relation to footage of themselves only) 

Your Rights Regarding CCTV 

Under the UK GDPR, you have the right to: 

  • Request access: You can request a copy of CCTV footage in which you appear. Please provide the date, time, and location to help us locate the relevant footage. Requests must be made within 31 days of the recording. 
  • Request erasure: In certain circumstances, you may request that footage containing your image be deleted, although this right is limited where we have a legitimate or legal reason to retain it. 
  • Object to processing: You have the right to object to the processing of your personal data via CCTV, although we may continue processing if we have compelling legitimate grounds. 

Important: Where CCTV footage contains images of other individuals, their images will be redacted or obscured before any footage is released to protect their privacy. 

Security Measures 

We take appropriate technical and organisational measures to protect CCTV footage, including secure storage systems with restricted access, password protection, regular review of access logs, and secure deletion procedures. 

 

Risk Stratification and Population Health Management 

Risk stratification data tools are used in the NHS to help determine a person’s risk of suffering a condition, to prevent an unplanned admission or readmission, and to identify a need for preventive intervention. Information about you is collected from several sources including NHS Trusts and from this GP Practice. The identifying parts of your data are removed, analysis is undertaken, and a risk score is determined. This is then provided back to your GP in an identifiable form to enable proactive care. 

GP Connect 

The Practice uses GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes. Authorised clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses, Secondary Care Trusts, and Social Care Clinicians are able to access GP records via this secure NHS digital service. 

Summary Care Records 

All patients registered with a GP have a Summary Care Record, unless they have chosen not to have one. The information held gives registered healthcare professionals access to information to provide you with safer care. Your Summary Care Record contains basic (Core) information about allergies, medications, and any reactions you have had to medication in the past. You can choose to have a Summary Care Record with all information shared, with Core information only, or to opt-out altogether. To make changes, please inform the practice or complete the NHS England form. 

National Data Opt-Out 

You have a choice about whether your confidential patient information is used for research and planning purposes beyond your individual care. Towcester Medical Centre is compliant with the national data opt-out policy. To register your choice or find out more, visit www.nhs.uk/your-nhs-data-matters. 

Who We Share Your Data With 

We may share your information, subject to strict agreements on how it will be used, with the following organisations: 

  • NHS Trusts/Foundation Trusts 
  • Other GPs and Primary Care Networks 
  • NHS Commissioning Support Units 
  • Independent Contractors (dentists, opticians, pharmacists) 
  • Ambulance Trusts 
  • Integrated Care Boards 
  • Social Care Services 
  • NHS England 
  • Multi Agency Safeguarding Hub (MASH) 
  • Local Authorities 
  • Police & Judicial Services (where legally required) 
  • Data processors acting on our behalf (as listed in this notice) 

Primary Care Network 

Towcester Medical Centre is a member of Brackley & Towcester Primary Care Network (PCN). This means we work closely with the following local practices for the purpose of direct patient care: 

  • Brook Health Centre 
  • Brackley Medical Centre 
  • Springfield Surgery 

Staff from these practices will only access your information if it is to support your healthcare needs. 

Sharing Your Information Without Consent 

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example: 

  • Where there is a serious risk of harm or abuse to you or other people 
  • Safeguarding matters and investigations 
  • Where a serious crime is being investigated or could be prevented 
  • Notification of new births 
  • Infectious diseases that may endanger the safety of others 
  • Where a formal court order has been issued 
  • Where there is a legal requirement (e.g., Road Traffic Offences) 

How Long We Store Your Information 

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice 2021. GP records are typically retained for 10 years after death or after the patient has permanently left the UK. 

How We Maintain Confidentiality 

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 2018, UK GDPR, Human Rights Act 1998, Common Law Duty of Confidentiality, Health and Social Care Act 2012, and NHS Codes of Confidentiality, Information Security and Records Management. 

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. 

 

Contact Information 

Practice Details 

Towcester Medical Centre 

Link Way, Towcester, Northamptonshire NN12 6HH 

Telephone: 01327 359953 

Website: www.towcestermedicalcentre.co.uk 

Paulerspury Branch Surgery 

High Street, Paulerspury, Towcester, Northamptonshire NN12 7NA 

Data Protection Contacts 

IG Lead / Caldicott Guardian: Dr Andrew Odwell 

Data Protection Officer: MLCSU – 01782 234567 

Complaints 

If you have concerns about how your information is managed, please contact the Practice Manager in the first instance. We will acknowledge any data protection complaint within 30 days and respond without undue delay, taking appropriate steps to address your concerns. If you remain unhappy following a review, you have the right to lodge a complaint with the Information Commissioner’s Office: 

Information Commissioner’s Office 

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF 

Telephone: 0303 123 1113 

Website: www.ico.org.uk 

 

Document Version: November 2025 

Review Date: November 2026 

Approved by: Dr Andrew Odwell