Privacy Notice

Roseland Surgeries – Privacy Notice

  1. Introduction

This Privacy Notice explains how Roseland Surgeries collects, uses, and protects your personal information. We are committed to safeguarding your data and ensuring transparency in how it is handled. Roseland Surgeries is the data controller for the personal data we process in relation to your healthcare.

  2. What Information We Collect

We may collect and process the following types of information:

  • Personal details: name, date of birth, address, contact information
  • Health records: medical history, test results, prescriptions, referrals
  • Administrative data: NHS number, appointment details
  • Digital data: use of our website or online services (IP address, cookies)

For children and young people, we process data in line with NHS guidance and parental rights.

  3. Why We Collect Your Information

We use your information to:

  • Provide safe and effective medical care
  • Manage appointments, prescriptions, and referrals
  • Communicate with you about your health and treatment
  • Fulfil legal and regulatory obligations (e.g., reporting to NHS bodies)
  • Improve our services and patient experience

  4. Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis to process your personal data.

For GP surgeries, these typically include:

  • Provision of healthcare: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (providing NHS healthcare).
  • Legal obligation: complying with laws and regulations, such as reporting notifiable diseases.
  • Vital interests: processing necessary to protect someone’s life (e.g., in emergencies).
  • Consent: in limited circumstances, where you have explicitly agreed (e.g., participation in certain research projects). Where consent is the lawful basis, you may withdraw your consent at any time.

Special category data (such as health information) is processed under Article 9(2)(h) of UK GDPR: “processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care, or treatment.”

  5. Sharing Your Information

We may share your information with:

  • NHS organisations (hospitals, specialists, pharmacies) for your care
  • Service providers supporting our IT systems and administration
  • Regulatory bodies when required by law
  • Emergency services if necessary to protect your health or safety

We will never sell your personal information.

If data is transferred outside the UK (for example, by IT providers), we ensure appropriate safeguards such as UK-approved standard contractual clauses.

  6. How Long We Keep Your Information

Your medical records are retained in line with NHS retention schedules and legal requirements. Non-clinical information is kept only as long as necessary.

  7. Your Rights

Under UK GDPR, you have the right to:

  • Access the information we hold about you
  • Request corrections if your data is inaccurate
  • Request deletion of certain information (subject to legal requirements)
  • Restrict or object to certain uses of your data
  • Request a copy of your data in a portable format

You also have the right not to be subject to decisions based solely on automated processing, including profiling, unless legally permitted.

  8. OpenSAFELY Data Analytics Service

NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes. Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym. Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals. Patients who do not wish for their data to be used as part of this process can register a Type 1 opt-out with their GP.

Find additional information about OpenSAFELY.

  9. Security

We use secure systems and strict access controls to protect your information from unauthorised access, loss, or misuse.

  10. Updates to This Notice

We may update this Privacy Notice from time to time. The latest version will always be available at reception and on our website.

  11. Contact Us

If you have questions or concerns about how your information is used, please contact: email: letters.portscatho@nhs.net, phone: 01872 580345, or speak directly to our Practice Manager.

  12. Data Protection Officer (DPO)

Umar Sabat is our Data Protection Officer. The DPO oversees compliance with data protection laws across GP surgeries in Cornwall, and can be contacted by email at: ciosicb.dpo@nhs.net

  13. Complaints

If you remain concerned after contacting us, you have the right to complain to the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection.

You can contact the ICO at:

  • 0303 123 1113
  • ico.org.uk
  • Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You may also raise concerns with NHS England or the Cornwall Integrated Care Board before escalating to the ICO. For more information on this process, please refer to our Complaints Policy.

Last reviewed: 28/11/2025