Shoreditch Park Surgery
Privacy Notice
1. Who We Are
Shoreditch Park Surgery is a National Health Service (NHS) GP practice. We are the Data Controller for the personal information we hold about you, which means we decide how and why your data is used.
Our contact details
Shoreditch Park Surgery
10 Rushton Street
London
N1 5DR
Telephone: 020 7739 8525
Website: www.shoreditchparksurgery.com
Data Protection Officer (DPO)
Our Data Protection Officer is responsible for overseeing how we handle your personal data and ensuring we comply with data protection law.
DPO: Radha Muthuswamy
Email: nel.gpdpoig@nhs.net
You can also write to the DPO at the practice address above.
2. What Personal Data We Collect
We collect and hold the following types of personal information about you:
Personal identification data
- Full name, date of birth, gender and NHS number
- Home address, telephone numbers and email address
- Next of kin and emergency contact details
- Carer or guardian details (where relevant)
Health and clinical data
- Medical history, diagnoses and clinical notes
- Medications, prescriptions and allergies
- Results of investigations such as blood tests, X-rays and scans
- Referral letters and correspondence from hospitals and other healthcare providers
- Records of appointments, clinic visits and home visits
- Mental health information
- Lifestyle information (such as smoking status, alcohol use and weight)
- Childhood immunisation records and maternity information
Administrative data
- Records of telephone calls made to the practice (calls are recorded for training and monitoring purposes)
- Complaints and feedback records
- Information provided when registering with the practice
3. Where We Get Your Information From
We receive information about you from a number of sources:
- Directly from you, when you register with us, book appointments, attend consultations or contact us
- Your previous GP practice, when your records are transferred to us
- NHS hospitals, clinics and specialist services that have treated you
- NHS 111 and out-of-hours services
- Pharmacies and community services
- Social care and local authority services
- Screening programmes run by NHS England
- Family members or carers, where you or they have provided this information on your behalf
- Other health and care professionals involved in your care
4. Why We Use Your Information and What We Do With It
4.1 Providing you with direct care
The primary reason we hold your information is to provide you with safe, effective healthcare. This includes:
- Booking and managing your appointments
- Providing medical treatment, advice and prescriptions
- Referring you to specialists, hospitals or other services
- Communicating test results and clinical information to you
- Sharing relevant information with other healthcare professionals involved in your care (for example, hospitals, pharmacies and community nurses)
We use the GP Connect service to allow other NHS clinical staff treating you — such as those at GP federation services, emergency departments, minor injury units or out-of-hours services — to access your GP record so they can provide you with safe care.
4.2 Training and education
Shoreditch Park Surgery is a training practice. This means that GP registrars (qualified doctors training to become GPs) and, on occasion, medical students may be involved in your care. They work under clinical supervision. You may be asked if you are happy for a trainee to be present during your appointment; you can always say no, and this will not affect the care you receive.
On occasion, clinical consultations may be recorded for educational purposes. You will always be asked for your consent before any recording takes place.
4.3 Safeguarding
We have a legal duty to share information — without your consent if necessary — where we believe there is a risk of serious harm to you or others, or to protect a child or vulnerable adult. This includes sharing with the London Borough of Hackney Children's and Adults' safeguarding teams, and the police where required by law.
4.4 National screening programmes
We share information with NHS England for national screening programmes, which screen for conditions such as bowel cancer, breast cancer, cervical cancer, aortic aneurysms and diabetic retinopathy. This allows eligible patients to be invited to participate in these programmes.
4.5 Risk stratification
We may use your information, alongside that of other patients, to identify patients who may be at risk of certain conditions or unplanned hospital admissions. This allows us to offer targeted support or preventative care. This has been approved by the Secretary of State. You may opt out of this — please speak to the practice.
4.6 Invoice validation and payment
We use your NHS number to check that the Integrated Care Board (ICB) is responsible for funding your treatment, and to ensure that organisations providing your care are paid correctly. This is underpinned by Section 251 of the NHS Act 2006.
4.7 Clinical audit and service planning
Your information may be used by our Integrated Care Board (North East London ICB) for clinical audit, to monitor the quality of services for patients with long-term conditions. Where information is used for statistical purposes, strict measures are taken to ensure individual patients cannot be identified.
4.8 Medical research
Sometimes your information may be requested for medical research purposes. We will always ask for your permission before sharing identifiable information for research. Where research uses pseudonymised or anonymised data, your consent may not be required.
Shoreditch Park Surgery participates in the OpenSAFELY service, a Trusted Research Environment directed by NHS England. Researchers approved by NHS England may run queries on pseudonymised data. Identifiers are removed so individual patients cannot be identified.
4.9 Legal and statutory obligations
We are required by law to share certain information without your consent in some circumstances. These include:
- Notification of certain infectious diseases to Public Health England / UKHSA
- Sharing information with the Care Quality Commission (CQC) for inspection purposes
- Sharing information with the courts or police where required by a court order or legislation
- Sharing data with NHS England under the Health and Social Care Act 2015 for specific purposes set out in law
4.10 Individual Funding Requests
If a clinician makes a request on your behalf for specialist treatment not routinely commissioned by the ICB, we will share the relevant information needed to assess that request, with your consent.
5. Our Lawful Basis for Processing Your Information
Data protection law requires us to have a legal basis for using your personal data. We rely on the following:
For general personal data (UK GDPR Article 6)
- Article 6(1)(e) — Public task: processing is necessary for the performance of a task in the public interest, namely the provision of NHS healthcare
For special category health data (UK GDPR Article 9)
- Article 9(2)(h) — Healthcare purposes: processing is necessary for the provision of health or social care treatment
- Article 9(2)(i) — Public health: processing is necessary for reasons of public interest in the area of public health
- Article 9(2)(j) — Research and statistics: processing is necessary for scientific or historical research or statistical purposes
Where we rely on your consent — for example, for research purposes or certain data sharing — you have the right to withdraw that consent at any time. Please contact the practice to do so. Withdrawing consent will not affect the lawfulness of any processing carried out before you withdrew it.
All staff are subject to the Common Law Duty of Confidentiality and the NHS Digital Code of Practice on Confidential Information. Information provided in confidence will only be used for the purposes for which it was given, unless there are other grounds to use it as set out above.
6. Who We Share Your Information With
We may share your information with the following organisations, where there is an appropriate legal basis to do so:
NHS and health organisations
- NHS hospitals and specialist services (for referrals and direct care)
- NHS 111 and out-of-hours providers
- Community nursing, physiotherapy and other allied health services
- North East London Integrated Care Board (NEL ICB) — for commissioning, clinical audit and performance monitoring
- NHS England — for national data collections, screening programmes, and statutory purposes
- GP Connect — to allow authorised NHS clinical staff to access your record for direct care
- OpenSAFELY — for pseudonymised research, directed by NHS England
Social care and safeguarding
- London Borough of Hackney — Children's Services and Adults' Social Care, where there are safeguarding concerns or care needs
- Local safeguarding partnerships, where required
Other organisations
- Pharmacies — for the processing and dispensing of prescriptions
- Health visitors and school nurses — for childhood immunisations and new baby checks
- NHS Diabetic Eye Screening Programme and other screening services
- NHS National Diabetes Audit and similar national clinical audits (using anonymised or pseudonymised data)
- Legal and regulatory bodies — such as the courts, police, CQC or NHS Resolution — where required by law or court order
- Indemnity and insurance providers — in the event of a complaint or legal claim
We do not sell your personal data to any third party. We do not share your information for commercial marketing purposes.
7. How Long We Keep Your Information
We retain your records for the periods specified by NHS England's Records Management Code of Practice for Health and Social Care 2021. In most cases, GP patient records are retained for a minimum of 10 years after your last contact with the practice, or for longer where clinically necessary.
When records are no longer needed, they are disposed of securely in accordance with NHS guidelines. Paper records are destroyed using confidential waste procedures. Electronic records are deleted or anonymised using approved methods. We maintain a retention schedule in our Information Asset Register.
Further guidance on secure document destruction is available from the ICO: ico.org.uk/for-organisations/advice-for-small-organisations/information-security/data-storage-advice/practical-methods-for-destroying-documents-that-are-no-longer-needed/
8. Your Rights
Under UK data protection law, you have the following rights:
- Right of access — you can request a copy of the personal data we hold about you (known as a Subject Access Request)
- Right to rectification — you can ask us to correct inaccurate or incomplete information
- Right to erasure — in certain circumstances, you can ask us to delete your data
- Right to restriction — you can ask us to restrict how we use your data in certain circumstances
- Right to data portability — in some cases you can ask for your data in a machine-readable format
- Right to object — you can object to us processing your data where we rely on public task or legitimate interests
- Rights related to automated decision-making — you have the right not to be subject to solely automated decisions that significantly affect you
To exercise any of these rights, please contact the practice in writing or by telephone. We will respond within one calendar month.
Please note that some of these rights do not apply in all circumstances — for example, the right to erasure does not override our legal obligation to maintain medical records.
9. How to Opt Out of Data Sharing
Type 1 Opt-Out (practice-level)
You can ask us not to share your confidential patient information outside this practice for purposes other than your direct care. To register a Type 1 Opt-Out, please contact us and ask to complete the appropriate form. Please note this does not apply to sharing required by law.
National Data Opt-Out
You can choose to stop your confidential patient information being used by other NHS and social care organisations for research and planning purposes. This is separate from your direct care and does not affect the treatment you receive.
You can register your National Data Opt-Out at www.nhs.uk/your-nhs-data-matters or by calling 0300 303 5678.
The national data opt-out does not apply where you have given explicit consent for a specific purpose, or where the sharing is required by law.
10. How to Raise a Concern or Complain
If you have any concerns about how we use your personal data, please contact us in the first instance:
Practice Manager
Shoreditch Park Surgery
10 Rushton Street, London, N1 5DR
Tel: 020 7739 8525
You may also contact our Data Protection Officer:
Radha Muthuswamy — nel.gpdpoig@nhs.net
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator:
ICO website: www.ico.org.uk
ICO helpline: 0303 123 1113
ICO address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11. Our Website and Cookies
Our website (www.shoreditchparksurgery.com) may use cookies — small data files placed on your device — to help the website function correctly. We only share website data with organisations that provide services to the NHS. You can manage your cookie preferences when you visit our website.
Our website is hosted and managed in accordance with NHS data security standards.
12. Changes to This Privacy Notice
We keep this privacy notice under regular review and will update it when our practices change or when required by law. The current version will always be available on our website and in the practice.
This notice was last reviewed in May 2026.
Shoreditch Park Surgery is registered with the Information Commissioner’s Office (ICO) as a Data Controller.
This privacy notice has been prepared in accordance with UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, and NHS England guidance.