Privacy Statement

Bay Medical Group aims to ensure the highest standard of medical care for our patients. To do this we keep records about you, your health and the care we provided or plan to provide to you.

This privacy/fair processing notice explains why GP Practice collects information about you and how that information is used. It does not provide exhaustive details of all aspects of the collection and use of personal information by the Bay Medical Group. However, we are happy to provide any additional information or explanation needed. If you wish to request further information please write to Janet Taylor, Administration and IMT Manager, Heysham Primary Care Centre, Middleton Way, Heysham, LA3 2LY).

How We Use Your Information

In order to provide your care, we need to collect and keep information about you and your health on our records. Your records are used to:

  • Provide a basis for all health decisions made by care professionals with and for you;
  • Make sure your care is safe and effective; 
  • Work effectively with others providing you with care.
  • We also may use, or share, your information for the following purposes:
  • Looking after the health of the general public;
  • Making sure our services can meet patient needs in the future;
  • Auditing accounts; 
  • Preparing statistics on NHS Performance and activity (where steps will be taken to ensure you cannot be identified); 
  • Investigating concerns, complaints or legal claims; 
  • Helping staff to review the care they provide to make sure it is of the highest possible standards; 
  • Training and educating staff; 
  • Research approved by the Local Research Ethics Committee. (If anything to do with the research would involve you personally, you will be contacted to provide consent);

Disclosure of Information to Other Health and Social Professionals

We work with a number of other NHS and Partner agencies to provide healthcare services to you. Below is a list of organisations that we may share your information with:

Our partner organisations

  • Other NHS hospitals 
  • Relevant GP Practices 
  • Dentists, opticians and pharmacists 
  • Private Sector Providers (private hospitals, care/nursing homes, hospices, contractors providing services to the NHS). 
  • Voluntary Sector Providers who are directly involved in your care; 
  • Ambulance Trusts; 
  • Specialist Trusts; 
  • The Health & Social Care Information Centre (HSCIC); 
  • Clinical Commissioning Groups; 
  • NHS 111; 
  • Out of hours medicals services/centres; 
  • NHS England; 
  • Local Authorities; 
  • Other ‘data processors’ which you will be informed of

We may also share your information, with your consent, and subject to strict sharing protocols about how it will be used, with:

  • Local authority departments, including social care and health, (formerly social services), education and housing and public health; 
  • Police and fire services.

Computer System

This Practice operates a Clinical Computer System on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication.

To provide around the clock safe care, unless you have otherwise asked us not to, we will make information available to trusted organisations. Wherever possible, their staff will ask your consent before your information is viewed.

We consider patient consent as being a key factor in dealing with your health information.

Risk Stratification

Risk Stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re) admission and identifying a need for preventative intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through analysis of your de-identified information using software managed by Lancashire and South Cumbria Clinical Services Support Unit commissioned by Morecambe Bay Clinical Commissioning Group (MB CCG) and is only provided back to your GP as a data controller in an identifiable form. Risk stratification allows your GP to focus on preventing ill health and not just treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Research and Development

Bay Medical Group contributes to the Clinical Practice Research Datalink (CPRD)

Information in patient records is important for medical research to develop new treatments and test the safety of medicines. This practice supports medical research by sending some of this information from patient records to CPRD.

CPRD is a government organisation that provides anonymised patient data for research to improve patient and public health. You cannot be identified from the information sent to CPRD.

If you do not want anonymised information from your patient record to be used in research you can opt out by speaking to one of our Doctors, Nurses or Patient Advisors and ask them to let our Administration & IM&T Manager know.

For more information about how your data is used please visit:

Medicines Management

The Practice may conduct Medicines Management Reviews of medication prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. This service is mainly carried out in the Practice however there are times when it may also be supported by MB CCG.

Shared Care Records

To support your care, and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other systems. The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your record.

Gathering Patient Feedback/Patient Surveys

As part of the NHS Constitution, the NHS actively encourages feedback from public, patients and staff and welcomes it use to improve services. Bay Medical Group uses the NHS Friends and Family’s Tests (FFT) to collect feedback from patients about their experiences when accessing services so we may review the care provided and inform development of high quality standards. The FFT is managed solely by the Practice. Bay Medical Group also runs surveys from time to time to gather feedback from patients on proposed changes to services and on the introduction of new services, again these are all managed in-house by Bay Medical Group.

Lawful Basis for processing your data

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in Bay Medical Group and in support of direct care elsewhere is supported under the GDPR Special Category of Data concerning health and under the following Articles 6 (lawful basis) and 9 (conditions):

Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject."

Article 6(1)(d) "processing is necessary to protect the vital interests of the data subject or of another natural person"

Article 6(1)(e) …necessary for the performance of a task carried out in the public interest or in the exercise of official authority…

Article 9(2)(b) ‘ necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of protection law in so far as it is authorised by Union or Member State law..’

Article 9(2)(c) "processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent"

Article 9(2)(h) "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;"

Article 9(20(b)…‘necessary for social protection law

For safeguarding specifically the sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Articles 6 (lawful basis) and 9 (conditions) also apply:

For consented processing;

6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

For unconsented processing;

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject

We will consider your rights established under UK case law collectively known as the "Common Law Duty of Confidentiality"*

How we keep your information confidential and secure

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the:

  • Data Protection Act 1988; 
  • Article 8 of the Human Rights Act 1998; 
  • The Common Law Duty of Confidentiality; 
  • Health and Social Care Act 2012; 
  • The NHS Codes of Confidentiality, Information Security and Records Management; 
  • Information: To Share or not to Share Review

Everyone working in, or for, the NHS must use personal information in a secure and confidential way.

We will only ever use or pass on your information if there is a genuine need to do so. We will not disclose information about you to third parties without your permission unless there are exceptional circumstances, such as when the law requires.

To protect your confidentiality, we will not normally disclose any medical information about you over the telephone, or by fax, unless we are sure we are talking to you. This means we will not disclose information to your family, friends, and colleagues about any medical matters at all, unless we know that we have your consent to do so.

Anyone who receives information from us is also under a legal duty to keep it confidential and secure

All persons in the Practice sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.

Please be aware that your information will be accessed by non-clinical Practice staff in order to perform tasks enabling the functioning of the Practice. These are, but not limited to:

  • Typing referrals letters to hospital consultants or allied health professionals; 
  • Opening letters from hospitals and consultants; 
  • Scanning and coding of clinical letters, radiology reports and any other documents not available in electronic format; 
  • Managing medications requests & changes and producing repeat prescriptions; 
  • Photocopying or printing documents for referral to consultants; 
  • Handling, printing, photocopying and postage of medico legal and life insurance reports and of associated documents.

Rights of Access to your Health Information

Under GDPR you have the right to find out what information about you is held on computer and in manual records. This is known as ‘subject access rights’ (SARs) and applies to;

  • Confirmation that your data is being processed; 
  • Access to the personal information held about you; 
  • Access to other supplementary information (such as this privacy notice).  

If you want to see the information held about you that the Practice holds:

  • We ask that when making a SAR please mark it for the attention of the Administration and IM&T Manager, Janet Taylor.
  • Depending on the SAR, the complexity and number of requests made we may need to charge a reasonable fee to provide the information held about you; 
  • We are required to respond to you within one month, if your SAR may take longer we will explain the reasons to you. 
  • You will need to give adequate information (for example full name, address, date of birth, NHS number etc.); 
  • You will be required to provide ID before any information is released to you.

Who else may ask to access your information?

  • The law courts can insist that we disclose medical records to them; 
  • Solicitors often ask for medical reports. These will always be accompanied by your signed consent for us to disclose information. We will not normally release details about other people that are contained in your records (e.g. wife, children, parent etc.) unless we also have their consent; 
  • Limited information is shared with Public Health England to help organise national programmes for Public Health such as childhood immunisations; 
  • Social Services. The Benefits Agency and others may require medical reports on you from time to time. These will often be accompanied by your signed consent to disclose information. Failure to co-operate with these agencies can lead to loss of benefit or other support. However, if we have not received your signed consent we will not normally disclose information about you; 
  • Life Insurance Companies frequently ask for medical reports on prospective clients. These are always accompanied by your signed consent form. We must disclose all relevant medical conditions unless you ask us not to do so. In that case, we would have to inform the insurance company that you have instructed us not to make a full disclosure to them.

You have the right, should you request it, to see reports to insurance companies or employers before they are sent.

Sharing your information without consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • Where there is serious risk of harm or abuse to you or other people; 
  • Where a serious crime, such as assault, is being investigated or where it could be prevented; 
  • Notification of new births; 
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS); 
  • Where a formal court order has been issued; 
  • Where there is legal requirement, for example if you have committed a Road Traffic Offence.

Bay Medical Group is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

Information you supply using any electronic form(s) on this website will only be used for the purpose(s) stated on the from;

Changes of Details

It is important that you tell the person treating you if any of your details such as your name or address or telephone number (including mobile) have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.


The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

This information is publicly available on the Information Commissioners Office website

The Practice is registered with the Information Commissioners Office (ICO).

Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential is Bay Medical Group.

Who is the Data Protection Officer?

The Data Protection Officer (DPO) for Bay Medical Group is Dr Andy Foster.

Complaints / Concerns

If you have any concerns about how we use or share your information, or you do not wish to share your information, then please contact our Administration & IM&T Manager, Janet Taylor who will be able to assist you.

If you are still unhappy following a review by the Practice you can complain to the Information Commissioners Office (ICO). , telephone: 0303 123 1113 (local rate) or 01625 545 745.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice will be reviewed again before the end of November 2018.