Privacy Policy & Freedom of Information Act

Covid-19 and your information - Privacy Notice for The Riverside Practice - Updated on 8th April 2020

Supplementary privacy note on Covid-19 for Patients and Service Users

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of

protecting public health, providing healthcare services to the public and monitoring and

managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.  

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Privacy Notice for The Riverside Practice

How we use your information to provide you with healthcare - CURRENTLY SUSPENDED superceded by Covid-19 Privacy Notice and your information

  • This practice keeps medical records confidential and complies with the General Data Protection Regulation and UK data protection legislation.
  • We hold your medical record so that we can provide you with safe care and treatment.
  • We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
  • We will share relevant information from your medical record with other health or social care staff organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital, or your GP will send details about your prescription to your chosen pharmacy.
  • We use a medical record system called SystmOne. Other health and social care organisations, for example GP Out of Hours services and community services, who also use this system may have the ability to view your GP medical record when they are providing care to you. You may be asked if you are happy for your record to be viewed, or in some circumstances you may be sent a verification code to allow services caring for you to view your record. You can choose not to allow other organisations to be able to view your GP medical record.
  • Healthcare staff working in A&E and out of hours care may also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This information may be obtained from your Summary Care Record or from SystmOne. For more information see

You have the right to request to have any mistakes in your medical record corrected.

Other important information about how your information is used to provide you with healthcare

Registering for NHS care

 Identifying patients who might be at risk of certain diseases

  • Your medical records may be searched by approved computer programmes so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
  • This means we can offer patients additional care or support as early as possible.
  • This process may involve linking information from your GP record with information from other health or social care services you have used.


Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.

  •  These circumstances are rare.
  •  We do not need your consent or agreement to share information in these circumstances, as we are required to do this.
  •  Please see local policies for more information:

We are required by law to provide you with the following information about how we handle your information to provide you with healthcare.

Purpose of the processing

  • To provide direct health or social care to individual patients.
  • For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
  • To check and review the quality of care. This is called audit and clinical governance.

Lawful basis for processing

  • These purposes are supported under the following sections of the General Data Protection Regulation
    • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
    •  Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis,  the provision of health or social care or treatment or the management of health or social care systems and services...”

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

 Recipient or categories of recipients of the processed data

The data will be shared with:

  • healthcare professionals and staff in this surgery;
  • local hospitals;
  • out of hours services;
  • diagnostic and treatment centres;
  • screening services;
  • or other organisations involved in the provision of direct care to individual patients.
  • Organisations who help us manage our data for specific purposes, and under formal agreement, include: 
  • Serco-ASP who provide our End of Life Care Dashboard for clinicians caring for patients who are terminally ill. For more information:
  • Cambridgeshire & Peterborough NHS Foundation Trust who help identify patients who are frail and may require additional care services. For more information:
  • ICS Health and Wellbeing who send letters to patients on our behalf, inviting patients to attend a diabetes prevention service where we have identified them as being at risk of developing diabetes. For more information:
  • Health Intelligence who send letters inviting patients to attend for diabetic eye screening. For more information:
  • Primary Care Support England (PCSE) who nationally co-ordinate the movement of medical records. For more information:
  • NHS Prescription Services who nationally handle all prescription information: For more information: Right to object
  • You have the right to request to object to information being shared between organisations who are providing you with direct care. 
  • This may affect the care you receive.
  • You are not able to object to your name, address and other demographic information being sent to, and held by, NHS Digital.
  • This is necessary if you wish to be registered to receive NHS care.
  • You are not able to object when information is legitimately shared for safeguarding reasons. 
  • In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. 
  • The information will be shared with the local safeguarding service(s).

Data we get from other organisations

  • We receive information about your health from other organisations who are involved in providing you with health and social care.
  • For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is updated when you receive care from other organisations.

How your information is used for medical research and to measure the quality of care

Medical research using population-based information

We share information from medical records:

  • to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best
  • we will also use your medical records to carry out research within the practice.

This is important because:

  • the use of information from GP medical records is very useful in developing new treatments and medicines; 
  • medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
  • We share information with the following medical research organisation with your explicit consent or when the law allows:  The National Institute for Health Research, CRN Eastern. For more information
  • You have the right to object to your identifiable information being used or shared for medical research purposes.

Medical research trials that individual patients may agree to take part in

  • If the practice takes part in a medical research trial, individual patients may be invited to be part of the trial. In order to take part, patients will be asked to consent to their data being used and shared for the particular research trial.

Checking the quality of care – national clinical audits

This practice contributes to national clinical audits so that healthcare can be checked and reviewed.

  • Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you.
  • The results of the checks or audits can show where hospitals are doing well and where they need to improve.
  • The results of the checks or audits are used to recommend improvements to patient care.
  • Data is sent to NHS Digital which is a national body with legal responsibilities to collect data.
  • The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form - for example the code for diabetes or high blood pressure.
  •  We will only share your information for national clinical audits or checking purposes when the law allows.
  •  For more information about national clinical audits see the Healthcare Quality Improvements Partnership website: or phone 020 7997 7370.
  •  You have the right to object to your identifiable information being shared for national clinical audits.

We are required by law to provide you with the following information about how we handle your information for research.

Purpose of the processing

  • Medical research, and to check the quality of care which is given to patients (this is called national clinical audit).

 Lawful basis for processing

The following sections of the General Data Protection Regulation mean that we can use medical records for research and to check the quality of care (national clinical audits)

  • Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

For medical research: there are two possible Article 9 conditions.

  • Article 9(2)(a) – ‘the data subject has given explicit consent…’ (where an individual has agreed to take part in a specific research trial)


  • Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’. (where data is used for medical research using population based information)

To check the quality of care (clinical audit):

  • Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

Recipient or categories of recipients of the processed data

  • For medical research the data will be shared with The National Institute for Health Research, CRN Eastern. For more information
  •  For national clinical audits which check the quality of care the data will be shared with NHS Digital.

 Rights to object and the national data opt-out

  • Most of the time, anonymised data is used for research and planning so that you cannot be identified.
  • From 25th May 2018, the national data opt-out enables you have a choice about whether you want your identifiable confidential patient information to be used for research and planning.
  • To find out more or to register your choice under the national data opt-out, please visit You can change your mind about your choice at any time.

How your information is shared so this practice can meet legal requirements

The law requires the practice to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

  • plan and manage services;
  • check that the care being provided is safe;
  • prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information.

We must also share your information if a court of law orders us to do so.

NHS Digital

  • NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
  •  It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
  •  This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
  •  More information about NHS Digital and how it uses information can be found at:  
  • NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found here:

 Care Quality Commission (CQC)

  • The CQC regulates health and social care services to ensure that safe care is provided.
  • The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
  •  For more information about the CQC see:

 Public Health

  • The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
  • We will report the relevant information to local health protection team or Public Health England.
  •  For more information about Public Health England and disease reporting see:

We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.

Purpose of the processing

  • Compliance with legal obligations or court order.

Lawful basis for processing

 The following sections of the General Data Protection Regulation mean that we can share information when the law tells us to:

  • Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’
  • Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

 Recipient or categories of recipients of the processed data

  • The data will be shared with NHS Digital.
  • The data will be shared with the Care Quality Commission.
  • The data will be shared with our local health protection team or Public Health England.
  • The data will be shared with the court if ordered.

Rights to object and the national data opt-out

  • There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.

NHS Digital

NHS Digital sharing with the Home Office

  • There is no right of objection to NHS Digital sharing names and addresses of patients who are suspected of having committed an immigration offence.

Public health

  • Legally information must be shared under public health legislation. This means that you are unable to object.

Care Quality Commission

  • Legally information must be shared when the Care Quality Commission needs it for their regulatory functions. This means that you are unable to object.

Court order

  • Your information must be shared if it ordered by a court. This means that you are unable to object.

 National screening programmes

 The NHS provides national screening programmes so that certain diseases can be detected at an early stage.

  •  These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
  •  The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
  • More information can be found at:

We are required by law to provide you with the following information about how we handle your information in relation to our legal obligations to share data.

Purpose of the processing

  • The NHS provides several national health screening programmes to detect diseases or conditions early such as cervical and breast cancer, aortic aneurysm and diabetes.
  • The information is shared so that the correct people are invited for screening. This means those who are most at risk can be offered treatment.

Lawful basis for processing

The following sections of the General Data Protection Regulation allow us to contact patients for screening:

  • Article 6(1)(e) – ‘processing is necessary…in the exercise of official authority vested in the controller...’
  • Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

Recipient or categories of recipients of the processed data

  • The data will be shared with NHS Digital, hospital laboratory services, local breast screening units, and Health Intelligence who provide diabetic eye screening.
  • The Practice shares your diabetes related data with the Diabetic Eye Screening Programme operated by Health Intelligence, commissioned by NHS England. For further information:

Rights to object

 Data we get from other organisations

  • We receive information about your screening test results from other organisations who are involved in providing these services. 
  • This means your GP medical record is updated with screening results.

 Data we hold about you

We hold data about you in electronic and paper records. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

 The type of data that we hold about you may include the following:

  • Details about you, such as your address and next of kin;
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health;
  • Details about your treatment and care;
  • Results of investigations, such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you.
  • Your medical record is held in a computer system called SystmOne. This system is provided to us under a National contract. Your data is held and managed in secure data centres by TPP. For more information:

SMS and Email

  • We will hold your mobile phone number and email address where you have provided these to us.
  • We may use these to send you text messages or emails about your care, for example, messages about appointments, test results, or inviting you to attend for a clinic.
  • You have the right to provide your mobile number for calls only. If you do not wish to receive text messages from us, please speak to the practice so we can add this to your record to prevent text messages being sent to you.
  • You have to right to have your email address or mobile phone number removed from your GP record.
  • We will only use the email address or mobile phone number for direct medical care purposes, unless you have provided us with your explicit consent to email you for other purposes as well, for example, for us to send you surgery newsletters, details from patient participation group meetings, or details about new services.
  •  If you provide your consent for us to send you information other than for your direct care, you can remove this consent at any time.

Right to access and correct

  • You have the right to access the data we hold about you, and request to have any errors or mistakes corrected.
  • Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website under Privacy and GDPR.
  • We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

  Retention period

Right to complain

  • If you have concerns about the way we manage your data. Please contact: The Practice Manager, Riverside Practice, 23 Marylebone Road, March, Cambs. PE15 8BG
  • You have the right to seek independent advice about data protection, as well as the right to complain, by contacting the Information Commissioner’s Office. or call the helpline 0303 123 1113

Data Controller contact details

Riverside Practice

23 Marylebone Road



PE15 8BG

Data Protection Registration Number


Data Protection Officer

Data Protection Officer

Cambridge and Peterborough CCG

Lockton House

Clarendon Road



 Email address:

Date last reviewed or updated

  • 14th May 2019

Freedom of Information Publication Scheme

This Publication Scheme provides a guide to the information made available by the general practitioners and staff of The Riverside Practice, as required by the Freedom of Information (FOI) Act 2000.

It has been adapted from the model Publication Scheme for General Practitioners, developed by the British Medical Association and the NHS Freedom of Information Project Board 2003, and in partnership with the Cambridgeshire LMC.

Most of the information we are now required to publish has been available for several years in our Practice Leaflet. For this reason, this publication scheme will often refer you to our Practice Leaflet; copies are available from reception and from the practice website.

Part 1 - Introduction

Your rights to information

  • The Freedom of Information Act 2000 recognises that members of the public have the right to know how public services are organised and run, how much they cost and how decisions are made. From 1 January 2005, the FOI Act will oblige General Practices to respond to requests about information that it holds. These rights are subject to exemptions that will have to be taken into consideration before deciding what information can be released. In addition to accessing the information identified in the Publication Scheme, you are entitled to request information about The Riverside Practice under the NHS Openness Code 1995.
  • This document sets out where this information is available. The publications are all free unless otherwise indicated. Where information is provided at a cost, the charges will be available via the Practice Manager.
  • Under the Data Protection Act 1998, you are also entitled to access your clinical records or any other personal information held about you. For this, please contact the Practice Manager.


If you have any comments about the operation of the Publication Scheme, or how we have dealt with your request for information from the Scheme, please contact the Practice Manager.

Part II – Classes of Information

All information at The Riverside Practice is held, retained and destroyed in accordance with NHS guidelines.

Our commitment to publish information excludes any information that can be legitimately withheld under the exemptions set out in the NHS Openness Code or Freedom of Information Act 2000. Where individual Classes are subject to exemptions, the main reasons are the protection of commercial interests and the protection of confidential personal information under the Data Protection Act 1998. This applies to all Classes within the Publication Scheme.

The information on this Scheme is grouped into the following 7 broad categories:

Class 1 Information

Details of the practice, organisational structures, key personnel and how we fit into the NHS

Information in this class is contained in the Practice Leaflet available from Reception

Class 2 Information

The range of services we provide under contract to the NHS

Information in this class is contained in the Practice Leaflet available from Reception

Class 3 Information

Funding details and charging policies

Information in this class is available from the Practice Manager on application, though some frequently used charges are displayed in the waiting room

Class 4 Information

Regular publications and information for the public

The Practice Leaflet, and information leaflets relating to the clinical services and health services that we provide for our patients, and our range of regular publications, are freely available at the surgery in the reception and waiting areas. Alternatively, please contact the Practice Manager. Publications are free of charge unless otherwise indicated.

Class 5 Information

Policies, procedures and contacts for complaints

This practice follows the NHS complaints procedure and follows a strict protocol when dealing with all complaints. The procedure is available by request from the Practice Manager, who is the first point of contact if you wish to comment on any aspect of the practices’ service.

Class 6 Information

General policies and procedures in use within the practice.

Our policies and procedures include (but are not restricted to) complaints, confidentiality, data protection, prescribing, zero tolerance and health and safety. Information in this class is available from the Practice Manager on application.

Class 7 Information

This publication scheme

Changes in our practice arrangements are always detailed through the Practice Leaflet.  Enquiries about any of the information we publish, or arrangements generally, should be made to the Practice Manager.

Privacy Notice for Job Applicants

In accordance with the General Data Protection Regulation (GDPR), we have implemented this privacy notice to inform you, as prospective employees of our Company, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.


Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

  1. processing is fair, lawful and transparent
  2. data is collected for specific, explicit, and legitimate purposes
  3. data collected is adequate, relevant and limited to what is necessary for the purposes of processing
  4. data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
  5. data is not kept for longer than is necessary for its given purpose
  6. data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
  7. we comply with the relevant GDPR procedures for international transferring of personal data


We keep several categories of personal data on our prospective employees in order to carry out effective and efficient processes. We keep this data in recruitment files relating to each vacancy and we also hold the data within our computer systems, for example, recruitment logs.

Specifically, we hold the following types of data:

  1. personal details such as name, address, phone numbers;
  2. name and contact details of your next of kin;
  3. your photograph;
  4. your gender, marital status, information of any disability you have or other medical information;
  5. right to work documentation;
  6. information on your race and religion for equality monitoring purposes;
  7. information gathered via the recruitment process such as that entered into an application form or included in a CV cover letter;
  8. references from former employers;
  9. details on your education and employment history etc;
  10. driving licence;
  11. criminal convictions.


You provide several pieces of data to us directly during the recruitment exercise.

In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references.


The law on data protection allows us to process your data for certain reasons only.

The information below categorises the types of data processing we undertake and the lawful basis we rely on.

 Activity requiring your data

 Lawful basis

 Carrying out checks in relation to your right to work in the UK

 Legal obligation

 Carrying out DBS checks on employees (upon offer of employment) who carry out   a CQC regulated activity (usually clinical employees)

 Legal obligation

 Making reasonable adjustments for disabled employees

 Legal obligation

 Making recruitment decisions in relation to both initial and subsequent employment   e.g. promotion

 Our legitimate interests

 Making decisions about salary and other benefits

 Our legitimate interests

 Making decisions about contractual benefits to provide to you

 Our legitimate interests

 Assessing training needs

 Our legitimate interests

 Dealing with legal claims made against us

 Our legitimate interests

 Preventing fraud

 Our legitimate interests


Special categories of data are data relating to your:

  1. health
  2. race
  3. ethnic origin
  4. political opinion
  5. religion
  6. sexual orientation
  7. trade union membership
  8. genetic and biometric data.

 We carry out processing activities using special category data:

  1. for the purposes of equal opportunities monitoring
  2. to determine reasonable adjustments

 Most commonly, we will process special categories of data when the following applies:

  1. you have given explicit consent to the processing
  2. we must process the data in order to carry out our legal obligations
  3. we must process data for reasons of substantial public interest
  4. you have already made the data public.


Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract of employment with you. This could include being unable to offer you employment, or administer contractual benefits.


We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, however, may also be collected during your employment. We use criminal conviction data to determine your suitability, or your continued suitability for the role. We rely on the lawful basis of Legal Obligation to process this data.


Employees within our company who have responsibility for recruitment will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processed in line with GDPR. 

We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

We do not share your data with bodies outside of the European Economic Area.


We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.


We only keep your data for as long as we need it for.

If your application is not successful and we have not sought consent or you have not provided consent upon our request to keep your data for the purpose of future suitable job vacancies, we will keep your data for 12 months once the recruitment exercise ends.

If we have sought your consent to keep your data on file for future job vacancies, and you have provided consent, we will keep your data for 18 months once the recruitment exercise ends. At the end of this period, we will delete or destroy your data, unless you have already withdrawn your consent to our processing of your data in which case it will be deleted or destroyed upon your withdrawal of consent.

Where you have provided consent to the use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data and there will be no consequences of withdrawing consent.

If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for employees, which will be provided to you.


Automated decision making means making decision about you using no human involvement e.g. using computerised filtering equipment. We will make some decisions about you based on automated decision making (where a decision is taken about you using an electronic system without human involvement).

Example: Application through an online job site.  Should job role require Administration experience, a filter question may be asked if you have Administration experience. If you answer no, your application would not proceed any further if you answer yes, your application would proceed for further screening.


You have the following rights in relation to the personal data we hold on you:

  1. the right to be informed about the data we hold on you and what we do with it;
  2. the right of access to the data we hold on you. We operate a separate Subject Access Request policy and all such requests will be dealt with accordingly;
  3. the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
  4. the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
  5. the right to restrict the processing of the data;
  6. the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
  7. the right to object to the inclusion of any information;
  8. the right to regulate any automated decision-making and profiling of personal data.

In addition to the above rights, you also have the unrestricted right to withdraw consent, that you have previously provided, to our processing of your data at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate or legal reason for doing so.

If you wish to exercise any of the rights explained above, please contact the Practice Manager


If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.


Our Data Protection Officer is:

Data Protection Officer, Cambridgeshire and Peterborough CCG, Lockton House, Clarendon Road, Cambridge, CB2 8FH.

Email address: