Privacy Policy

COVID-19 Privacy Notice

COVID-19 Privacy Notice.docx

Your Information

This privacy notice entails all the information you, as a service user or data subject need to know about what we do with the patient data we collect and process in order to run our service.

This privacy notice applies to all your personal information processed by or on behalf of the practice.

EBPCOOH (East Berkshire Primary Care Out of Hours Service) is a data processor on behalf of NHS England and the local NHS authorities, who are our data controllers.

EBPCOOH is the organisation that runs your registered GP practice therefore we are the data controller for any personal data that we hold about you at the surgery.

Why we collect your data

Healthcare professionals who provide you with care are required by law to maintain records about your health and any treatment you have received within any NHS organisation.

When a “patient” (service user) uses our service, we are required to process and store data in order to provide the necessary amount of care.

The data we process falls within your vital interest within article six of the GDPR and the data we retain falls within the lawful obligation as stated in article 6 of the GDPR. (

In order to provide medical health care as provisioned by NHS England and local authorities, we request patient’s data in order for us to process each patient to ensure they receive the care they need. The Data EBPCOOH collects on each patient is necessary as without it EBPCOOH would not:

  • Be aware that the correct patient is receiving care
  • Be able to contact or visit a patient that is in need of care
  • Be able to refer patients if necessary
  • Be able to view patients’ previous medical history and notes
  • Be unable to update patients’ medical history and notes

All of the above come under our necessary right to process due to vital interest of our service users.

Details we collect

This GP practice will hold the following information about you:

  • Contact details and next of kin
  • Any contact the surgery has had with you regarding appointments
  • Notes about your health
  • Details about your treatment and care
  • Results from investigations such as test results
  • Relevant information from other healthcare professionals

Keeping your information safe

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Information provided in confidence will only be shared with others involved in your care where there is a genuine need for it and consent has been given unless there are exceptional circumstances (such as serious risk to yourself or others) or where the law requires it.

All website data is stored in encrypted databases hosted on UK based servers and any data from online forms is collected and transferred over a secure network.


EBPCOOH uses EMIS software to process and store patient data, as well as receive data from the 111 service and transfer data to other healthcare services where necessary.

For details on EMIS’s privacy notice and how they store and process data, please refer to:

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Legislation
  • General Data Protection Regulation
  • Human Rights Act
  • Common Law Duty of Confidentiality
  • NHS Codes of Confidentiality and Information Security
  • Health and Social Care Act 2015
  • All applicable legislation

Data Retention

EBPCOOH are governed by NHS England guidelines – and currently store patient data indefinitely. We have a legal obligation to store patient data for at least 30 years. Currently, EBPCOOH find it necessary to store patient data indefinitely to serve the legal and vital interests and obligations that are connected with healthcare.

Personal data submitted via the online forms on the surgery website is held for a maximum of 12 months after which time it is automatically deleted. Customers can also delete records manually at any time.

Who are our partner organisations

We may have to share your information with our partner organisations subject to strict agreements. The following examples are the types of organisations we are likely to share information with:

  • NHS specialist hospitals
  • Private and voluntary sector providers
  • Ambulance trusts
  • Independent contractors such as dentists
  • Clinical commissioning groups
  • Social care services and local authorities
  • Education services
  • Police, fire and rescue services
  • Other data processors e.g. diabetes UK
  • Other healthcare service providers 

Your right to withdraw consent

Patients who attend our services may be asked whether they want to give consent for us to contact them.

You have the right to withdraw consent at any time if you do not want your data used for any purpose beyond providing your care. Please be aware in some circumstances we may still be legally required to disclose your data.

Access to personal information

You have the right under the Data Protection Act 2018 to see or have a copy of the data we hold about you- this is known as a subject access request. If you would like to access a copy of your information, please contact the practice manager 03000 24 0001. If you want access to your data, you must make this request in writing. 

In certain situations, you have the right to erasure- this is the right to ‘erase’ your personal data.

How the Practice Completes your Subject Access Requests

  1. All notification requests received to be given to the Medical Secretary.
  2. Medical Secretary to update Spreadsheet with information and scan document and save to patient in EMIS (Consent to be scanned separately).
  3. Medical Secretary to Task eMR Administrator to summarise notes.
  4. eMR Administrator to complete redaction process and submit to Admin GP for that day by sending a task on EMIS giving a Due By Date.
  5. All handwritten & administration documents that require redaction will be done manually. Please do not include them in the report. These will be emailed to the patient separately by the Medical Secretary once the report has been completed.
  6. If eMR Administrator is off work Medical Secretary is to task Summarising Team to summarise notes. Once notes are summarised Medical Secretary to complete redaction process.
  7. GP to review and complete.
  8. Medical Secretary to check daily and save a copy of the redacted information to Patient’s notes.
  9. Medical Secretary to contact patient to collect SARS/ Insurance report.
  10. Medical Secretary to update spreadsheet and consultation on EMIS to say completed & sent.

N.B If Medical Secretary is off work the eMR Administrator to deputise above process.

Changes to personal information

It is important that you inform us of any changes to your personal information- such as if your name or contact details change so that our records are kept up to date.


Should you have any concerns about the services we provide or how your data is managed please contact the practice manager.

For independent advice about data protection, privacy and data sharing issues please contact:

The Information Commissioner's Office 

Wycliffe House

Water Lane




Phone: 0303 123 1113     Website:

If you have any concerns regarding the usage of our website, or what our website requires from you in order for you to view – please email our Information Governance Team who can assist you with additional information or guidance:

Patient surveys

You may be asked your preferred method of contact to fill out a patient satisfaction survey.

The survey itself is anonymised and does not ask for any personal identifiable data.

The surveys are only sent if necessary explicit consent has been given by a service user for us to contact them.

EBPCOOH uses a third-party company named Text Local ( to send out survey links. Text local stores service user’s mobile telephone numbers in their secure UK based database centre. EBPCOOH controls the deletion of this data and all numbers are deleted monthly. EBPCOOH holds these numbers as records for a month to avoid any needless duplicated texts to service users.

You can view Text Local’s privacy policy here:

Call Recordings

When service users ring our services directly, or when our service users receive a telephone call from one of our clinicians, these calls are recorded.

EBPCOOH uses a telephony company named Content Guru (

Content Guru stores our call recordings on their system for 30 days. Content Guru’s data storage uses a cloud-based system that never leaves the UK.

Within these 30 days, one dedicated EBPCOOH employee has administrative rights to listen and download records, should it be necessary. The system tracks all user’s activity. Access is securely restricted and requires a username, pass code, password and RSA token secure log on number to access.

Once the 30 days expires, all EBPCOOH’s telephone records are downloaded onto EBPCOOH’s internal hard drive, securely locked in our IT room. This room is only accessible to senior management and the IT manager. The PC to gain access to the hard drive is securely locked and requires password authentication to access which is restricted to one dedicated user within the organisation.

EBPCOOH retains call recordings for a minimum of 25 years as per NHS Guidelines, but no more than 30 years.

A signed copy of Content Guru’s addendum to contract with EBPCOOH that explains in detail their compliance is available upon request. Please email for a copy.

This Website

We are committed to protecting your privacy. You can access our website without giving us any information about yourself. However, you may choose to provide us with your personal information by completing an online form. By completing a form with your personal information, you consent to our use of the information as set out in this privacy policy.

What is a cookie?

A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns.

For more information about cookies, including how to view the cookies that have been set and how to manage or delete them, please visit

What is an IP Address?

IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number used by computers on the network to identify your computer. IP addresses are automatically collected by our web servers so that data (such as the web pages you request) can be sent to you.

Web server log files are used to record information about our site, such as system errors. Log files do not contain any personal information or information about other sites which you have visited, and we do not view, track or store this information.

Links to other websites

Please be aware that our site may link to other websites which may be accessed through our site. If you follow a link to any of these websites, please note that they will have their own cookies and privacy policies.

We do not accept any responsibility or liability for the privacy and security practices of such third-party websites and your use of such website is entirely at your own risk.