GDPR & Privacy Policy

Privacy Policy

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you.

This privacy notice applies to personal information processed by or on behalf of the practice.

This Notice explains

  • Who we are, how we use your information and our Data Protection Officer
  • What kinds of personal information about you do we process?
  • What are the legal grounds for our processing of your personal information (including when we share it with others)?
  • What should you do if your personal information changes?
  • For how long your personal information is retained by us?
  • What are your rights under data protection laws?

The General Data Protection Regulation (GDPR) was incorporated into the UK's Data Protection Act on 25th May 2018. This is a single EU-wide regulation on the protection of confidential and sensitive information.

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), and the Data Protection Act 2018 (currently in Bill format before Parliament) the practice responsible for your personal data.

This Notice describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

Please find full versions of the notices below:


Practice Policy - SystemOne

Children Privacy Notice


If you require these in a different format, please contact the practice. 

COVID-19 Privacy Notice

As we move away from the initial response to COVID-19 the health and social care system will need to continue to take action to manage and mitigate the spread and impact of the outbreak. This includes ensuring that approved researchers can continue to securely access pseudonymised data held by GP IT systems to assist the health and care service’s response to COVID-19 by, for example:

  • Recognising trends in COVID-19 diseases and identifying risks it poses
  • Controlling and preventing the spread of COVID-19
  • Monitoring and managing outbreaks

The OpenSAFELY COVID-19 research service provides a secure analytics service that supports COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.  

Under the COVID-19 Public Health Directions 2020 NHS England has been directed by the Secretary of State for Health and Social Care to establish and operate the OpenSAFELY service.  While each GP practice remains the data controller of its own patient data, they are required under the provisions of s259 of the Health and Social Care Act 2012 to provide access to de-identified (pseudonymised) patient data through the OpenSAFELY service. 

The service enables individuals (academics, analysts and data scientists) approved by NHS England to run queries on pseudonymised GP and NHS England patient data which is held within the GP system suppliers’ data environments.  Controls are in place to ensure that individuals only have access to aggregated outputs from the service (i.e. they cannot access information that either directly or indirectly identifies individuals).

Purpose of this Notice

OpenSAFELY service is used to analyse de-identified (pseudonymised) data within the EMIS and TPP boundaries, to support COVID-19 related research.
This is a continuation of a service which is supported by the BMA which has been operating since 2020. The permanent legal basis (the COVID-19 Direction) above allows the practice to provide this data to NHSE as an ongoing service. 

The OpenSAFELY service is a Trusted Research Environment (TRE) established within the secure environment of EMIS and TPP. Researchers write their analysis code away from the patient data; the code is run automatically on de-identified (pseudonymised) patient data; and only the aggregated outputs (now anonymous) are shared with researchers to be used, for example, in journal publications, reports or presentations. 

These controls keep patient data secure inside EMIS and TPP and confidential from researchers. The use of TREs and the data processing principles which OpenSAFELY represents is supported by the RCGP.

To date, this service has supported a range of important COVID-19 related research, including one of the world’s first and largest studies to identify the clinical factors associated with COVID-19 related death, which informed the national COVID-19 vaccination strategy and Green Book guidance. Other studies have also informed COVID-19 related NICE guidance and decisions made by SAGE. 

All NHS England approved research studies are published online, including sharing the exact analysis code each study used to analyse the patient data, by whom and when such code was run. In future, NHSE will also publish approvals on our data release register.

During the pandemic, and in the recovery phase, de-identified data has been crucial in helping to save lives. It has supported research into COVID-19 and the ways that it has affected our lives, our health, and to identify effective medicines and treatments.

Research has helped to identify new treatments for COVID-19 and to understand how we can keep our communities safe. Data has helped us to prioritise the right care to the most vulnerable in our society and to develop vaccines to protect against COVID-19.

If you have any questions, please contact us at

Recording of processing

A record will be kept by Parliament Street Medical Practice of all data processed under this Notice.

Sending Public Health Messages

Data protection and electronic communication laws will not stop Parliament Street Medical Practice from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

Digital Consultations

It may also be necessary, where the latest technology allows Parliament Street Medical Practice to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. All references to NHS Digital now, or in the future, relate to NHS England.

Patients Know Best (PKB))

Parliament Street Medical Centre shared your demographic data (including name, age, gender, date of birth, NHS number and address) with Patients Know Best (PKB) so PKB could create a dormant patient account for each person registered at this practice. The data in these accounts will not be accessed or processed unless you choose to activate your PKB account. Activating the account will create a patient held record which you can choose to share with health and care teams. This data sharing was done through article 6 (1)(e) and 9(2)(h) of UK GPDR 2018.

PKB are registered with the Information Commissioner’s Office (ICO), which regulates data protection in the UK, and their registration number is Z2704931. PKB cannot see your demographic data or any health information in your PKB account, including your patient held record.  Your information is kept encrypted on secure servers and can only be seen by yourself, health care teams chosen by you or those with a lawful basis. 

PKB will retain your data for 8 years after either the date your dormant account was created or the date you last accessed your activated account; whichever date is more recent. You can email if you wish your PKB information to be deleted before that point, this does not mean that your GP record held by Parliament Street Medical Centre will be deleted.