1. Introduction

Bourne Health is committed to protecting the privacy and confidentiality of personal information. This Privacy Policy explains how we collect, use, store and share personal data, including patient and staff information, and outlines your rights under data protection law.

This policy applies to information collected through:

  • The Bourne Health Surgery websites
  • Registration and provision of NHS healthcare services
  • Communications with patients, carers, staff and suppliers
  • Research

We aim to be transparent about how we use data and to meet our obligations under:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Human Rights Act 1998
  • NHS Confidentiality Code of Practice
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

2. Who we are (data controller)

Bourne Health is the Data Controller for the personal data we process.

  • Organisation name: Bourne Health
  • Address: Keston Medical Practice, Purley War Memorial Hospital, 856 Brighton Road, Purley, CR8 2YL
  • Telephone: 02086608292
  • Email: admin@bournehealth.co.uk

2.1 Data protection officer (DPO)

We have appointed a Data Protection Officer to oversee data protection compliance.

DPO Contact Details:

  • Email: umar.sabat@ig-health.co.uk
  • Secure Email: Umar.sabat2@nhs.net
  • Address: Umar Sabat | Managing Director, IG-Health
  • Mobile: 07894 826 037
  • IG Health website

3. What information do we collect?

3.1 Personal data

We may collect and process the following personal information:

  • Name, previous names
  • Date of birth
  • Address and postcode
  • Telephone numbers and email address
  • NHS number
  • Emergency contact details
  • Next of kin or carer details
  • Photographic identity (photo ID)

3.2 Special category data

As an NHS healthcare provider, we collect and process health information, including:

  • Medical history and diagnoses
  • Consultation notes
  • Test results and investigations
  • Prescriptions and medications
  • Referrals and correspondence with other healthcare providers
  • Care plans and treatment outcomes
  • Data concerning physical or mental health
  • Data revealing racial or ethnic origin
  • Data concerning a person's sex life or sexual orientation
  • Genetic data and biometric data (where used for identification purposes)
  • Data revealing religious or philosophical beliefs
  • Data relating to criminal or suspected criminal offences
  • Financial information needed to process transactions, e.g. for private reports

3.3 Administrative and operational data

  • Appointment records
  • Complaints and feedback
  • Communication records (emails, letters, phone calls)
  • Safeguarding information

3.4 Website and technical data

When you visit our website, we may automatically collect IP address, browser type and version, operating system, and pages visited and time spent on pages. This data is used for website functionality, security and analytics.


4. How we collect information

We collect information in the following ways:

  • When you register as a patient
  • During consultations and treatment
  • Through referrals from other NHS organisations
  • From third parties involved in your care — from other health and care organisations or from family members or carers to support your care
  • Through use of our website, online forms or patient systems
  • When you have provided information to seek care — used directly for your care and to manage the services we provide
  • When you have sought funding for continuing health care or personal health budget support
  • When you have applied for a job with us or work for us
  • When you have signed up to our newsletter or patient participation group

5. How we use your information

5.1 Direct care purposes

Your information is primarily used to:

  • Provide safe and effective healthcare
  • Diagnose and treat illness
  • Coordinate care with other healthcare professionals, e.g. hospitals, community care teams, and care homes
  • Maintain accurate clinical records

5.2 Administrative and operational purposes

  • Managing appointments and recalls
  • Quality assurance and clinical audit
  • Responding to complaints and concerns
  • Training and supervision of staff
  • Scheduling and managing appointments
  • Processing payments and managing financial transactions
  • Issuing and managing medication prescriptions
  • Analysing data to enhance the quality of healthcare services

5.3 Secondary uses (where lawful)

We may use or share information for purposes beyond direct care, such as NHS planning and commissioning, public health and disease surveillance, and research and statistical analysis (with safeguards). Where required, data will be anonymised or pseudonymised.

5.4 Website and communication purposes

  • Responding to website enquiries
  • Improving website performance
  • Managing cookies and user preferences

6. Lawful basis for processing personal data

Bourne Health processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the common law duty of confidentiality.

The lawful bases we rely on depend on the purpose for which the data is used.

6.1 Lawful basis under article 6 (UK GDPR)

We process personal data under one or more of the following lawful bases:

  • Article 6(1)(e) - Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, including the provision of NHS healthcare services.
  • Article 6(1)(c) - Legal obligation: Processing is necessary to comply with legal or statutory obligations, such as safeguarding duties, public health reporting, or responding to court orders.
  • Article 6(1)(b) - Contract: Processing is necessary for the performance of a contract, for example where services are provided on a private basis or in relation to employment.
  • Article 6(1)(f) - Legitimate interests: Processing is necessary for legitimate interests pursued by Bourne Health or a third party, such as fraud prevention or debt recovery, provided these interests are not overridden by individual rights.
  • Article 6(1)(a) - Consent: Where required, we rely on consent. Consent will be freely given, specific, informed, and unambiguous, and can be withdrawn at any time.

6.2 Special category data (article 9 UK GDPR)

As an NHS healthcare provider, Bourne Health routinely processes special category data, including health information.

We rely on the following Article 9 conditions:

  • Article 9(2)(h): Processing is necessary for the provision and management of health or social care services and systems.
  • Article 9(2)(i): Processing is necessary for reasons of public interest in the area of public health.
  • Article 9(2)(j): Processing is necessary for archiving purposes in the public interest, scientific or historical research, or statistical purposes, with appropriate safeguards in place.
  • Article 9(2)(b): Processing is necessary for employment, social security, or social protection purposes, where authorised by law.
  • Article 9(2)(f): Processing is necessary for the establishment, exercise, or defence of legal claims.

6.3 Common law duty of confidentiality

In addition to UK GDPR, we comply with the common law duty of confidentiality.

We only use or share confidential patient information where one or more of the following applies:

  • You have given explicit or implied consent for the purpose of your direct care.
  • There is a legal requirement or statutory obligation to share the information.
  • Disclosure is justified in the public interest, for example to protect individuals from serious harm or to support the prevention or detection of serious crime.
  • Approval has been granted under Section 251 of the NHS Act 2006 following review by the Confidentiality Advisory Group (CAG), where consent is not practicable.

Any decision to share information without consent is made on a case-by-case basis, proportionately, and in line with professional and legal guidance.


7. Sharing your information

7.1 Sharing for direct care

We may share your information with NHS hospitals and clinics, community health services, pharmacies, and social care providers. This ensures continuity and safety of your care.

7.2 Other organisations

We may also share information with NHS England and Integrated Care Boards (ICBs), commissioning and regulatory bodies, and IT system suppliers and data processors. All third parties are required to protect your data and use it only for agreed purposes.

7.3 Legal and statutory disclosures

In some circumstances, we are legally obliged to share information. This includes:

  • When required by NHS England to develop national IT and data services
  • When registering births and deaths
  • When reporting some infectious diseases (public health reporting)
  • When a court orders us to do so
  • Where a public inquiry requires the information

We will also share information if the public good outweighs your right to confidentiality. This could include where a serious crime has been committed, where there are serious risks to the public or staff, or to protect children or vulnerable adults (safeguarding).

We never share your personal information with marketing or advertising companies. Your data is kept securely in the UK and is not shared outside the UK.


8. Data security

Bourne Health implements robust data security measures to protect personal information, including:

  • Access Controls: Limiting access to personal data based on job responsibilities and roles
  • Encryption: Using encryption technologies to secure data during transmission and storage
  • Firewalls and Antivirus: Implementing solutions to protect against unauthorised access and malware
  • Staff Training: Providing regular training on data protection, privacy, and security practices
  • Regular Audits: Conducting regular audits and assessments of data security measures

Only authorised staff can access personal data, and only where necessary. Bourne Health maintains comprehensive Records of Processing Activities (ROPA) to ensure compliance with Article 30 of the UK GDPR.


9. Data retention

We retain personal data in line with the NHS Records Management Code of Practice 2021. We will then dispose of information as recommended by our Records Management Code.

9.1 Retention periods

9.2 Secure disposal

When information is no longer required, it is securely destroyed, deleted or anonymised in line with NHS and industry standards. Our data is hosted in the UK. We do not transfer your personal data to any countries outside the UK.


10. Your rights

You have the following rights under UK data protection law:

  • Right to access your personal data (Subject Access Request) — see 10.1
  • Right to rectification of inaccurate information — see 10.1
  • Right to erasure (in limited circumstances) — see 10.1
  • Right to restrict processing of your personal information in certain circumstances
  • Right to data portability: to ask that we transfer your personal information to another organisation or to you
  • Right to complain to the Information Commissioner's Office via their website or call 0303 123 1113

Right to object

  • You have the right to object to the processing of your personal information in certain circumstances
  • You have the right to object to information being shared between those providing you with direct care; this may affect the care you receive
  • You are not able to object to your name, address and other demographic information being sent to NHS England, as this is necessary if you wish to be registered to receive NHS care
  • You are not able to object when information is legitimately shared for safeguarding reasons or when the public interest outweighs your right to confidentiality
  • National Data Opt-out [England only]: you can opt out of confidential information being used for purposes beyond your individual care via the NHS website

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

10.1 Subject access requests (SARs)

You have a right to request access to your data. Requests should be made in writing and we aim to respond within one calendar month, in line with UK GDPR requirements. Proof of identity may be required before information is released.

You have the right to have personal information which is inaccurate or contains a mistake corrected. Requests can be made by filling out the request form on the surgery website or by contacting Bourne Health or the DPO.


11. Consent, national data opt-out and information sharing choices

11.1 Consent

Where we rely on consent to process personal data, you may withdraw that consent at any time. Withdrawal will not affect processing already carried out lawfully.

11.2 NHS national data opt-out

You may choose to opt out of your confidential patient information being used for purposes beyond your individual care, such as research and planning. Further information, including how to opt out, is available on the NHS website.

11.3 Information sharing preferences

We will respect your preferences wherever possible, unless there is a legal or safeguarding requirement to share information. Where consent is required, you may withdraw it at any time.


12. Children and young people

Bourne Health recognises the importance of protecting the personal data of children and young people.

12.1 How we use children's data

We collect and use personal and health information relating to children and young people in order to:

  • Provide safe and appropriate healthcare services
  • Maintain accurate clinical records
  • Meet safeguarding and statutory responsibilities

Children's information is handled with the same level of confidentiality and security as adult records, in line with NHS and legal requirements.

12.2 Consent and capacity

Where a child is considered capable of understanding and making decisions about their care (often referred to as Gillick competence), we will respect their right to confidentiality and involve them directly in decisions about their information. Where a child is not able to make these decisions independently, we will usually involve a person with parental responsibility, unless it is not in the child’s best interests or there are safeguarding concerns.

12.3 Safeguarding

We may share information about children and young people without consent where this is necessary to protect a child from harm, comply with safeguarding legislation and guidance, or work with safeguarding partners such as social care or the police. Such sharing is carried out in line with the NHS Safeguarding Policies, the Children Act, and the Working Together to Safeguard Children guidance.


13. Cookies

Our website uses cookies and similar technologies to improve functionality, security, and user experience, and to help us understand how the website is used. Cookies are small text files stored on your device when you visit a website.

13.1 Types of cookies we use

We use the following categories of cookies:

  • Strictly necessary cookies: These cookies are essential for the website to function correctly and cannot be switched off. They enable core functionality such as page navigation and access to secure areas of the website.
  • Analytics and performance cookies: These cookies help us understand how visitors interact with our website by collecting information anonymously, such as pages visited and time spent on the site. This information helps us improve website performance and usability.

We do not use cookies for advertising or marketing purposes.

13.2 Cookie consent

Where required by law, we will seek your consent before placing non-essential cookies (such as analytics cookies) on your device.

You can manage or withdraw your cookie preferences at any time by:

  • Using the cookie settings on our website (where available), or
  • Adjusting your browser settings to refuse or delete cookies.

Please note that disabling cookies may affect the functionality of the website.


14. Care quality commission (CQC) and regulatory compliance

Bourne Health is registered with the Care Quality Commission (CQC) and complies with the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.

14.1 Meeting the CQC fundamental standards

Our approach to information governance supports the CQC Fundamental Standards, including:

  • Person-centred care: Information is used appropriately to support individual needs and preferences
  • Safety: Personal data is protected to reduce the risk of harm
  • Dignity and respect: Confidentiality is maintained at all times
  • Good governance: Clear systems and processes for managing information

14.2 Key lines of enquiry (KLOEs)

We ensure our data protection practices align with the CQC KLOEs:

  • Safe: Secure systems, access controls, and safeguarding processes
  • Effective: Accurate and complete records to support high-quality care
  • Caring: Respect for confidentiality and privacy
  • Responsive: Information supports continuity and coordination of care
  • Well-led: Strong leadership and accountability for information governance

14.3 Staff training and confidentiality

All staff receive mandatory training in data protection, confidentiality and safeguarding, are bound by confidentiality clauses in their contracts, and access information strictly on a need-to-know basis. Regular audits and reviews ensure ongoing compliance.

14.4 Caldicott principles

Bourne Health follows the Caldicott Principles, which ensure that:

  • Information is used only when necessary
  • The minimum necessary information is used
  • Access is on a strict need-to-know basis
  • Everyone understands their responsibilities
  • Information is shared appropriately and lawfully
  • The duty to share information can be as important as the duty to protect confidentiality

15. Complaints and concerns

If you have concerns about how your data is used, please contact us first through the surgery website.

If you are not satisfied, you have the right to complain to the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or via the ICO website.


16. Changes to this privacy policy

This policy is reviewed annually and may be updated to reflect changes in law or practice. The latest version will always be available on our website.


17. Contact details

For questions about this policy or your personal data, please contact the surgery in the first instance.

Bourne Health

  • Address: Keston Medical Practice, Purley War Memorial Hospital, 856 Brighton Road, Purley, CR8 2YL
  • Telephone: 02086608292
  • Email: admin@bournehealth.co.uk

Parkway Health Centre

Parkway Health Centre
Parkway
New Addington
Croydon
CR0 0JA

Fieldway Medical Centre

Fieldway Medical Centre
15A Danebury
New Addington
Croydon
CR0 9EU

New Addington Community Diagnostics Centre

New Addington Community Diagnostics Centre
88 Central Parade
New Addington
Croydon
CR0 0JB