Privacy Policy

Document Type: Policy & Procedure
Current Status:
Reviewed by: J Naylor
Latest review date: Apr 2022
Document Owner: Lee Busher
This version approved:
Approved by:
Next review due: Sept 2023
Original publication date: Sept 2017
Applies to: All Staff & Public


This Privacy Policy outlines the manner in which Southern Hampshire Primary Care Alliance Limited (SHPCA) collects, uses, maintains and discloses information collected from data subjects, and sets out their legal rights. Each data subject is a “User” of:

  1. the website (“Site”) or; 
  2. services offered by SHPCA or; 
  3. employment matters (employees) by SHPCA or;
  4. in relation to duties SHPCA holds under the Companies Act (2006).

SHPCA is registered with the Information Commissioner’s Office: ZA292145.

  1. Using Our Website

Personal identification information

We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit or register on the Site, subscribe or fill out a form, as well as in connection with other activities, services, features or resources available on our Site. Users may be asked for their name, email address, mailing address and phone number. Users may visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can refuse to supply personal identification information, except that it may prevent them from engaging in certain Site related activities.

Non-personal identification information

We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, type of computer and technical information about Users’ means of connection to our Site, such as the operating system, Internet Service Provider(s) used and other non-personal information.

Web browser cookies

Our Site may use “cookies” to enhance User experience. A User’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. The User may choose to set their web browser to refuse cookies or to alert them when cookies are being sent. If they do so, some parts of the Site may not function properly.

What are Cookies? 

Cookies are small text files that are placed on your computer or other devices by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

What do we use Cookies for? 

We plan to use Google Analytics software on this site to collect information about how visitors use our website and how we can improve it. The information collected is anonymous and includes pages visited on our website; how much time is spent on each page and where visitors have come to the website from.

Your Consent 

By continuing to use our website, you give us your consent to use cookies for the analytical purposes above.

How do I change my Cookie settings? 

Most web browsers allow some control of cookies through the browser settings. To find out more about cookies, including how to change your settings or how to delete cookies that are already on your computer, visit the websites below. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our site.

How we use collected information

SHPCA may collect and use Users’ personal information for the following purposes:

To improve customer service, personalise user experience, improve our Site, run a promotion, contest, survey or other Site feature i.e. to send Users information they agreed to receive about topics we think will be of interest to them.

How we protect your information

We adopt appropriate data collection, storage and processing practices and security measures. This is to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.

Sharing your personal information

We do not sell, trade, or rent Users’ personal identification information to others. SHPCA may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third-party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. SHPCA may share your information with these third parties for those limited purposes, provided that you have given us your permission.

Third-party websites

Users may find advertising or other content on our Site that links to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.

Your acceptance of these terms

By using this Site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.

  2. Using Our Patient Health Services

We are contracted to provide patient services including Specialist Community Clinical Services, Urgent Care Centres (UCC), Phlebotomy and Out-of-Hours Primary Care Services (the Integrated Primary Care Service – IPCAS). In order to provide patient care, we may need to collect and process personal information. We do this with your consent, using the minimal information needed and within the parameters of specific data sharing agreements we hold with organisations (the Data Controllers) who are responsible for holding and maintaining your medical record, for example, your GP Practice.

Personal identification information

In the safe and lawful operation of patient services we require access to accurate and up to date personal identification information, which includes a patient’s name, address, telephone number, NHS number and health information. Wherever possible this will be processed to your GP patient record. Information will be collected from:

  • People who use our services or request a service from us 
  • Patient records accessed/required for the purposes of safe operation of SHPCA’s patient services. 
  • Complaints information

Before we book an appointment with one of our services, your consent is required. You have the right to withhold your consent, however in these circumstances, for reasons of patient safety we will be unable to provide the service to you. Your entitlement to health services through your GP practice is not affected.

Where your GP patient record is not available, other secure systems may be used to record health information, including ECGs, in order to provide safe specialist care. This may be shared with a specialist consultant. Any hard copy information, e.g. cardiograms, will be securely disposed of.

  3. Working for SHPCA

Applying to work for us

When you apply to work for us, we will use your personal data to process your application and to monitor recruitment statistics. Where we need to disclose information to a third party, e.g. where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure & Barring Service, we will not do so without informing you beforehand unless the disclosure is required by law.

During employment with us, accurate and up to date personal information will be collected so that we meet our statutory function, legal and contractual obligations, and to ensure you are kept informed. This will be collected and stored electronically within our secure HR system and within a hard copy employment file held at head office. This may include information relating to:

  • Personal identification 
  • Contract/s of Employment
  • Payroll services 
  • Career development
  • Grievance and Disciplinary matters
  • Health information
  • Next of kin
  • Job application and references
  • Absence (including Annual Leave)
  • Disclosure and Barring Service records
  • Declarations of Interest/s
  • Photographic images of documentation legally required for employment purposes
  • Reference requests
  • Leaver and termination of Employment details

  4. Member Practices

We process personal information about Shareholding Partners and named ‘points of contact’ in our Member Practices and share such information with our appointed Company Secretary (Thrings LLP) to ensure our compliance with Company law, issue Notices and other communications with Members and Shareholders.

  5. Your Rights

All personal data is processed fairly and lawfully, whether it is received directly from you or from a third party. The different types of personal data / information needed to provide our specific services and for recruitment and staffing purposes may include:

  • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. 
  • ‘Special Category / sensitive data’ such as medical history, details of appointments / contacts, medication, appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation. 
  • ‘Pseudonymised’ – data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data
  • ‘Anonymised’ – data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified
  • ‘Aggregated’ – anonymised information grouped together so that it doesn’t identify individuals

Why we collect information about you

As a primary care provider, we need to process your information to:

  • Protect your vital interests 
  • Deliver preventative medicine, medical diagnosis, medical research
  • Pursue our legitimate interests as a provider of medical care 
  • Perform tasks in the public’s interest
  • Manage the health and social care system and services. 

How is the information collected?

Your personnel or healthcare records are generally held electronically.  We use a combination of technologies and working practices to ensure that we keep your information secure and confidential. We use secure NHS Mail or electronic transfer over an NHS encrypted network connection.  Most health information is processed directly to your GP patient record and your GP practice remains the Data Controller.  

Who will the information be shared with?

Personal data is treated confidentially and will only be shared internally and as appropriate with staff who need access to perform their roles for the provision of your care, or as required to satisfy our statutory function and legal obligations.

To deliver and coordinate your health and social care, we may need to share information with the following organisations:

  • Local GP Practices in order to deliver extended primary care services
  • Portsmouth Hospitals NHS Foundation Trust, Southern Health NHS Foundation Trust, Solent NHS Trust, University Hospital Southampton NHS Foundation Trust, Frimley Park Hospital, South Central Ambulance Service NHS Foundation Trust (SCAS)
  • Partnering Health Limited (PHL) to whom we subcontract our contractual obligation to provide the Out-of-Hours GP Home Visiting service as part of our (IPCAS) Integrated Primary Care Access Service contract.
  • When we are contacted by ‘NHS 111’ or ‘999’ with a patient’s information because they have been clinically triaged to attend an urgent, primary care, ‘Out-of-Hours’ (IPCAS) appointment.
  • Local Social Services and Community Care services
  • Voluntary Support Organisations commissioned to provide services by Hampshire, Southampton and Isle of Wight CCG/ Hampshire Health and Wellbeing Board
  • Pharmacies (prescriptions)

To comply with our legal responsibilities as an Employer, we may share information with external service suppliers including, but not limited to: 

  • the ‘NHS South, Central and West Commissioning Support Unit’ (CSU) to whom we have subcontracted our HR support service requirements
  • NHS Business Services Authority who provide NHS Pensions for SHPCA employees.
  • The Disclosure and Barring Service, the British Medical Association (Performers List) and the Nursing and Midwifery Council to provide employment and professional eligibility checks. 
  • Sensi, our on-line Locum booking platform to enable clinicians (including GPs, Advanced Nurse Practitioners, Practice Nurses, Health Care Assistants, Receptionists) to manage shifts and remuneration for providing patient services.
  • The ‘Medical and Dental Defence Union of Scotland’ (MDDUS) and the Medical Defence Union (MDU) in connection with Corporate, medical indemnity and associated support services that we secure for present and former employees and directors.
  • Afilio Clarity, who provide and maintain e-learning training modules and services for our workforce.
  • Matrix IT Solutions Limited because personal information is necessary to set-up Microsoft SharePoint for employees ( 

To comply with our legal responsibilities as a Company we may share personal information with Thrings LLP in connection with Statutory and Company Secretary services for SHPCA.

How do we maintain the confidentiality of your records and ensure the information you give us is kept securely?

We will only use information that has been collected lawfully, and it is only used by people who have a right to see it. Every member of staff has a legal obligation to keep information about you confidential. The NHS Code of Practice on Confidential Information applies to all staff, who are required to keep your information protected. We maintain our duty of confidentiality by conducting training and awareness, ensuring access to personal data is limited to the appropriate staff and that information is only shared with organisations and individuals that have a legitimate and legal basis for access. Your information will not be transferred or stored outside the European Union.

To support the highest standards of security SHPCA appoints a Data Protection Officer, Caldicott Guardian and a Senior Information Risk Owner, all of whom can be contacted via

How we use your information

We use personal information to:

  • Deliver patient services, provide support, advice and services 
  • Check and improve the quality of services and develop future services.
  • Provide statistical reports to those who contract with us to deliver services. Statistics are used in such a way that individuals cannot be identified.
  • Carry out requirements under the law such as health and safety, employment law and the safeguarding of vulnerable children and adults.
  • Deal with payments from those with whom we contract for services and payroll
  • Help investigate any concerns or complaints you make
  • Enable us to safely recruit, engage, employ and contract with, manage, support, train and remunerate our clinical and non-clinical workforce.
  • Provide IT and mobile phone connectivity to support our workforce and patient services.
  • Comply with Company law in respect of our members and shareholders.

We do not pass on your email address to any third party without your express permission.

How long do we keep your personal information?

We keep your personal data in line with our data retention and erasure policy and in accordance with the Records Management Code of Practice for Health and Social Care 2016. We will not keep your information longer than necessary. 

How do you access your personal information? (Subject Access Request)

You can find out what personal information we hold about you by making a ‘subject access request’. You can also ask us to correct any mistakes in the records we hold about you.

Subject access requests should be made to: The Data Protection Officer ( Or E-mail:

Freedom of information 

The Freedom of Information Act 2000 (‘FOIA’) gives the right to access a range of recorded information held by organisations which are ‘public authorities’ under the FOIA (Schedule 1). For the avoidance of doubt, SHPCA is not a public authority but may be subject to the FOIA in relation to services it provides through an NHS contract. Written requests under the Freedom of Information Act should be sent to  We will normally respond within 20 working days from receipt of a request.

What about CCTV images of me?

SHPCA does not use CCTV, however there may be CCTV installed at the location where your appointment is held.  You can ask to see CCTV images by making a Subject Access Request to the individual site.

What is the legal basis for processing the data?

All data is processed in accordance with law enforcement, Information Commissioner’s Office guidelines, The Data Protection Act 2018 and General Data Protection Regulation (2016). The lawful basis for processing data includes:

  • Article 6(1)a ‘consent’
  • Article 6(1)b ‘contract’
  • Article 9(2) ‘preventative or occupational medicine’

What rights does the data subject have?

  • To be informed
  • To access information we hold about you (unless an exemption applies)
  • Rectification
  • Erasure
  • To restrict processing
  • Data portability
  • To object
  • Not to be subject to automated decision-making including profiling 

Should you wish to raise an objection to some or all of the information being processed, please contact The Data Protection Officer (

Your right to opt out of data sharing and processing

The NHS Constitution states ‘You have a right to request that your personal confidential information is not used beyond your own care and treatment and to have your objections considered’.  For further information please visit:

There are several forms of opt-outs available at different levels and some examples include:

Type 1 opt-out.  If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in specific circumstances required by law e.g. an outbreak of a pandemic disease.  Patients are only able to register the opt-out at their GP practice.

National data opt-out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.  The new programme provides a facility for individuals to opt-out from the use of their data for research or planning purposes.   The national data opt-out choice can be viewed or changed at any time by using the online service at 


We collect personal information when we receive and investigate a complaint.  We will only use your information to resolve your complaint. We provide reports to our Board and to those who contract with us on complaints received but not in a way which would identify you. We will keep personal information contained in complaint files in line with our retention policy, which is available on request. Our complaints are stored 

In the event that you feel SHPCA has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Data Protection Officer (see ‘How to contact us’ below).

If you remain dissatisfied with our response you can contact the Information Commissioner’s Office (ICO) at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF – Helpline: 0303 123 1113 or online at

SHPCA is registered with the ICO: ZA292145.

Changes to this privacy policy

We may update this privacy policy at any time. When we do, we will revise the date at the bottom of the page. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this privacy policy periodically and become aware of modifications.

How to Contact us

If you have any questions about this Privacy Policy, the practices of our website, or your dealings with our services, please contact us at:

Address: Southern Hampshire Primary Care Alliance Limited, 35 Pure Offices, One Port Way, Portsmouth, PO6 4TY

E-mail: Tel: 023 92 414 020


