Data & Privacy

RWT Primary Care Network

A number of pages throughout this site may invite users to complete forms including their personal details. There is no requirement to fill in these forms in order to view general material on this site. If do you wish to complete a form with your details you should note the following:

All information collected on forms will be submitted via email. NHS Wolverhampton and this GP practice operates highly secure Electronic mail systems in line with National Health Service requirements, we are, however, unable to guarantee that your email service provider is able to offer the same level of security.

If you are sending confidential information to this practice  via email we assure you that once it reaches our network we will ensure its confidentiality and security, we cannot offer the same assurance for your email service provider. This means that any email you send is sent unsecured across the internet.

If you have any questions about your own email security please contact your service provider or if you have any questions about this service or NHS confidentiality please contact the Patient Advice and Liaison service on 01902 445378.

Information submitted to the practice  via this web site will be used solely for the purpose for which it is collected, and will not be passed on to other areas of Trusts within the NHS Wolverhampton, nor to any other organisation outside this Community, without your explicit permission. The purpose for which the information is collected will be made clear.

We have implemented security procedures and technical measures to protect any personal data which is kept by the practice from

  • Unauthorised access.
  • Improper use or disclosure.
  • Unauthorised modification.
  • Unlawful destruction or accidental loss.

Practice employees who have access to personal data are obliged to respect confidentiality, they are bound by confidentiality contract clauses and the duties of common law.

NHS Wolverhampton and this practice abides by the Data Protection Act of 1998 in the holding and processing of your personal data. The Practice Manager is happy to answer any enquiries and may be contacted by letter or phone.

If you are using a public computer and do not wish others to be able to go back to view the details you have typed into a form on the web it is advisable to clear the contents of the form and your cache (temporary internet files) before leaving the computer.

Some information is collected automatically by the web server and is used by NHS Wolverhampton, in aggregate form, for statistical analysis of visits to the site.

Further information on Data Protection issues can be found at

We do not use cookies for collecting user information and we will not collect any information about you except that required for system administration of our web server.

Link Policy

All links from this website are selected using our links policy. Links are provided for information and convenience only. We cannot accept responsibility for the sites linked to, or the information found there. A link does not imply an endorsement of a site; likewise, not linking to a particular site does not imply lack of endorsement.

You do not have to ask permission to link directly to pages hosted on this site. However, we do not permit our pages to be loaded into frames on your site. The pages must load into the users entire window. You must not use the NHS logo to link to our site without prior permission.


This website is committed to the highest standards of information quality. Every effort is taken to ensure that the information contained in this website is both accurate and complete. However, NHS Wolverhampton and the practice gives no warranty, either expressed or implied, as to the accuracy of the information on this website and accepts no liability for any loss or inconvenience caused as a result of reliance on such information.

In no way should any of the information found here be a substitute for professional medical care by a qualified doctor or other health care professional.


We cannot guarantee uninterrupted access to this website, or the sites to which it links. We accept no responsibility for any damages arising from the loss of use of this information.

Intellectual Property

The names, images and logos identifying the practice are the proprietary marks of the NHS. Copying our logos and any other third party logos accessed via this website is not permitted without the prior approval of the relevant copyright owner.

Virus Protection

We make every effort to check and test material at all stages of production. It is always wise for you to run an anti-virus programme on all material downloaded from the internet. We cannot accept any responsibility for any loss, disruption or damage to your data or your computer system that may occur while using material derived from this website.

Privacy Notice – Horizon Call Recording Telephony system

This privacy notice explains about our PCN Telephony System, Horizon and partner Gamma who are responsible for the call recording. The core network integration between the Platform and Horizon provides a reliable way to record all incoming, outgoing and internal Horizon calls. Call recordings are stored encrypted for security and can be accessed online via a call recording portal that provides a multi-level permissions-based accessInbound calls, the system will notify you that all telephone calls are recorded for auditing, training and monitoring purpose. Outbound calls will also be recorded for the same reason and this information can be found in this notice, displayed on our website and in the surgery. We lawfully do not require your consent; however, you do have the right to terminate the call if you do not wish for the call to be recorded. All calls made to the practice by a registered patient or from the practice to a registered patient, will be stored securely on Servers hosted by Gamma at their datacentre. All data originates from the caller into the practice or the practice dialing out to the recipient.

Personal data

 When a call is recorded we collect:

  • a digital recording of the telephone conversation
  • the telephone number of both parties (internal and external)
  • Personal data revealed during a telephone call will be digitally recorded for example name and contact details to deliver appropriate services.
  • Occasionally ‘special category’ personal information may be recorded where a customer voluntarily discloses health, religious, ethnicity or criminal information to support their request for advice and/or services.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller

Royal Wolverhampton NHS Trust

Practice Managers and Service Delivery Managers

2) Data Protection Officer

Raz Edwards, Royal Wolverhampton NHS Trust

3) Purpose of the processing Direct Health Care – To enable a safe two-way communication between patient and Surgery.

4) Lawful basis for processing.The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(b) Carrying out of obligations under employment, social security or social protection law, or a collective agreement’

Article 9(2)(c) Vital interests of a data subject who is physically or legally incapable of giving consent.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of

health or social care or treatment or the management of health or social care systems and services…”

*Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

5) Recipient or categories of recipients of the processed data

Data is accessible by the Practice as the Data Controller for this information. Information may be accessed remotely by the supplier for support purposes. Making recordings available for the Practice, patients and other data subjects may request this.

6) Rights to object You have the right to object to some or all the information being

processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance

7) Right to access and correct You have the right to access the data that is being stored and have any inaccuracies corrected. There is no right to have accurate medical

records deleted except when ordered by a court of Law.

8) Retention period The recording data will be retained for 3 months on the Telephony

System hosted by Gamma, before being automatically deleted.

9) Right to Complain. You have the right to complain to the Information Commissioner’s

Office, you can use this link

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent. The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.In practice, this means that all patient information, whether held on paper,  computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order

Categories of Personal Data

  • race;
  • ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where this is used for identification purposes);
  • health data;
  • sex life; or
  • sexual orientation.

Medical Examiners Programme – Data Sharing Statement

The medical examiner office at our trust has been commissioned by NHS England and NHS Improvement to provide medical examiners to carry out independent scrutiny of the causes of death for non-coronial deaths of patients previously registered under your care. In order to undertake this duty, we will require access to records relating to relevant patients and their next of kin. This statement describes the information governance arrangements in place to facilitate this.

What information will we require and why?

In order to undertake our duties, we will require access to:

  • Medical and clinical records associated with deceased patients, which will be independently reviewed by our medical examiner
  • Contact details for relevant patients’ next of kin, so our medical examiners and medical examiner officers can contact them to ask if they have questions about the causes of death, and about any concerns they may have regarding the care before death.
  • The medical examiner or medical examiner officer will also contact the medical practitioner completing the Medical Certificate of Cause of Death, regarding the proposed causes of death. This interaction can be completed by correspondence (eg email), a verbal discussion is not normally required.

What is our UK GDPR basis for collecting this information?

Medical records associated with deceased patients are outside scope of the UK GDPR. However, next of kin details are within the scope of the UK GDPR. Our Trust is the controller for next of kin’s contact details, which we shall process under Article 6.1(e).

Under Article 6(1)(e) of the GDPR, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority invested in the controller. The information is being processed for the purposes of the medical examiner system, as part of the NHS Patient Safety strategy and within NHS Trust and NHS foundation trust functions for activities carried out in connection with the provision of health services. It is necessary for medical purposes and is undertaken by either a health professional, or a person who, in the circumstances owes a duty of confidentiality to the patient equivalent to that of a health professional. We will be clear with relevant organisations from which the information is requested, the purpose of collecting the information. Only information which is relevant to the medical examiner system will be collected.

How will we set aside the duty of confidence in order to review medical records of deceased patients? 

Secretary of State for Health and Social Care decision

NHS England and NHS Improvement, on behalf of NHS Trusts and NHS foundation trusts, submitted an application under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’) to process confidential information without consent.

The Secretary of State for Health and Social Care, having considered the advice from the Confidentiality Advisory Group, supported the application which means that confidential patient information can be shared with medical examiners by health and care organisations for the purpose of the medical examiner programme.

Details of the approved application  (ref: 21/CAG/0032) can be found on the Health Research Authority’s website .

The General Medical Council’s (GMC) Confidentiality Guidance advises that doctors should disclose relevant information about a patient who has died where disclosure is authorised under section 251 of the NHS Act 2006.

Paragraph 137 of the General Medical Council (GMC) guidance advises:

137 – Circumstances in which you should usually disclose relevant information about a patient who has died include:

  • the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality, unless you know the patient has objected

Paragraph 103 to 105 of the GMC guidance advises:

103 – In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.

104 – Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable.

105 – You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.

How will we secure your information?

We have provided a copy of our organisational assurance checklist with this statement, which should provide you with confidence in our ability to process your data in a secure, lawful and transparent manner.

Digitisation of Paper Medical Records – Privacy Notice

The NHS Long Term plan published in 2019 requires the digitisation of all primary care paper medical records, commonly known as ‘Lloyd George’ records or ‘A4 medical records’
Having paper based medical records restricts the use of technology to provide ‘joined up’ services and therefore the current paper records will be transferred to a digital format and then destroyed.
This will involve the current patient paper medical records being scanned and then entered directly into a patient’s electronic medical record. This work will be completed by a third-party supplier, NEC Software Solutions UK Limited (formerly known as Northgate Public Services), whose security standards have been reviewed by NHS Black Country Integrated Care Board (BC ICB).

We are required by Data Protection law to provide you with the following information about how we handle your information.

Data Controller contact details : Royal Wolverhampton Primary Care Network (Alfred Squire Road Coalway Road Surgery, Lea Road Medical Practice, Oxley Surgery, Penn Manor Medical Centre, Thornley Street Surgery, Warstones Health Centre, West Park Surgery)
Data Protection Officer contact details: Daniel Okonofua (Interim Head of Data Security and Protection DPO)
Purpose of the processing: Transferring the current paper medical records into patients’ electronic medical records.
Lawful basis for processing: The following provisions of the General Data Protection Regulation permit us to digitise existing paper medical records:
Article 6(1)(e) – ‘processing is necessary…in the exercise of official authority vested in the controller…’’
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’
Recipient or categories of recipients of the processed data: We will not be sharing your data with a third party. However we will be employing the services of NEC to carry out the scanning and digitisation of the current paper medical records on our behalf.
Right to access and correction: You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website The Royal Wolverhampton Trust Primary Care Network (RWT PCN) (
Retention period: GP medical records will be kept in line with the law and national guidance. Information on how long records can be kept can be found within the NHS Records Management Code of Practice or speak to the Practice. The paper medical records will be destroyed 60 days after they are transferred to an electronic format and written confirmation received from the practice in accordance with national standards.

The practice holds medical records to provide medical treatment and advice and patients have a relationship with a GP in order for them to be provide health and care service to you. We therefore do not require your consent to transfer these papers records to an electronic format.
If you have any questions about this project, please contact Fran Freeman, BCICB Lloyd George Digitisation Project Manager; Tel; 0121 612 4110 (Time-2-Talk).

Please note that information about your rights covered by Data Protection legislation and the complaints procedure are detailed in the Practice’s Main Privacy Notice The Royal Wolverhampton Trust Primary Care Network (RWT PCN) (

Details of Supplier:
NEC Software Solutions UK Limited (formerly known as Northgate Public Services)
Suite 101, 1st Floor iMex Centre
575-599 Maxted Road
Hemel Hempstead
Document scanning that’s secure and efficient – NEC Software Solutions (

General Information