

Privacy & Cookie Notice


Herts Health LTD is bound by the legal requirements set out under the Data Protection Act 1998 (DPA) and the General Data Protection Regulations 2018 (GDPR). Our legal basis for processing of data relies upon Article 6(1)(e) “Official Authority” and upon Article 9(2)(h) “Health & Social Care” of the GDPR Act.  We are a 'data processor'. Your registered GP remains the 'data controller' of your GP practice record. We have notified the Information Commissioner's Office (ICO) that we process personal data. This notice explains why Herts Health GP Federation collects information about you, how we keep it safe and confidential and how that information may be used.

Click here to see our privacy notice summary (aimed at patients aged 13-16)

What is a privacy notice?

A privacy notice is a statement that describes how an organisation collects, uses, retains and discloses personal information. This can also be called a privacy statement or fair processing notice.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

Why we need your data

Herts Health LTD shall only process your data to fulfil your direct medical care. Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. If you are referred to any Herts Health LTD service we will access only the details that are pertinent to your care, and create new records that detail the care you have received from our services.


In the event that you raise a query or complaint with us in person, via telephone, email, letter or our website we may also process your data to ensure that we are able to respond to your query/complaint.

Should you apply for any vacancies with us we will also process your data in order to complete the recruitment process.  Please see our job applicant privacy policy here.

How your data will be used

We collect and hold data for the sole purpose of providing healthcare services to our patients. In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or in digital form. The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health and information such as outcomes of assessments.

Who your data will be shared with

Your data will be shared with those involved directly in your medical care and within the boundaries of statutory disclosures of information.

You have the right to be informed about the collection and use of your health and personal data. This is a key transparency legal requirement under the Data Protection Act 2018 (DPA) and the General Data Protection Regulations 2018 (GDPR).


Personal data that we may process includes

  • Health treatment or care you have received previously or elsewhere (e.g. NHS Hospital Trust, GP Surgery, Out of Hours GP Centre, A&E, Walk in clinic, etc.). These records help to provide you with the best possible healthcare.

  • Details about you, such as your address and next of kin, emergency contacts

  • Your home telephone number, mobile phone number, email address

  • Any previous contact the service has had with you, such as appointments etc.


How we keep your information confidential and safe

All your NHS health records are kept either digitally/electronically or in a secured paper format. Our electronic records database is hosted by EMIS Health Ltd, who is acting as a data processor, and all information is stored on their secure servers in Leeds and is protected by appropriate security and access is restricted to authorised personnel.


We also make sure that data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. We only contact you regarding matters of medical care, such as appointment reminders.

As an NHS service provider we are required to complete the NHS Data Security and Protection toolkit annually to provide evidence on how we are meeting industry standards in data protection and security. You can find our latest results here.


Your data rights

As a “data subject”, you have the following rights:

  • Right to be informed (Articles 13 and 14)

  • Right of Access (Article 15) – to request a Subject Access Request of all the data and information held on you by Herts Health Ltd.

  • Right of Rectification (Article 16) – to request to have inaccurate or incomplete personal data updated.

  • Right of Erasure (Article 17) – to request to have data erased from our records

  • Right to Restrict Processing (Article 18) – to request processing cease in a certain way

  • Right to Data Portability (Article 20) – right to request a copy of data in paper or electronic copy

  • Right to Object (Article 21) – right to object to use of data

  • Right not to be subject to automated decision-making (Article 22) – right to have human intervention in data processing

Data fair processing activities that Herts Health LTD may perform

General information sharing for direct medical care

  • Routine

  • Emergencies

  • Specific referrals

Access to your GP record

  • Clinical staff

  • Clinical lead auditors

NHS Data Sharing databases

  • The National Summary Care Record (SCR) - Core/Basic

  • The National Summary Care Record (SCR) - Enriched

  • EMIS Web data sharing

  • My Care Record


Data Processors

  • EMIS Health Ltd (our electronic GP records database)

  • Docman Ltd

  • Herts Health Ltd (clinical audits; pseudonymised and anonymised data)

  • Local Authorities (Hertfordshire County Council Social Services)

  • Herts Valleys CCG (anonymised and pseudonymised data)

  • NHS England (anonymised data)



  • Pharmacy collection of FP10 prescriptions

Statutory Disclosures of information

  • CQC

  • The Courts

  • DVLA

  • GMC

  • Health Service Ombudsman

  • HMRC

  • Medical Defence Organisation

  • NHS Counter Fraud

  • NHS Digital

  • The National Diabetes Audit (NDA)

  • Individual GP level data (IGPLD)

  • Female Genital Mutilation data (FGM)

  • Police

  • Public Health

  • Safeguarding

  • Children’s Services

  • s47/s45 Adult SAB

Permissive Disclosures of information

Only with your explicit consent, Herts Health Ltd can release information about you, from your GP record, to relevant organisations. These may include:

  • Your employer

  • Insurance companies

  • Solicitors

Communicating with our patients

  • SMS/Text messages

  • Email (medical purposes)/Email (non-medical purposes)

  • Letter (written correspondence)

What are cookies?

Cookies are small data files that websites place on your computer, laptop or mobile device. They help our website to function properly and enhance your experience of our website. 

Our use of cookies

We use cookies to:

  • make our website work, for example by keeping it secure

  • remember which pop-ups you've seen

  • measure how you use our website, such as which links you click on (analytics cookies)

  • measure how many unique visitors visit our website

What cookies do we use?

Our duty

It is our duty to ensure that your data is kept safe and secure. In the unlikely event that a data breach occurs, or that there has been a suspected attack on our systems which presented a risk to your data security, we will seek to inform you via your registered GP practice.


Exercising your rights

Blocking or restricting cookies

You can stop Cookies being used on your device by activating the setting on your browser that allows you to block the deployment of all or some Cookies.

The following links explain how to access cookie settings in various browsers:

Please visit to find out more. Please note, if you use your browser settings to block Cookies you may not be able to access all or parts of our site.

To opt out of being tracked by Google Analytics across all websites, visit this link:


National Data Opt-Out Programme

The national data opt-out is an NHS Digital service which enables patients receiving NHS funded care to opt out from the use of their data for anything other than their individual care or treatment, for example research or planning purposes. Further information on the National Data Opt-Out programme can be found here



If you have any questions/comments/concerns/complaints about our privacy notice or cookie notice please contact us in the first instance to let us know:

Via our website contact form: Here

Via email:

See our complaints policy here.

Subject Access Requests

According to ICO guidance you no longer need to make a subject access request in writing and can do so via any of our communication channels, including by phone, by post and in person with any member of our staff.


However, should you wish to make a subject access request (SAR) we kindly request that you complete our SAR form and submit it to in order to provide us with all the information we require to process it.  We may also need to contact you to clarify the nature of your request and your personal details. 

Under GDPR legislation we are obliged to respond to your request without undue delay and within one calendar month (30 days).


We will not charge a fee for fulfilment of your request unless the request is deemed 'manifestly unfounded or excessive' as per guidance from the Information Commissioner's Office. In this case we will charge a 'reasonable' fee for the administrative time involved in fulfilment of your request and this will be discussed with you.

Independent advice

For independent advice about data protection, privacy, and data sharing issues, or if you wish to exercise your right to lodge a complaint directly to the ICO, please contact:


Information Commissioner’s Office

Wycliffe House

Water Lane




Tel: 0303 123 1113


Changes to our Privacy & Cookies notice

We keep our privacy notice under regular review, and we will place any updates on this page. This notice was last updated on 01/06/2020.

