Privacy Notice

Northern Medical Practitioners Ltd is the data controller for the information described in this Notice. That means we decide what information is processed, why, and how.

• Company name: Northern Medical Practitioners Ltd
• Registered address: 3 Tynedale View, Hexham, NE46 3JG
• Principal place of business: Blaydon Primary Care Centre, Shibdon Road, Blaydon, NE21 5NW
• Companies House number: 15691919
• ICO Data Protection Registration: ZB699505
• Care Quality Commission provider: 1-23497537779

Caldicott Guardian and Information Governance Lead

Our Clinical Director, Dr Mike Fabricius (GMC 6143027), is our Caldicott Guardian and Information Governance Lead. The Caldicott Guardian has particular responsibility for protecting the confidentiality of patient information and enabling appropriate information-sharing for care. You can contact the Caldicott Guardian via hello@northern-medical.co.uk marked for the attention of the Information Governance Lead.

Some of the clinicians working at our clinic are independent practitioners — for example, visiting consultants in urology and pain medicine — who deliver their clinical care under their own professional registration and indemnity. Other clinicians, including the Clinical Director and our employed general practitioners, deliver care as employees of NMP. This is explained in section 2 of our Patient Terms and Conditions.

Irrespective of which clinician sees you, NMP is the single data controller for your clinical record. This is because the record is created and maintained within NMP's own clinical record system, under NMP's control, and NMP is responsible for its accuracy, security, retention, and disclosure. Independent clinicians use NMP's systems as users; they do not hold their own separate record of your NMP care.

This single-controller position keeps things simple for you: there is one organisation to ask about your records, one Privacy Notice to read, and one route for exercising your rights.

Depending on your relationship with us, we may process the following categories of personal information:

3.1 Identity and contact details

• Your name, title, date of birth, sex assigned at birth and gender identity (where clinically relevant or where you wish to tell us);
• Home and postal address, email address, telephone number(s);
• The name and contact details of your NHS GP, where you have one and agree we can correspond;
• Emergency contact details you choose to give us.

3.2 Health information (special category data)

• Medical history, current medications, allergies, relevant family history;
• Clinical findings at consultation, investigation results, diagnoses, treatment plans, operative notes, and aftercare records;
• Images (ultrasound, clinical photographs with your specific consent);
• Pathology and laboratory results (typically via our partner Acculabs);
• Patient-reported outcome measures and questionnaires (via our partner Patient-Watch where applicable);
• Any safeguarding information shared with or disclosed to us in the course of your care.

3.3 Booking, payment, and correspondence

• Your appointments, cancellations, reschedules, and attendance;
• Invoices, payment records, and payment-status information (we do not store your full card details — these are held by our payment processors);
• Emails, texts, telephone call records, and correspondence with you.

3.4 Website and technical information

• Information you submit through the website — enquiry forms, booking forms;
• Technical information about your visit to the website: device type, browser, approximate location, pages visited — only where you have accepted analytics cookies. See our Cookie Policy for detail;
• IP addresses, for security and anti-abuse purposes.

3.5 Where we get information from

Most information comes directly from you. We may also receive information from: your NHS GP or other clinicians (where you authorise sharing); laboratories and imaging providers acting on our clinical requests; and, in limited safeguarding or regulatory circumstances, from third parties acting lawfully.

We only process personal information where we have a clear purpose and a valid legal basis under UK GDPR. The following table summarises the purposes and bases. Health information is special category data and requires a second legal basis under Article 9.

We do not use your personal information for marketing by email or other electronic means without your specific consent.

We share personal information only where necessary for one of the purposes in section 4, or where we are required to do so by law. Every organisation below that processes personal data on our behalf does so under a written data processing agreement that restricts what they can do with the data.

5.1 Processors acting on our behalf

5.2 Other recipients of information

• Your NHS GP, where you consent to us writing to them with relevant clinical information.
• Other clinicians to whom we refer you at your request.
• Regulators — CQC, GMC, NMC, ICO — where lawfully required.
• HMRC and other statutory bodies, where required by law.
• Indemnity providers and legal advisors, where necessary for the defence of a claim or the conduct of a regulatory investigation.
• Safeguarding authorities, where a safeguarding duty arises.
• The courts, where compelled by a court order or equivalent legal process.

5.3 CCTV at the clinic

The building at Blaydon Primary Care Centre has CCTV operated by NHS Property Services, who are the data controller for CCTV recording. NMP is not the controller of CCTV footage. If you wish to make a request about CCTV (for example, a subject access request for footage of yourself), this needs to be directed to NHS Property Services.

Our clinical records are stored in the United Kingdom. Some of our processors are established outside the UK or may sub-process data outside the UK — for example, some Microsoft 365 services use hosting in the European Economic Area, and some website-analytics providers may process data in the United States. Where personal data is transferred outside the UK, we rely on appropriate safeguards: the UK Government's adequacy decisions, Standard Contractual Clauses, or the UK International Data Transfer Agreement, as applicable. You can request copies of the relevant safeguards from the Information Governance Lead.

7.1 We may use an approved AI tool called Heidi to help produce the clinical note from your consultation. Heidi listens to the consultation, produces a draft note, and your clinician reviews, edits, and approves the final note before it is added to your record.

7.2 All decisions about your diagnosis, investigation, and treatment are made by your clinician. AI tools do not make clinical decisions about you.

7.3 We will tell you at the start of a consultation if ambient transcription is in use. You may ask for it to be turned off at any time without affecting your care.

7.4 The audio of your consultation is processed securely under a written data processing agreement and is not used to train AI models.

7.5 We do not use general-purpose AI tools (for example, ChatGPT, Claude, or Gemini) to process information that could identify you.

7.6 Fuller detail, including the governance we apply to AI tools and your rights, is set out in our How We Use AI Tools in Your Care notice and in our internal AI Tools Policy.

We keep your information only for as long as we need to, and no longer. The specific period depends on the category of record — for example, a clinical record is kept far longer than a one-off enquiry email.

Our Records Retention Schedule is the authoritative reference. The main retention periods relevant to you are:

• Your clinical record: 30 years from your last contact with us, or your death plus 10 years, whichever is longer.
• Procedural records — vasectomy, minor surgery, MSK injections, shockwave, and Newcastle Men's Health services: 30 years from the date of the procedure.
• Complaint records: 10 years from closure of the complaint.
• Accounting records, including invoices: 6 years plus the current financial year.
• Website enquiries that do not lead to a booking: 3 years.
• Heidi ambient-scribe audio: deleted by the vendor in line with the agreed retention period (typically short-term) once the clinician has finalised the clinical note.
• Marketing consent records, where applicable: 3 years from withdrawal or last use.

At the end of the retention period, records are securely destroyed — electronically deleted and, if in physical form, cross-cut shredded. Destruction of clinical and sensitive records is logged in our Records Destruction Register.

You have the following rights under UK GDPR:

• Right to be informed — the purpose of this Notice.
• Right of access — you can ask for a copy of the personal information we hold about you. This is known as a Subject Access Request. We respond within one calendar month (which may be extended by two months for complex requests).
• Right to rectification — you can ask us to correct information that is inaccurate or incomplete.
• Right to erasure ("right to be forgotten") — you can ask us to delete information we no longer need. This right is limited for clinical records because of our retention obligations and does not apply where we must keep records for legal, regulatory, or medico-legal reasons.
• Right to restrict processing — you can ask us to suspend processing in specific circumstances.
• Right to data portability — for information you provided under a contract or consent, you can ask us to provide a copy in a structured, commonly used, machine-readable format, or to transfer it to another controller.
• Right to object — you can object to processing we carry out under legitimate interests or for direct marketing. We do not currently carry out direct marketing.
• Rights relating to automated decision-making and profiling — we do not make significant decisions about you using automated decision-making. All clinical decisions are made by clinicians.
• Right to withdraw consent — where we process on the basis of consent (for example, analytics cookies or future marketing), you can withdraw consent at any time.

To exercise any of these rights, contact the Information Governance Lead by email at hello@northern-medical.co.uk. We may ask for evidence of your identity before responding. We will not charge you a fee except in limited cases where the request is manifestly unfounded or excessive.

We take the security of your information seriously. Measures include:

• Role-based access controls on our clinical record system and other business systems.
• Encrypted data in transit and at rest where technically available.
• Multi-factor authentication on clinician and administrative accounts.
• Written data processing agreements with every processor, with due-diligence review of their security before appointment.
• Staff information-governance training, confidentiality clauses, and professional standards (including GMC and NMC obligations on clinicians).
• An incident and breach response process.
• Retention and destruction aligned to our Records Retention Schedule to minimise the risk of holding more data, for longer, than necessary.

Our website uses cookies. The detailed information is in our Cookie Policy. In summary: we use strictly-necessary cookies to operate the site, and analytics cookies only where you have consented via the cookie banner. We do not use marketing or advertising cookies.

If you are not satisfied with how we are handling your personal information, you can:

• Raise a complaint with us — by email to hello@northern-medical.co.uk marked for the attention of the Information Governance Lead. We will acknowledge within five working days and respond within one calendar month.
• Complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113. You can do this without raising a complaint with us first, though we would prefer the opportunity to resolve the matter directly.

We review this Notice at least once a year, and whenever our processing activities change materially. The current version is always available on our website, and the version number and date at the top of this Notice show when it was last updated. Where changes are material, we will draw attention to them at the time.