


Primary Healthcare Derby (PHD)


Personal data – what is it?

Personal data relates to an individual who can be identified from that data.  Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).


Who are we & how do we process your personal data?

Primary Healthcare Derby is the data controller (contact details below).  This means we decide how your personal data is processed and for what purposes.


Primary Healthcare Derby complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.


We use your personal data for the following purposes: -

  • To raise the profile of the federation;

  • To inform you of news, events, contracts and services run by Primary Healthcare Derby;

  • To manage our employees;

  • To enable us to provide a service to our member practices;

  • To administer membership records;

  • To maintain our own accounts and records (including shareholder records);


What is the legal basis for processing your personal data?

Processing is necessary for carrying out legal obligations in relation to employment, shareholder records, or a collective agreement.


Processing is carried out by a not-for-profit organisation: -

  • the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and

  • the processing relates only to employees or former employees (or those who have regular contact with it in connection with those purposes); and

  • there is no disclosure to a third party without consent.


How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 1998 and General Data Protection Regulation 2016

  • Human Rights Act 1998

  • Common Law Duty of Confidentiality

  • Health and Social Care Act 2012

  • NHS Codes of Confidentiality, Information Security and Records Management

  • Information: To Share or Not to Share Review


Every member of staff who works for an NHS organisation has a legal obligation to keep information confidential.


We will only ever use or pass on information about you if others have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations). This decision will be taken only by our designated IG Lead, Jools Roome.


Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • GPs (Appendix A)

  • NHS Trusts / Foundation Trusts (Appendix B)

  • NHS Derby & Derbyshire Clinical Commissioning Group

  • North of England Commissioning Support Unit

  • Derbyshire County Council & Derby City Council

  • Independent Contractors such as dentists, opticians, pharmacists (where applicable, non-current)

  • East Midlands Ambulance Service

  • Private Sector Providers

  • Voluntary Sector Providers

  • Health and Social Care Information Centre (HSCIC)

  • Derbyshire Fire and Rescue Services

  • Derbyshire Police & Judicial Services

  • Other ‘data processors’ which you will be informed of


You will be informed who your data will be shared with and in some cases asked for explicit consent.


We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.


Access to personal information

You have a right under the Data Protection Act 1998 to request access to view or to obtain copies of what information the company holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:
• There may be a charge to have a printed copy of the information held about you
• We are required to respond to you within 40 days
• You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located.


Change of Details

It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.



The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

This information is publicly available on the Information Commissioner's Office website.

The practice is registered with the Information Commissioner's Office (ICO).


How do we monitor compliance with GDPR and other Data Protection Laws?

To assure that Primary Healthcare Derby is compliant with GDPR and other data protection laws it will publish the Data Protection Policy (this document), with the next review set for July 2020. Primary Healthcare Derby will ensure there is appropriate awareness raising and training for all employees. Primary Healthcare Derby with its DPO will conduct an annual audit cycle of training, policies and record keeping. Alexin Healthcare will follow the advice of its DPO in regard to matters raised from these audits.


Who is the Data Protection Officer?

The company has a designated Data Protection Officer (DPO).


The DPO has an expert knowledge of data protection law and they monitor compliance of the practice with data protection regulations. However, responsibility for compliance remains with the data controller and data processor.


They are able to act independently to assure compliance. The DPO reports to the highest level of management in Primary Healthcare Derby, the Board. They will co-operate with national supervisory authorities such as the ICO.


The DPO for Primary Healthcare Derby is Paul Couldrey and his email address is:



Should you have any concerns about how your information is managed by the company please contact the Operational Manager at the following address: Jools Roome;


If you are not able to reach a satisfactory resolution with the Operational Manager, you can raise your complaint to the DPO for further review and consideration.


If you remain unhappy following this process by Primary Healthcare Derby, you can then complain to the Information Commissioner's Office (ICO), telephone: 0303 123 1113 (local rate) or 01625 545 745.




Appendix A – GP Practices

Alvaston Medical Centre

Brook Medical Centre

Chapel Street Medical Centre

Derby Family Medical Centre

Derwent Medical Centre

Derwent Valley Medical Practice

Friar Gate Surgery

Haven Medical Practice

Hollybrook Medical Practice

Horizon Healthcare

Lister House Peartree

Lister House Chellaston

Macklin Street Surgery

Melbourne & Chellaston Medical Practice

Mickleover Medical Centre

Mickleover Surgery

Osmaston Surgery

Overdale Medical Practice

Park Farm Medical Centre

Park Lane Surgery

Parkfields Surgery

Peartree Medical Centre

St Thomas Road Surgery

The Park Medical Practice

Vernon Street Medical Centre

Village Surgery

Wellbrook Medical Centre

Willington Surgery

Wilson Street Surgery

Appendix B – NHS Trusts

University Hospitals of Derby & Burton

Derbyshire Community Health Services NHS Foundation Trust
