Confidentiality & GDPR

Northgate Family Practice Patient Privacy Notice

Northgate Family Practice has a legal duty to explain how we use any personal information we collect about you, as a registered patient at the practice.  Northgate Family Practice maintains records about your health and the treatment you receive in an electronic and paper format.  

Lawful Basis for collecting and processing personal data

Processing is necessary in the exercise of official authority for GPs who carry out NHS work. The processing is necessary for the provision of healthcare services.

Processing is necessary for our compliance with legal obligations.

Processing is necessary in the organisation’s and the person’s legitimate interests for us to keep or use your personal data.

Our special category condition for processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

What information do we collect about you?

We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.

How we will use your information?

Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. Our information in the NIECR will not be passed on for research, monitoring or any other purpose; it is there solely to help the doctors, nurses and care workers in Northern Ireland look after you when you need their care.

Any health and social care organisation that you have contact with keeps a record about you. The Northern Ireland Electronic Care Record (NIECR) is being introduced to bring together key information from your health and social care records from throughout Northern Ireland in a single, secure computer system. This means that wherever you go in Northern Ireland for health or social care services, the doctors and nurses looking after you will have some information about you.  

Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.

Who are potential recipients of your data?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;



NHS Commissioning Support Units

Independent Contractors such as dentists, opticians, pharmacists

Private Sector Providers

Voluntary Sector Providers

Ambulance Trusts

Clinical Commissioning Groups

Social Care Services – eg we share your data with the Northern Ireland Interpreting Service when a translator is required for a consultation.

Health and Social Care Information Centre (HSCIC)

Local Authorities

Education Services

Fire and Rescue Services

Police & Judicial Services

Voluntary Sector Providers

Private Sector Providers

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen if and when this is required.

We use an external company for shredding, (Shred-it) This company is bound by contractual agreements to ensure information is kept confidential and secure.

Maintaining confidentiality and accessing your records

We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the DOH Code of Practice on protecting the confidentiality of service user information, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). In order to request this, you need to do the following:

  • Your request must be made in writing to the Data Protection Officer (DPO).
  • There is no fee for the request; however we may charge a reasonable fee if requests are repetitive, excessive or unfounded.
  • We are required to respond to you within 1 calendar month.
  • You will need to complete an SAR application form which is available to collect at reception. An additional patient leaflet called accessing your medical records is also available.  
  • Furthermore, should you identify any inaccuracies; you have a right to have the inaccurate data corrected.
  • For hospital information you should write directly to them.


Telephone calls


We record inbound and outbound telephone calls, they are held on a dedicated and secure PC and are only accessed where there are concerns about a call (so if it relates to a complaint, a query raised about clinical advice or where threats are received). Similarly they are shared with indemnity providers where it relates to clinical content and police in the event of extreme threats.




We record CCTV images from different public locations around the inside and outside of the building; they are held on a dedicated and secure PC and are only accessed if concerns are raised about allegations of a criminal offence or patient behaviour towards other members of the public or staff. If a query is raised about damage to premises, car park incidents involving damage or injury or indeed patient behaviour. This evidence maybe used to assist in any investigation. In these circumstances evidence maybe handed over to the police. The police may also approach us for evidence but this will only be released via a court order.



Risk stratification


Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including Northgate Family Practice; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.


You have a right to object to your information being shared. Should you wish to opt out of data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of your information outside this practice.

Retention periods

In accordance with the Health & Personal Social Services (General Medical Services Contracts) Regulations (NI) 2004, your GP medical records will be returned to the HSCB when you die or when you are no longer a patient of a GP at Northgate Family Practice. The HSCB will retain records for 10 years after you die or if you emigrate.

Who is the Data Controller?


The Data Controller, responsible for keeping your information secure and confidential is:


Northgate Family Practice 36 Duncairn Gdns Belfast BT15 2GH


The Data Protection Officer is: Dr Ivan Beattie


What to do if you have any questions or complaints

If you have any questions about this privacy notice or our processing of information, if you wish to raise a complaint on how we have handled your personal information, or if you wish to exercise any of your rights set out in this notice, please contact the Data Protection Officer at the following address:


Dr I.Beattie

Northgate Family Practice

36 Duncairn Gdns


BT15 2GH

Phone 02890 743184


In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit and select ‘Raising a concern’


Changes to our privacy policy


We regularly review our privacy policy and any updates will be published on our website, on posters to reflect the changes. This policy is effective from the 1st October 2019.

Health and Social CareThis site is brought to you by My Surgery Website