Ruston Street Clinic Patient and Service User Privacy Notice

Ruston Street, Bow
London
E3 2 LR
020 8980 1652

Ruston Street Clinic is a registered healthcare provider with the Care Quality Commission (CQC), dedicated to delivering high-quality patient care. We are located at Ruston Street, Bow, London, E3 2LR. Proudly, we are also part of Bow Health Network, known as Network 5 (NW5).

As a registered patient or service user at Ruston Street Clinic we understand how important it is to keep your personal and healthcare information safe and secure, and we take this very seriously. We have taken steps to make sure your information is looked after in the best possible way, and we review this regularly.

When we use your personal information, we must ensure that the use is lawful, fair and transparent and complies with all the other principles and requirements of the UK General Data Protection Regulation (UK GDPR). Please read this privacy notice carefully, as it contains important information about how we use the personal information we collect about you.

What is a privacy notice?

A privacy notice outlines the personal information (also known as personal data) we collect about our patients and service users, along with how this information is used. Being transparent and providing clear information about how we handle your personal data is a key requirement of the UK GDPR.

Under the UK GDPR, we are required to handle personal information in a fair, lawful, and transparent manner. This applies to all activities involving a patient's personal data. To ensure compliance, our organisation must:

  • Have a valid legal basis for collecting and using personal information.
  • Protect individuals from harm by preventing improper use or sharing of their information (e.g., unauthorised disclosure to third parties).
  • Be transparent about how personal information will be used, providing clear and accessible privacy notices at the point of collection.
  • Adhere to data protection laws and guidance, ensuring personal information is processed securely and responsibly.
  • Avoid misuse or unlawful handling of the information at all times.

By following these principles, we uphold patient trust and comply with data protection law.

Our data controller contacts details

Ruston Street Clinic is the data controller for your personal information. This means we are responsible for collecting, storing, and managing your personal and healthcare data when you register with us as a patient or service user. Details on how we use your information are outlined in this privacy notice.

We are registered with the Information Commissioner’s Office (ICO) under registration number ZA427658.

Our clinic is located at Ruston Street, Bow, London, E3 2LR. If you have any questions or concerns about how your personal information is handled, please feel free to contact us directly.

Data Protection Officer contact details

Our Data Protection Officer (DPO) is the NHS NEL GP DPO and is responsible for monitoring our compliance with data protection requirements.

You can contact our DPO with queries or concerns relating to the use of your personal information.

NHS NEL GP DPO

NHS North East London Integrated Care Board

Unex Tower
4th Floor
5 Station Street
London
E15 1DA

Email: Itservicedesk.nelicb@nhs.net

Telephone: 0300 303 6778

Subject Access Requests (SARs) should be made in writing to Ruston Street Clinic, Bow, London, E3 2LR and this will be handled by the Practice Manager.

Personal information we collect from you

The information we collect from you will include

  • Your contact details (such as your name and email address, including place of work and work contact details)
  • Details and contact numbers of your next of kin or emergency contacts
  • Your date of birth, gender, ethnicity
  • Details in relation to your medical history
  • The reason for your visit to the GP practice
  • Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the GP practice or Primary Care Network involved in your direct healthcare.

Personal information we collect from third parties

When you register with Ruston Street Clinic, located at E3 2LR, Bow, London, we will receive your GP medical records if you were previously registered with another practice.

While you are registered with us, we will also collect personal and healthcare information about you from various sources, including:

  • Hospitals, consultants, or other medical or healthcare professionals involved in your care.
  • Law enforcement agencies, such as the police.
  • Courts, for example, in response to a court order.
  • Border control and immigration authorities.
  • Social services, where relevant to your care and well-being.
  • Insurance companies, when required for healthcare-related matters.

This information helps us provide you with safe, effective, and coordinated care.

Special category information we collect about you

Personal information about your health is classified as special category data because it is particularly sensitive.

When we receive your personal and healthcare information — whether directly from you or from a third party — it may also include other types of special category data.

Special category information refers to personal data that reveals details about your:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (when used for identification purposes)
  • Health
  • Sex life
  • Sexual orientation

How we use your personal information and special category information

We use your personal and healthcare information in the following ways:

  • to provide you direct healthcare.
  • when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or ongoing healthcare.
  • when we receive a complaint or legal claim from you.
  • when we are required by law to share your information to another organisation, such as other organisations within the North East London integrated care system, the police, by court order, solicitors, or immigration enforcement.
  • when we receive data sharing access requests from other organisations for the purposes of your direct healthcare, or for research and planning.

We will never pass on your information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

The legal justification for using your personal information and special category information

Common Law Duty of Confidentiality

When we use your healthcare information, we not only comply with data protection laws but also adhere to the common law duty of confidentiality. This means that any health and care information you share with us in confidence must not be disclosed without legal authority or justification.

To meet this obligation, we rely on your implied consent to provide you with care. We will always seek your explicit consent for any other uses of your information beyond the provision of care.

Third parties mentioned in your GP medical records

Occasionally, we may record information about third parties that you mention during a consultation. We are committed to protecting the rights of these individuals as well. To ensure their confidentiality, we will remove any references that could violate their privacy before sharing any information with other parties, including yourself.

Third parties may include, but are not limited to, spouses, partners, and other family members.

Data sharing

Whenever you access a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to ensure you receive the best possible healthcare and treatment.

This information may be shared with other approved organisations where there is a legal basis, to support the planning of health and care services, improve care, contribute to research for developing new treatments, and help prevent illness. All of this contributes to better care for you, your family, and future generations.

However, as outlined in this privacy notice, confidential information about your health and care is only used where permitted by law, and it will never be used for any other purpose without your explicit consent.

Data sharing with healthcare organisations and people for your direct healthcare

We may share your personal information with the following individuals or organisations, as they may need access to your information to assist in providing your direct healthcare needs. It is essential for these parties to have access to your information to ensure they can deliver their services to you effectively:

  • Hospital professionals, including doctors, consultants, nurses, etc.
  • Other GPs/Doctors involved in your care.
  • Pharmacists.
  • Nurses and other healthcare professionals.
  • Dentists.
  • Any other individuals or organisations involved in providing services related to your general healthcare, including mental health professionals, vaccination/immunisation or screening providers, private sector providers, and pharmaceutical companies, for the provision of medical equipment, dressings, hosiery, and more.

Your summary care record (SCR)

The Summary Care Record (SCR) is a national database that contains essential patient information, including details of current medications, allergies, and any previous adverse reactions to medicines, all derived from your GP medical records. This information can be accessed and used by authorized healthcare staff across different areas of the NHS health and care system who are directly involved in your care.

To learn more about the SCR, please visit the NHS England website at: Summary Care Record - NHS England Digital.

As a registered patient, you will already have a Summary Care Record (SCR), unless you have previously opted out. This record contains key information such as your current medications, allergies, and any adverse reactions to medicines you have experienced in the past.

You also have the option to share additional medical information, including details about:

  • Your significant illnesses and health conditions.
  • Surgeries and vaccinations you've had.
  • Your preferences regarding treatment (e.g., where you would prefer to receive care).
  • The support you may need and who should be contacted for further information about you.

It's important to note that information about your healthcare may not always be routinely shared across different healthcare organisations and systems. In certain situations, you may need to be treated by professionals who are unfamiliar with your medical history. Essential details can be difficult to recall, especially when you are unwell or have complex care needs.

Having an SCR can be extremely helpful. It provides healthcare staff with critical information from your health record, enabling them to make safer and more informed decisions regarding your care.

As a patient, you have the right to opt-out of sharing your SCR with other healthcare organisations. If you would like more information about opting out or have concerns about your record, please contact the Practice Manager.  You can also choose to opt-in again at any time.

GP Connect

We use an NHS IT service called GP Connect to support your direct healthcare. GP Connect enables patient information to be shared with appropriate clinicians when and where it's needed, helping to improve the quality of care and patient outcomes. It is used exclusively for direct care and is not employed for any other purposes.

Authorised clinicians, such as GPs, NHS 111 clinicians, care home nurses (if you reside in a care home), secondary care trusts, and social care clinicians, can access your GP records through GP Connect if they are involved in your care.

Additionally, the NHS 111 service (along with other locally designated services, such as other GP practices within a Primary Care Network) can use GP Connect to book appointments for you at GP practices and other local healthcare services.

To learn more about GP Connect, please visit the NHS England website: GP Connect Transparency Notice - NHS England Digital.

As a patient, you have the right to opt-out of having your healthcare information shared with other providers via GP Connect. If you would like more information about your rights regarding the sharing of your information through GP Connect, please contact the Practice Manager. You can also choose to opt-in again at any time.

Primary Care Network

The goal of Primary Care Networks (PCNs) is to bring together group practices to create more collaborative workforces, easing the pressure on GPs and allowing them to focus more on patient care. Every area in England is covered by a PCN.

PCNs are a key element of the NHS long-term plan. By enabling GP practices to work together at a larger scale, PCNs help address several challenges, including the recruitment and retention of staff, managing financial and estates pressures, providing a broader range of services to patients, and integrating more effectively with the wider health and care system.

All GP practices are organised into geographical networks, covering populations of approximately 30,000 to 50,000 patients. This allows practices to benefit from additional funding provided under the GP contract. These networks are smaller than most GP federations but are similar in size to the primary care homes found in many areas.

As part of a PCN, this organisation may share your information with other practices within the network to ensure you receive the most effective care and treatment.

We are part of the Bow Health Network, also known as Network 5 (NW5). Network 5 comprises five GP practices: St Stephen's Health Centre, Harley Grove Medical Centre, The Tredegar Practice and Grove Road Surgery.

NHS health checks

Cohorts of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team at this organisation will see confidential information about you during the invitation process.

Safeguarding

Our organisation is committed to ensuring that the principles and duties of safeguarding adults and children are consistently and diligently upheld, with the well-being of all individuals at the core of everything we do.

When handling a safeguarding concern or incident, we retain relevant safeguarding information, such as referrals to safeguarding teams. We may share this information, as necessary, with other partners—such as local authorities, the police, or healthcare professionals (e.g., the mental health team)—to fulfil our duty of care and support investigations as required.

Data sharing for non-healthcare purposes

Your personal information may be shared with other organisations for non-direct healthcare purposes, these organisations include:

  • NHS Commissioning Support Units
  • NHS England
  • NHS Integrated Care Boards
  • Multi-agency Safeguarding Hub
  • Local authorities
  • Social care services
  • Education services

Invoice validation

Your personal information may be shared if you have received treatment to determine which Integrated Care Board is responsible for paying for your treatment.

This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

Pseudo-anonymised data extraction by North East London Integrated Care Board (NHS NEL ICB)

NHS NEL ICB (North East London Integrated Care Board) is the organisation responsible for planning and buying health services across northeast London to meet the population’s needs, making sure all parts of the local health system work effectively together.

NHS NEL ICB extracts medical information about you as a patient, but the information we pass to the organisation via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at NHS NEL ICB from ever identifying you when accessing the information. We will never give NHS NEL ICB the information that would enable them to identify you.

There are good reasons why NHS NEL ICB may require this information, these are as follows:

  • To assist in analysing current health services and proposals for developing future services.
  • To develop risk stratification models to help GPs to identify and support patients with long term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as diabetes.
  • Using risk stratification to help NHS NEL ICB to understand the health needs of the local population in order to plan and commission the right services. Examples include:
  • Flu vaccination uptake
  • Enhanced access
  • Commissioned services
  • Medicines management (review of prescribed medicines)
  • Childhood Immunisations
  • Risk stratification (such as hospital admission prevention).

To learn more about NHS NEL ICB, please visit the organisation’s website: Home - NHS North East London (icb.nhs.uk)

NHS NEL ICB Privacy Notice: Legal information - NHS North East London (icb.nhs.uk)

NHS NEL ICB Risk Stratification Privacy Notice:  Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer (icb.nhs.uk)

Data sharing with NHS England

We will share structured and coded data from your GP medical records with NHS England as required by law.

To protect your privacy, any information that directly identifies you—such as your NHS number, General Practice Local Patient Number, postcode, date of birth, and, if relevant, date of death—will be replaced with unique codes generated by de-identification software before it is sent to NHS England. This ensures that you cannot be directly identified from the data.

NHS England will collect the following information:

  • Demographic data, including your sex, ethnicity, and sexual orientation.
  • Clinical data, including diagnoses, symptoms, observations, test results, medications, allergies, immunizations, referrals, recalls, and appointments, as well as information about your physical, mental, and sexual health.
  • Information about the healthcare staff who have treated you.

More detailed information about the patient data collected is contained within the Data Provision Noticed issued to GP practices.

NHS England will not collect:

  • Your name and address (except for your postcode in unique coded form)
  • Written notes (free text) such as the details of conversations with doctors and nurses
  • Images, letters and documents
  • Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
  • Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment and certain information about gender re-assignment

Anonymised data

Sometimes we may provide other organisations information in anonymised form. If we do so, then none of the information we provide to any other party will not identify you as an individual and cannot be traced back to you.

Data security and retention

How long we keep your personal information

As an NHS provider, we manage your personal and healthcare information in accordance with the NHS England’s Records Management Code of Practice: Records Management Code of Practice - NHS Transformation Directorate (england.nhs.uk)

We are the data controller for your GP medical records while you are a registered patient at our GP practices. If you register with a different GP practice, your medical records will be transferred, and the new GP practice will become the data controller. They will be responsible for keeping your records up to date and providing you with access if you submit a Subject Access Request (SAR).

Security and storage of your personal information

We take the security of your personal and healthcare information extremely seriously and are committed to ensuring its protection. We continuously update our processes and systems to maintain the highest standards of security, and we ensure that our staff receive comprehensive and ongoing training. In addition, we conduct regular assessments and audits of the information we hold about you, and we carry out risk assessments and security reviews whenever we provide additional services.

All our staff, contractors, and locums undergo appropriate and regular training to ensure they understand their personal responsibilities. They are bound by legal and contractual obligations to maintain confidentiality, which are enforceable through disciplinary procedures. Furthermore, we ensure that when information is shared with any third party, it is anonymised and cannot be traced back to you as an individual.

How long we keep your personal information

As an NHS provider we keep your personal and healthcare information in line with NHS England’s Records Management Code of Practice: Records Management Code of Practice - NHS Transformation Directorate (england.nhs.uk)

We are the data controller for your GP medical records whilst you are a registered patient at our GP practices. If you register with another GP practice your medical records will transfer with you, and the new GP practice will be the data controller responsible for keeping your records up to date and giving to you access if you make a subject access request (SAR).

Security and storage of your personal information

We take the security of your personal and healthcare information very seriously and we do everything we can to ensure that it is protected. We regularly update our processes and systems, and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out risk assessments and security reviews.

All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis.

We also have contractual arrangements with all our data processors that covers data protection responsibilities that they must maintain when working with us.

We hold your GP medical records in an electronic patient record system called EMIS Web which is provided by Optum (previously known as EMIS Group). Optum store the information in cloud storage supplied by Amazon Web Services (AWS). The information is stored in the UK and is fully encrypted both in transit and at rest. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the highest levels of security and support. They do not have access to your personal information.

To read Optum’s privacy notice, please click on the link: EMIS Group Privacy Notice | EMIS (emishealth.com).

Auditing of clinical notes

We regularly audit clinical notes as part of our commitment to the effective management of healthcare. Auditing clinical management is no different to a multi-disciplinary team meeting discussion whereby management is reviewed and agreed. We always maintain confidentiality.

Keeping your records up to date

Under the UK GDPR we are legally obliged to protect any personal and healthcare information that we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.

Text messaging and emails - contacting you

We may contact you via SMS or email to notify you about appointments and other services related to your direct care. To ensure we are reaching you and not someone else, please make sure we have your most up-to-date contact details.

As we are committed to protecting your confidential information, it is essential that you inform us immediately of any changes to your contact information.

The SMS service operates on an ‘opt-in’ basis. By providing your mobile number, we will assume you consent to receive messages via SMS. If you wish to opt out, please inform Ruston Street Clinic by contacting the reception team on 02089801652.

We are also transitioning to using the email address on your record as the primary method of communication. If you prefer not to be contacted via email, please let us know by contacting the reception team so we can update your preferences.

Telephone call recordings

When you call Ruston Street Clinic, all calls are recorded.

We record calls for purposes of seeking clarification in the event of a dispute with a patient or service user, and for staff training. Our staff access to call recordings is restricted to the practice manager and the partners.

At Ruston Street Clinic call recordings are retained for a year to support the delivery of safe, effective healthcare service.

If you require access to your calls with the practice, you will need to submit a Subject Access Request to the Practice Manager.

Our website and cookies

When you visit our website, cookies are placed on to your computer to optimise your experience. A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website. You have the option to decline the use of cookies on your first visit to the website.

CCTV at our GP practice

We use surveillance cameras (CCTV) within and around our practice. This is managed by NHS Property, our landlord. CCTV is used by the practice for security and safety. It helps to:

  • Protect staff, patients, visitors and property and prevent crime
  • Apprehend and prosecute offenders and prosecute offenders and provide evidence to take criminal or civil action in the courts
  • Provide a deterrent effect and reduce unlawful activity
  • Help provide a safer environment for our staff
  • Assist in traffic management and car parking schemes
  • Monitor operational and safety related incidents
  • Assist with the verification of claims.

You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Requests should be directed to the Practice Manager.

Ruston Street Clinic CCTV recorded footage is stored for a period of 30 days before being automatically deleted or overwritten. This retention period is used for security, safety and monitoring purposes. This is in compliance with data protection Act.

Your right to opt-out

Type 1 opt-out

To stop your registered GP practice from sharing your personal information for research and planning purposes, you will need to fill opt-out form and return it to Ruston Street Clinic, Ruston Street Clinic, Bow, E3 2LR. Please download the form from the NHS England website: Opt out of sharing your health records - NHS (www.nhs.uk).

Please note, if you choose Type 1 Opt-out, Ruston Street Clinic will not share your personal information for research and planning. However, NHS England will still be able to collect and share personal data from other healthcare providers, such as hospitals.

National data opt-out

The national data opt-out (NDOO) is a service that allows patients to opt-out of their confidential patient information used for research and planning purposes. The opt-out choice is recorded and managed by NHS England, and not your registered GP practice.

There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Your confidential patient information will still be used for your individual care. Choosing to opt-out will not affect your care and treatment. You will still be invited for screening services such as screening for bowel cancer.

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt-out by using one of the following:

  • Online service – patients registering need to know their NHS number or their postcode as registered at Ruston Street Clinic.
  • Telephone service 02089801652 which is open Monday to Friday between 0800 and 1830

NHS App – for use by patients aged 13 and over, patient needs to download the App. The app can be downloaded from the App Store or Google play.

Patients should download the NHS app and switch the NHS app notification to enable request for their medication and book online appointment when it available.

Your right to complain

If you have any concerns about the use of your personal information, you can make a complaint to the Practice Manager at Ruston Street Clinic using the contact details at the top of this privacy notice.

If you remain unhappy with how we have used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Access to this privacy notice, and where English is not your first language

If English is not your first language you can request a translation of this Privacy Notice. Please contact our Practice Manager

Changes to this privacy notice

We regularly review and update our Privacy Notice to ensure it remains accurate and compliant. The next scheduled review will take place in April 2026.