GDPR Privacy Notice

Privacy Notice – Melrose Medical Centre

Last updated: September 2025

1. Introduction

Melrose Medical Centre is committed to protecting your personal data and respecting your privacy. This privacy notice explains how we collect, use, store and share personal data, and your rights under UK data protection law.

This notice applies to:

  • Patients
  • Staff (including temporary, bank and former staff)
  • Job applicants

This notice has been prepared in accordance with the UK General Data Protection Regulation (UK GDPR) and the Information Commissioner’s Office (ICO) guidance on privacy notices and transparency.

2. Who We Are (Data Controller)

Melrose Medical Centre
Address: 38 Melrose Avenue, Billingham, TS232JW
Telephone: 01642 553055
Email: nencicb-tv.a81056@nhs.net

Melrose Medical Centre is the data controller, meaning we decide how and why your personal data is processed.

3. Data Protection Contact

If you have any questions about this privacy notice, how your personal data is used, or wish to exercise your data protection rights, please contact:

Practice Manager / Data Protection Lead
Melrose Medical Centre
Telephone: 01642 553055
Email: nencicb-tv.a81056@nhs.net

4. Personal Data We Collect

The type of personal data we collect depends on your relationship with the practice.

a) Patients

  • Name, address, date of birth, NHS number
  • Contact details
  • Medical records, diagnoses, test results and treatment information
  • Medication, referrals and immunisation records
  • Communication preferences

b) Staff

  • Name, address, date of birth and contact details
  • National Insurance number
  • Employment records, job role, salary and pension information
  • Training, appraisal and disciplinary records
  • Sickness and absence records
  • Occupational health information

c) Job Applicants

  • Name and contact details
  • CVs, qualifications and employment history
  • Interview notes and references
  • Equality and diversity information (where provided)

Health and occupational health data is classed as special category data and receives additional protection under UK GDPR.

5. How We Use Your Personal Data

Patients

We use patient information to:

  • Provide safe, effective and continuous healthcare
  • Maintain accurate medical records
  • Communicate with you about appointments and your care
  • Refer you to other healthcare providers
  • Meet NHS contractual, legal and regulatory requirements

Staff

We use staff information to:

  • Manage employment relationships
  • Pay salaries and manage pensions
  • Meet legal obligations (e.g. HMRC, NHS Pension Scheme)
  • Manage training, performance and workforce planning
  • Ensure health, safety and wellbeing at work

Job Applicants

We use applicant information to:

  • Assess suitability for employment
  • Manage recruitment and selection processes
  • Communicate with candidates
  • Comply with employment and equality legislation

6. Lawful Bases for Processing

We process personal data under the following lawful bases:

Article 6 UK GDPR

  • 6(1)(e) – Public task (delivery of NHS healthcare)
  • 6(1)(c) – Legal obligation
  • 6(1)(b) – Contract (employment relationships)
  • 6(1)(f) – Legitimate interests (recruitment administration)

Article 9 UK GDPR (Special Category Data)

  • 9(2)(h) – Health or social care purposes
  • 9(2)(b) – Employment and social security law
  • 9(2)(g) – Substantial public interest

This reflects the ICO’s requirement to clearly identify lawful bases.

7. Who We Share Information With

We only share personal data where it is lawful and necessary. This may include:

  • NHS organisations (GPs, hospitals, community services)
  • NHS England and NHS Digital (where legally required)
  • Integrated Care Boards (ICBs)
  • Payroll providers and NHS pension administrators
  • HMRC and other statutory bodies
  • Professional advisors and regulatory bodies

All organisations we work with are required to keep information secure and confidential.

8. How Long We Keep Information

We retain personal data in line with the NHS Records Management Code of Practice and employment law:

  • Patient records: retained according to NHS retention schedules
  • Staff records: usually retained for 6 years after employment ends (some records longer where required)
  • Job applicant data: usually retained for up to 12 months after the recruitment process ends

9. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Request correction of inaccurate or incomplete data
  • Request erasure in certain circumstances
  • Restrict or object to processing
  • Data portability where applicable

Requests should be made using the contact details above.

10. Complaints

If you have concerns about how your personal data is handled, please contact Melrose Medical Centre first so we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: https://www.ico.org.uk

11. Changes to This Privacy Notice

We may update this privacy notice from time to time. The latest version will always be available on our website.

© Melrose Medical Centre Ltd (Company Registration No. 7091219). All rights reserved. Designed by Webability Design