Connecting your Care

Privacy Notice – Direct Care

Plain English explanation

This privacy notice explains why health and care organisations share information about you and how that information may be used in the Connecting your Care programme.

You can find out more about the organisations that are part of Connecting your Care on our website, along with the answers to some Frequently Asked Questions at:

The health and care professionals who look after you keep their own records in different specialist systems that contain details of any treatment or care you have received or are receiving from them. These records may be electronic, on paper or a mixture of both, and a combination of working practices and technology ensure your information is kept confidential and secure.

Connecting your Care provides health and care professionals with a secure electronic summary view of the information that organisations want to share about you. This provides the people looking after you with important information from other services that you use, so that they can quickly assess you and make the best decision or plans about your care.

The information which health and care organisations can share about you might include the following information:

  • Details about you, such as address, contact details and next of kin
  • Any contact the health or care provider has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes/reports and assessments about your health and care
  • Details about your planned treatment and care
  • Results of investigations, such as blood tests, scans, x-rays, etc.
  • Relevant information from other health and care professionals, relatives or those who care for you
  • Care and support you may be receiving from Social Care services
  • Urgent care and NHS 111 visits/calls
  • London Ambulance Service calls.

As part of this Privacy Notice we are required by law to provide you with the following information. To help in understanding the terms of this Notice we have provided definitions where indicated.

1) Controller contact details

Mersham Medical Centre
30 Norbury Road
Thornton Heath
0208 653 1869

2) Data Protection Officer contact details

Umar Sabet


3) Purpose of the processing (sharing)

Information will be shared in order to facilitate “direct care” that is delivered to the individual – that is, where a health or care Organisation has direct contact with a patient or service user in order to provide them with immediate care, treatment or services.

Direct Patient Care is defined as:

“a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care”. [Information: To Share or Not To Share? Dame Fiona Caldicott,  April 2013].

4) Lawful basis for processing (sharing)

“Processing involves any operation performed on personal data, whether or not by automated means. This includes collection, use, recording, feeding it to machine learning algorithms.”

The processing (sharing) of personal data in the delivery of direct care and for providers’ administrative purposes in this organisation, and in support of direct care elsewhere, is supported under the following Article 6 and 9 conditions of the: Data Protection Act 2018/General Data Protection Regulation 2016:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

Health and social care services have a  legal obligation to share information about you from their records if it is seen to be in your best interests for the purposes of your direct care.

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.

“Common Law Duty of Confidentiality”

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or ‘case’ law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent or, in the absence of consent, a legitimising purpose.

5) The Sources of the Data and the Recipient or categories of recipients of the processed data

Data sources

Information is shared between all the health and care organisations that are part of the Connecting your Care programme.

For the full list of organisations that are part of Connecting your Care please see our website:

Categories of recipients

Only health and care professionals in each of the defined organisations who are providing you directly with care or services can see your information.

This Privacy Notice will be reviewed and updated annually, as required, or in the event of significant change. The list of organisations that are part of Connecting your Care will be updated each time new partners join the programme.

7) Rights to object

You have the right to object to some or all your information being processed (shared)  under current data protection legislation (Article 21 the General Data Protection Regulations 2016, and the Data Protection Act 2018).

You are advised that whilst under this legislation you have the right to raise an objection, this right is not absolute in relation to health and care data being shared for for the purposes of direct care under the lawful bases for sharing as described in section 4 of this Privacy Notice.

All objections will be considered on an individual basis by the Data Controller.

The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website.

8) Right to access and rectification


You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider.

If your health or care provider holds information about you, and you make a subject access request they will:

  • Give you a description of it
  • Tell you why it is being held
  • Tell you who it could be shared with
  • Let you have a copy of the information in an intelligible form.

To make a Subject Access Request you will need to contact your health or care provider’s Data Protection Officer in writing. The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website. Rectification

You have the right to have inaccurate personal data rectified, and in some circumstances removed. Requests to amend or delete data should be  made to the individual Data Controller via the DPO, as per the contact information in section 2 of this Privacy Notice.

Under current data protection legislation, all data controllers have a responsibility to ensure the information held about you is correct and up to date and must take all reasonable steps to correct or erase incorrect information as soon as possible.

All requests to amend or remove information will be addressed on an individual basis by each Data Controller, however, it should be noted that, for example, information recorded by a health or care professional that is believed to be correct at the time of documentation, even when subsequently updated, is unlikely to be removed.

There is no right to have accurate medical records deleted except when ordered by a Court of Law.

8) Retention period

Information held about you by each Data Controller  will be retained in line with the law and national guidance.

9)  Right to Complain.

You have the right to complain about the way in which your information is used or shared,  if you think the information has been shared inappropriately. Each provider will have their own complaints process and you will need to contact them directly to register a complaint.

You can find the contact details and information about how to register a complaint on the website.

You can also contact the Information Commissioner’s Office at or call their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate).

Frequently Asked Questions

For more information, please view the Connecting Your Care FAQs.