Last reviewed: 27th October 2025
Next review due: 26th October 2028

 

1. Introduction

We are committed to protecting your personal information. This privacy notice explains how we process your personal data when you use the services of College Green Medical Practice, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We also comply with the common-law duty of confidentiality in relation to healthcare records.

 

2. Who we are

  • Data Controller: College Green Medical Practice
  • Address: Health and Wellbeing Centre, 1 Bristol Road South, Birmingham, B31 2GH
  • Data Protection Officer (DPO): Umar Sabat
  • Email: ourhealthpartnership@nhs.net
 

3. What information we collect

We collect and hold personal information which may include:

  • Identifying details: name, address, date of birth, contact information, emergency contact.
  • Health and treatment information: medical history, test results, referrals, diagnoses, care plans.
  • Administrative and communications records: appointments, emails, SMS messages, telephone calls.
  • Security and monitoring data: CCTV recordings on our premises and call recordings if relevant.
  • Any other information you provide in the course of your care.
 

4. Why we process your data

We process your information for the following purposes, with the legal basis as indicated:

  • To provide healthcare, diagnose, treat, and manage health and social-care needs: Article 6(1)(c) and Article 9(2)(h) of UK GDPR.
  • To comply with legal obligations, e.g., safeguarding children or vulnerable adults.
  • To improve patient care, audit, service planning, and for public health purposes.
  • For security, monitoring, and premises safety via CCTV.
  • To maintain records, respond to complaints or legal claims, and meet regulatory obligations.
 

5. Who we share your data with

Your data may be shared with:

  • Healthcare professionals involved in your care (hospitals, community services, diagnostic centres).
  • Local authorities, public-health bodies, and safeguarding agencies, as required by law.
  • Third-party service providers acting as processors (IT services, call-recording services, medical suppliers), under confidentiality agreements.
  • Regulatory agencies as required by law.
 

6. National data opt-out

You may opt out of your confidential patient information being used for purposes beyond your care (e.g., research, planning). Note: opt-out may not apply to certain legally required sharing or direct care scenarios.

 

7. Telephone calls and CCTV

  • Telephone calls to the practice may be recorded for training or service-quality purposes and may become part of your clinical record if relevant.
  • CCTV is in operation on the premises for safety; recordings are retained for 31 days unless needed for an investigation.
 

8. Retention of data

We retain personal information only as long as necessary to meet the purposes for which it was collected, following NHS and national retention guidelines. Data is securely destroyed or anonymised once retention periods expire.

 

9. Your rights

Under UK GDPR, you have rights including:

  • Accessing the personal data we hold (Subject Access Request).
  • Correcting inaccurate or incomplete data.
  • Objecting to processing in certain circumstances.
  • Requesting erasure (limited for health data due to legal obligations).
  • Restricting processing or requesting data portability where applicable.
  • Withdrawing consent (where processing relies on it, without affecting prior processing).
  • Lodging a complaint with the ICO if processing is not lawful.
 

10. Security and confidentiality

We implement technical and organisational measures to protect data from unauthorised access, loss, destruction, or damage. Staff access is restricted to those who require it for patient care. Data breaches with high risk to individuals will be reported to the ICO and affected patients.

 

11. Electronic systems and online services

We may use electronic health records, e-communications, and video consultations. Please inform us if you prefer alternative communication methods.

 

12. Children and vulnerable adults

Special safeguards apply when patients are children or lack capacity. Parents, guardians, or carers may be asked to provide proof of authority to act.

 

13. Changes to this privacy notice

We regularly review this notice. Significant changes will be published on our website or made available in practice. The “Last reviewed” date above shows the latest update.

 

14. Contact and complaints

For queries or complaints about data processing, or to exercise your rights, contact:

Umar Sabat, DPO, College Green Medical Practice, Health and Wellbeing Centre, 1 Bristol Road South, Birmingham, B31 2GH. Email: ourhealthpartnership@nhs.net

You may also complain to the Information Commissioner’s Office (ICO).