Privacy Notice

BHSF Medical Practice is committed to protecting your data and complying with data protection legislation. BHSF is a data controller. This means that we are responsible for deciding how we hold and use personal information about you. This statement sets out how and why we are processing the information we have on you. It also explains your rights as a data subject.

What is our commitment to you?

Our aim in processing your data is to successfully deliver our service to you with an appropriate level of data sharing whilst recognising the need to protect your fundamental rights to privacy.

BHSF is committed to:-

  • Protecting the confidentiality, integrity and availability of the information it collects, stores, transfers and processes in accordance with the GDPR, and international good practice, and to meet its legal requirements and contractual obligations
  • Explaining why it needs personal information and only asking for the personal information it needs
  • Processing data only in a manner that is compatible with the specified, explicit and lawful purposes
  • Maintaining the accuracy and completeness of data
  • Only sharing personal information with other organisations as necessary, where the person concerned has given their consent to share their personal data, or where another legal basis of sharing the data overrides the need to give consent
  • Ensuring the individual can make requests in relation to their data subject rights
  • Not keeping personal information for longer than necessary or as required by legislation
  • Investigating and reporting data breaches and suspected breaches, and to being open and honest when things have gone wrong
  • Assessing its information security controls annually
  • Applying the above standards to its supply chain and delivery partners
  • Keeping data in a form that permits identification of individuals no longer than necessary for the purposes for which the personal data is processed, in accordance with the BHSF data record
  • Applying appropriate technological and organisational controls to ensure the security of personal data

In order to meet its commitment, BHSF operates a wide range of technical, physical and procedural controls to maintain the confidentiality, integrity and availability of information. BHSF maintains an information security policy which provides further details regarding the minimum standards of control to which it operates.

What are your rights?

At BHSF we recognise that your data is important to you and therefore we are committed to supporting you with your data protection rights. Within legal and regulatory constraints, you have the right to:

  • Have information about how your information is being processed
  • Request a copy of your data at any time (commonly known as a data subject access request)
  • Port (move/transfer) your data to an alternative service provider
  • Have your data rectified or corrected if it is factually inaccurate
  • Be forgotten or have your data erased
  • Restrict the processing of your data, in certain circumstances
  • Object to the processing of your data, in certain circumstances
  • Appropriate decision making

Do you have a right to withdraw consent?

You have the right to withdraw your consent to specific processing at any time. Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis to do so in law.

How can you contact us about your data or your data rights?

If you wish to contact us about your data, or if you require any further information in addition to what is included in this privacy notice, please contact our Data Protection Officer at;
DPO, BHSF Group Limited, Gamgee House, 2 Darnley Road, Birmingham, B16 8TE
Telephone: 0800 0744 318

What should you do if you want to make a complaint about the way your data is being processed?

At BHSF we make every endeavour to protect your data. In the unfortunate circumstance that you are not happy with the manner in which we process your data, you may wish to make a complaint. In the first instance, please contact the BHSF Data Protection officer in writing, stating your name, date of birth, contact details and the nature of your complaint against BHSF.

If you are not happy with the response you receive you may also wish to contact the UK data protection regulator, the Information Commissioner, whose contact details are available at

How and why do we process your personal data?

We will only process your personal information for the purpose for which we collected it. If we need to use your information for an unrelated purpose we will contact you and we will explain the legal basis that allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with our obligations in the case of criminal investigation.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time.

Why are we processing your data?

Under the GDPR, our legal basis for the initial processing of your data is as follows;

Article 6 (1) (f): ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’, and

Article 9 (h): ‘processing necessary for …………the provision of health or social care or treatment of health or social care systems…..’

Our legitimate interests are that as a part of a contract with you to provide medical services, we give you advice and treatment in support of your health and well-being.

Under common law, we will seek your consent before the release of your personal data to a third party.

What kinds of information do we process?

As part of our medical practice provision we process:-

  • Private GP records
  • Lifestyle health screening records
  • Counselling referrals records
  • Physiotherapy referrals records
  • Vaccinations records
  • Appointment records
  • Equipment calibration records
  • Clinical audit records
  • Medical equipment use records
  • Complaints records

Will we share your data with anyone?

We only share your data if it is absolutely necessary for providing you with the medical service agreed with you. To provide the service your data may be shared with your GP or other healthcare practitioners to meet your health requirements. In addition, periodically, your anonymised data may be shared with statutory bodies in order to undertake clinical audits that ensure we continually improve our clinical standards.

We only work with trusted suppliers who have agreed to the terms of our Data Processor Agreement, to treat your information as respectfully as we do, and in accordance with the requirements of the General Data Protection Regulation. Your data will only ever be processed within the United Kingdom. Suppliers may include organisations providing counselling, physiotherapy or blood screening services, for example.

How long will we keep your data for?

At BHSF Medical Practice, we store your data in line with regulatory and contractual requirements. Different types of health data must be retained for different periods of times due to regulatory requirements and potential for litigation. For example, health surveillance data will be kept for up to 40 years in compliance with the Care of Substances Hazardous to Health Regs. 2002. We are committed to storing all your data securely for the full duration of its retention. We are committed to storing all your data securely for the full duration of its retention. We will take appropriate technical and organisational security measures to safeguard information.

Will we use your data to make automated decisions?


Do you have to agree to us processing your data?

As a provider of health services we can legitimately process your data under clause 6(f) and 9(h) of the GDPR without requiring your consent. This processing does not include the release of all or any part of your personal data and your explicit consent will always be sought for this.