Privacy Notice – Social Prescribing Service


Sutton PCN’s primary purpose is to provide the best care possible for you. In order to do this, we need to collect, store and share information about you.

This privacy notice is designed to explain what happens to any personal data that you give us when using our social prescribing service. This includes how your data is held and/or processed by us.

This notice includes:

  • Who we are and how we use your information
  • The kinds of information we hold and how we process them
  • The legal grounds for processing your personal data, including when it is shared with others
  • What to do if your personal information changes
  • The length of time that your information is stored and retained by us
  • Information about your rights under the 2018 Data Protection Act incorporating the UK General Data Protection Regulations (GDPR)
  • Information about what to do if you have a query or problem

Under the 2018 Data Protection Act incorporating the UK General Data Protection Regulation (GDPR), Sutton PCN is known as the Data Controller. As such, we are responsible for keeping your data up to date and accurate, as well as storing it safely and sharing it securely. If you have a problem or a question regarding your data, please contact our Data Protection Officer by e-mail at [email protected] in the first instance.

The information we hold on you

Sutton PCN keeps data on you relating to who you are, where you live, your contact details, your family, details of your ethnicity, occupation (if any) and religion (if any), plus, possibly, information on your lifestyle, your health problems and diagnoses. All of this data helps us in providing you with the best possible care by means of the most appropriate referral to a third party.

All health related data is seen as ‘special category’ or ‘sensitive data’ under the 2018 Data Protection Act which means that it is shared and processed with particular care. This applies to your data whether it is in electronic formats using our Joy system or on paper.

For more information, please see our general Privacy Notice, which covers all of the services that we offer.

Why we hold and process your data

We hold and process your personal data in order to provide you with direct care by means of a referral to a third party organisation. Together with anonymised and pseudonymised patient data (in other words data that cannot be used to identify you) your personal data is also used to:

  • Improve the quality and standard of care that we, and the social prescribing organisations we work with, provide;
  • Monitor standards of patient safety.
  • You also have a choice over whether you wish to use your confidential data – i.e. data that CAN be traced back to you for purposes of:
    • Researching and developing new ways of supporting patients outside of the health service
    • Planning future social prescribing services in the locality.

If you are content with this, then you do not need to do anything. If you are not sure or wish to opt out of sharing your data, please talk to one of our social prescribing link workers, clinical or administrative staff. Please note that a social prescribing referral depends upon the sharing of your data.

For more information on Opting-Out of Research and Planning, please see the section in the general Privacy Notice.

Who do we share information with

As GPs, we cannot provide all your treatment ourselves, so we need to delegate this responsibility to others across our organisation, within your practice and with other organisations such as pharmacies or hospitals. As such, if your care requires treatment outside of the services we provide, we will work with you to make a referral to third party organisations able to offer non-medical support and social connection.

Once you have seen any outside care provider, they will normally send details of your service use back to us. This information is then transferred to the patient record at your GP practice. You have the right to restrict this transfer of your data to your practice.

The sharing of personal data within Sutton PCN and with those other organisations involving our services, such as Primary Care Networks (PCNs) as well as secondary care organisations and social prescribing organisations, is assumed and is allowed by law (including the Data Protection Act 2018). However, we will gladly discuss this with you in more detail if you would like to know more. We keep a register of our Information Assets which also sets out a Record of Processing Activity including the Joy system used for social prescribing.

We have an overriding responsibility to do what is in your best interests under the 2018 Data Protection Act ‘in performance of a public task’ (see legal bases in the summary below). Sutton PCN team (clinicians, administration and reception staff) only access the information they need to allow them to perform their function and fulfil their roles. This summary also contains details of your rights in relation to your data under the Act and how to exercise them.

We do also share anonymised data across our Primary Care Network, the South West London Integrated Care System, Sutton GP Services, Sutton PCNs, Sutton Health & Care, London Integrated Care Systems and NHS England. This data is extracted by secure data extraction tools.

Sutton PCN does NOT share your data with insurance companies or solicitors, except by your specific instruction or consent.

Your data is NOT shared or sold for any marketing purpose.

Communication with Our Patients

Sutton PCN will use your contact details in order to inform you of progress in your treatment or to work with you in managing your health. In terms of our social prescribing service, this is available via your patient record.

For information on how we communicate with you, please see our general Privacy Notice.

Safeguarding and the Caldicott Guardian

Sutton PCNs are dedicated to safeguarding all their patients, including children and vulnerable adults. This means that information will be shared in their best interests. Such decisions are the ultimate responsibility of our Caldicott Guardian. The Caldicott Guardian is the senior person – always a doctor and often a partner within a practice – responsible for protecting the confidentiality of people’s health and care information. The duty to share data for the benefit of individuals can be more important than the duty to protect patient confidentiality, and actions taken as a result of safeguarding concerns will override data protection. The decision of the Caldicott Guardian is final and there is no appeal process.

Research and Planning

Sutton PCN takes part in research that uses anonymised or pseudonymised data. This means that patient data cannot be traced back to individuals and is therefore no longer personal data under the 2018 Data Protection Act.

Anonymised or pseudonymised patient data held by Sutton PCN may also be used to evaluate present services that provide direct care or to plan future ones across Sutton PCNs.

Sometimes, Sutton PCN is contacted to ask whether its patients would consider taking part in research on a particular patient need. In all such cases, where the data used would identify individual patients, data can only be used where patients have given their consent and you will be contacted accordingly.

For information on Data Opt-Outs (the National Data Opt-out) and Your Right to Object, please see our general Privacy Notice.

How is your information stored?

Sutton PCN stores details of its social prescribing service on its Joy system. The contracted data processor for Joy is Pungo Ltd. They can be contacted via 4, Collingwood House, London, England, N19 4PJ.

How long is the information retained?

The medical record is retained at the patient’s practice for the lifetime of the patient plus 10 years. The record of the Referral is retained on Joy for a minimum of 8 years.

Summary of Your Rights

Data Controller of Your Data: Sutton PCN

Data Protection Officer: Miles Dagnall at [email protected].

Purpose of Processing your personal information: The information that is shared is to enable other social care organisations to provide the most appropriate advice, investigations, treatments, therapies and care.

Lawful Basis for Processing your personal information: The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

  • Article 6(1)(c) – the processing is necessary for compliance with a legal obligation to which the controller (the practice) is subject; and/or
  • Article 6(1)(e) ‘…the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Health data is defined as a special kind of personal data and is also processed by Sutton PCN under:

  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..’

The sharing of your personal data also takes place in accordance with the common law duty of confidentiality. Performance of this duty does not require consent from the patient where the proposed use of their data is either for individual care or in the public interest.

Recipient or categories of recipients of your personal data: According to the particular course of treatment, your data will be shared with third party Social Prescribers.

Your right to object: You have the right to object to some or all of the information being processed, which is detailed under Article 21. Exercising your right to object may well prevent the referral or course of treatment from going ahead. Please contact your practice, Sutton PCNs or provider if you wish to exercise this right. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance. You can control how your referral is managed via your Joy app.

Your right to access and correction: You have the right to access your data and to have any inaccuracies corrected. There is no right to have medical records deleted except when ordered by a court of law.

How long do we hold your personal data for? We retain your personal data in line with both national guidance and law, which can be found here:

Your right to complain: If you have a question or wish to complain about the use of your data, please contact the Data Protection Officer at: [email protected].

The use of personal data is overseen by the Information Commissioner’s Office, often known as the ICO. If you wish to complain or raise a concern with the ICO, they can be contacted via their website:

Or you can also call their helpline:
Tel: 0303 123 1113 (local rate)
01625 545 745 (national rate)

Or you can write to them at:
The ICO, Wycliffe House, Water Ln, Wilmslow SK9 5AF
