- Your practice should include a privacy notice on your website and in any materials given to new patients, and display it prominently in the practice.
- The British Medical Association (BMA) has provided a suggested template to ensure that research is sufficiently referenced. You can access this template here: https://w.bma.org.uk/advice-and-support/ethics/confidentiality-and-health-records/gdpr-privacy-notices-for-gp-practices
- Following the OpenSAFELY changes in September 2025, NHS England has provided some additional text to include in your privacy notice.
GP practices should ensure that their privacy notice reflects all the processing of data that happens in relation to patient records. GP practices are therefore advised to add the following paragraphs to their privacy notice, or to draft their own information if they prefer:
Information:
"NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.
Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.
Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.
Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP.
Here you can find additional information about OpenSAFELY."