Please click here for our Morningside Medical Practice Privacy Notice

Morningside Medical Practice Privacy Notice



As a data controller, Morningside Medical Practice are committed to protecting the privacy of our patients within our practice. Information collected is kept strictly confidential and used only for the medical and health care of patients.


To ensure patients who receive care from the practice are comfortable in entrusting their health information to the practice. This policy provides information to patients as to how their personal information is collected and used within the practice and the circumstances in which we may disclose it to third parties.


This policy applies to all employees and patients of Morningside Medical Practice.


The Practice will:

    • Ensure staff comply and deal appropriately with inquiries or concerns

    • Take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance and deal with inquiries or complaints

    • Collect personal information for the primary purpose of managing a patient’s healthcare and for financial claims and payments

Staff Responsibility

The practice staff will take reasonable steps to ensure patients understand

    • What information has been and is being collected

    • Why the information is being collected and whether this is due to a legal requirement

    • How the information will be used or disclosed

    • Why and when their consent is necessary

    • The Practice’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy

Patient Consent

The practice will only interpret and apply a patient’s consent for the primary purpose for which it was provided. The Practice staff must seek additional consent from the patient if the personal information collected may be used for any other purpose. The consent will be explicit consent and required in writing.


Morningside Medical Practice recognises that the information we collect is often of a highly sensitive nature and ensure personal information is protected.

For administrative we ensure quality and continuity of patient care a patient’s health information is shared between the medical practitioners of Morningside Medical Practice

Collected personal information will include patient’s

    • Names, addresses and contact detail
    • Healthcare identifyer
    • Medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors.

A patient’s personal information may be held at the practice in various forms

    • As paper record
    • As electronic record
    • As visuals ie xrays, ct scans, videos & photos

The practice’s procedures for collecting personal information is set out below:

    • Practice staff collect patient’s personal and demographic information via registration when patients present to the practice for the first time.
    • During the course of providing medical services the practice’s healthcare practitioners will consequently collect further personal information
    • Personal information may also be collected from the patient’s guardian or responsible person (where practicable and necessary) or from other involved healthcare specialists.

The practice holds all personal information securely, whether in electronic format, in protected information systems or in hard copy in a secured environment.

Personal information collected by Morningside Medical Practice may be used or disclosed in the following instances:

    • For medical defence purposes
    • As required by law in instances of mandatory reporting of communicable diseases
    • Necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impracticable to obtain patient’s consen
    • To assist in locating a missing perso
    • For the purpose the patient was advised during consult with the treating Doctor
    • As required during the normal operation of services provided. i.e. for referral to a medical specialist or other health service provider
    • For the purpose of a confidential dispute resolution proces
    • Some disclosure may occur to third parties engaged by or for the practice for the Practice for business purposes such as accreditation or for the provision of information technology. These third parties are required to comply with this policy
    • Medical research or health management purposes, such as SPIRE (Scottish Primary Care Information Resource In Scotland) and SHARE (The Scottish Health Research Register).

The practice will not disclose personal information to any third party other than in the course of providing medical services, without full disclosure to the patient or the recipient, the reason for the information transfer and explicit consent from the patient.

The Practice will not use any personal information in relation to direct marketing to a patient without that patient’s explicit consent.

The practice evaluates all unsolicited information it receives to decide if it should be kept, acted upon or destroyed.

Morningside Medical Practice will employ all reasonable endeavours to ensure that a patient’s personal information is not disclosed without their prior explicit consent.


Patient information collected and retained in our records for the purpose of providing quality health care will be complete, accurate, and up to date at the time of collection. Doctors are reminded to review past medical history at least every 3 years.


All due care will be taken to ensure the protection of patient privacy during the transfer, storage and use of personal health information.

Retention of medical records are retained until death.


The following will apply with regard to accessing personal and private medical information by an individual:

An individual has the right to request access their own personal information and request a copy or part of the whole record and no charge.

    • Individuals have the right to obtain their personal information. Requests must be made in writing. Information will be provided within 30 days
    • Whilst the individual is not required to give a reason for obtaining the information, a patient may be asked to clarify the scope of the request.

    • In some instances the request to obtain information may be denied, in these instances the patient will be advised
    • The material over which a Doctor has copyright might be subject to conditions that prevent or restrict further copying or publication without the doctors permission
    • The practice will take reasonable steps to correct personal information where it is satisfied they are not accurate or up to date. From time to time the practice will ask patients to verify the personal information held by the practice is correct and up to date
    • Patients may also request the Practice corrects or updates their information
    • Upon request by the patient, the information held by this practice will be made available to another health provider.


To protect the rights of a child’s privacy, access to a child’s medical information may at times be restricted for parents and guardians. Release of information may be referred back to the treating doctor where there professional judgement and the law will be applied.



This is a GP Training Practice attached to the NHS Education for Scotland Specialty GP Training Programme. We are keen to support the training of new GPs and also to develop the skills of our existing GPs and other staff. As part of this, clinicians working in this practice might make recordings of their consultations with patients to help them improve their consultation skills as well as their ability to talk to patients.


Recording patient consultations for teaching purposes is a recognised and valued part of education in general practice (GP) to help both GP trainees and qualified GPs develop their communication and consulting skills. Now that the range of primary care professionals is expanding, the technique may also be increasingly used by other clinicians. This advice is intended to help GP practices maintain this learning activity whilst ensuring they meet their responsibilities within the current guidance for Information Governance, including the recently introduced General Data Protection Regulation (GDPR).



General Principles


  1. All recorded consultations must be accompanied by a valid signed consent form.
  2. Only patients who are competent to consent can have their consultations recorded. Consultations with children require signed parental/guardian consent. Special care will be taken with the consent procedure where there might be issues with competency to consent or potential language barriers.
  3. Recordings of consultations will be handled with the same level of security as patient record files. Recording devices will not be left unattended during the recording process.
  4. Recordings of consultations should only be taken outside the practice for the purpose of being viewed at a training event. A secure encrypted device must be used.
  5. Recordings of consultations will not include any examination of the patient where clothing needs to be removed. Adjustments to clothing may be allowable e.g. removing a hat or rolling up a sleeve but not exposing more intimate body areas.


  Process for obtaining and recording patient consent

    1. Morningside Medical Practice may ask you if we can record your consultation for training purposes. Please see our Privacy Notice in 

        the waiting room or ask at reception for a copy and that there is a choice as you wish to be recorded without that choice impacting on

        the provision of their health care.

    2. GP trainees will identify in advance the times at which they intend to record patient consultations. Last minute arrangements will be discouraged wherever possible.


  1. Wherever possible, the staff will make the patient aware at the time of booking their appointment that, if you agree, the doctor concerned will record the consultation.


  1. The receptionist may give the you information about the purpose for recording your consultation, if you agree, the receptionist will ask you to sign the consent form.


  1. The receptionist will ask you to return to the reception desk after the consultation to sign the consent form again to ensure that you are still happy for the consultation to have been recorded. If, for any reason, this does not happen the recording will be deleted the same day.

  2. Patients can withdraw consent at any time following this, either verbally or in writing, and we will confirm that the consultation has been deleted.
  3. Only patients who are competent to consent can have their consultations recorded. Consultations with children require signed parental/guardian consent. Special care should be taken with the consent procedure where there might be issues with competency to consent or potential language barriers. 
  4. Informed consent means that the you understand that:
  • the recording might be stored on a secure encrypted device until the training event has taken place or for no longer than 3 months, whichever is the shortest period, unless there is a justifiable exception.
  • the recording will only be used for training purposes, including assessment of the doctor, usually within the practice building between trainer and trainee. Sometimes teaching sessions may be held outside the practice in a group setting where the recording may be viewed by other trainers and trainees.
  • that the recording may be used for Trainer skill development in benchmarking their assessments of trainees.
  • if a training session is being held outside the practice, the recording will be transported via a secure, encrypted method. This recording will be deleted after the GP training session.
  • you can request that the recording is stopped at any stage during the consultation.
  • you can withdraw consent at any time even after completion of the consent form.
  • the recording in the practice will be erased after the time period specified above unless written consent is obtained from the patient to extend the specified period.


  1. Individual patient consent forms will be scanned in to the patient’s electronic notes record after the GP trainee has completed their surgery. Additionally, a note will be made about the anticipated retention period for the recording.  


Security of recorded consultations


  1. Recording of consultations will be handled with the same level of security as patient record files. It is recognised that there is a potential risk of breach of confidentiality with any recorded consultation.

  2. The practice will maintain a dedicated recording device for the sole purpose of recording consultations. Personal smart phones must NOT be used.

  3. The practice maintains an asset log detailing all recorded consultations that are being stored on any secure encrypted device or drive.

  4. We comply with current GDPR guidance.


  1. When recording equipment is not in use, this is stored in a lockable container at the practice. Any person accessing that recording equipment should sign it in and out. This advice is intended to prevent theft of the equipment rather than to secure the recorded consultations as they should never be left on the recording equipment.


  1. The GP Trainee is responsible for the recording equipment, including the sign-in and sign-out process, and takes responsibility for deleting any consultations on the recording equipment after use.

  1. The GP Trainer/GP Trainee are responsible for transferring the recorded consultations to our practice server.


  1. The length of time that a recording can be stored on the secure encrypted device is as specified in the previous section.


  1. A secure encrypted device will be used when a GP trainee needs to take a recorded consultation outside the practice. This will only happen for training purposes. After the training session has finished, the consultation will be deleted from the encrypted device.


  1. The GP trainee will be responsible for the erasure of all recorded consultations at the appropriate time interval and should update the practice asset log when that has happened. The GP Trainer oversee this is carried out.


  1. The
  2. GP trainee will follow any additional internal practice procedures as appropriate.



  1. This policy is discussed with every new GP trainee during their induction period so that the trainee is made aware of the practice’s procedures. Both parties will date and sign to indicate that this has happened.


  1. The practice has a procedure in place for following the consent process and for storing/deleting recordings in line with GDPR requirements.


  1. The practice is responsible for providing the appropriate resources to enable patient consultations to be recorded, stored and transported in an appropriate and secure manner.


  1. The practice ensures that the GP trainee is appropriately deleting recorded consultations, both from any recording device and on any secure encrypted storage device.


  1. If there is ever a data breach we have a separate procedure to follow.


  1. The practice has an open and transparent process in place for any patients wishing to exercise their rights under the GDPR in relation to the recording of their consultations. Any requests from patients wishing to exercise these rights should be dealt with appropriately by the designated member of staff for the practice.


  1. The Practice will provide patients consenting with information sheet detailing their procedures if requested regarding recording of consultations including their rights under GDPR (See relevant section in this policy)


  1. Patients have a right to request a copy of the recording and if this is made the practice will comply or prove that the consultation has been deleted (See completed Practice Asset Log).



The management of Morningside Medical Practice understands the importance of confidentiality and discretion with the way we manage and maintain the personal information of our patients. The Practice takes complaints and concerns about the privacy of patient’s personal information seriously. Patients should express any privacy concerns in writing. The Practice will then attempt to resolve it in accordance with its complaint resolution process.

All employees of Morningside Medical Practice are required to observe the obligations of confidentiality in the course of their employment and are required to sign Confidentiality Statements.

In the instance where you are dissatisfied with the level of service provided within the practice we encourage you to discuss any concerns relating to the privacy of your information with the Practice Manager/Office Manager or your Doctor.

You also have the right to complain about how we use your information to the Information Commissioners Office (ICO). Details about this are on their website at


Morningside Medical Practice

2 Morningside Place


EH10 5ER

Tel: 0131 452 8406

Registration Reference: Z6620969


NHS ScotlandThis site is brought to you by My Surgery Website