Covering the Care We Provide


Fair Processing Notice

This privacy notice explains why STAHFED Ltd collects information about you, how we keep it safe and confidential and how that information may be used.

What is a Privacy Notice?
A privacy notice is a statement that describes how STAHFED Ltd collects, uses, retains and discloses personal information. This can also be called a privacy statement or fair processing notice.

Who are STAHFED?
STAHFED Ltd is a GP-shareholding company, established in 2016 to provide local health services for patients. Local GP Practices in St Albans & Harpenden joined together in a GP Federation to improve patient care and provide services for patients in the local and wider area.

We provide a number of health services: Extended Access GP services, Covid vaccinations and a Primary Care Mental Health service.

Privacy Notice Information
STAHFED Ltd lawfully relies upon Article 6(1)(e) “Official Authority” and upon Article 9(2)(h) “Health & Social Care” of the GDPR Act to process personal data.
To ensure that we process your personal data fairly and lawfully we are required to inform you:

- Why we need your data

We require your data to fulfil your direct medical care. Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. 

We also require your data if you apply for a paid or voluntary role with us.

- How your data will be used

We collect and hold data for the sole purpose of providing healthcare services to patients. In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services. We may keep your information in written form and/or in digital form. The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health and information such as outcomes of assessments. 

- Who your data will be shared with

Your data will be shared with those involved directly in your medical care and within the boundaries of statutory discloses of information.
You have the right to be informed about the collection and use of your health and personal data. This is a key transparency legal requirement under the Data Protection Act 1998 (DPA) and the General Data Protection Regulations 2018 (GDPR).

Personal data that we may process includes:

- Health treatment or care you have received previously or else-where (e.g. NHS Hospital Trust, GP Surgery, Out of Hours GP Centre, A&E, Walk in clinic, etc.). 
These records help to provide you with the best possible healthcare. 

  • Details about you, such as your address and next of kin, emergency contacts

  • Your home telephone number, mobile phone number, email address

  • Any previous contact the service has had with you, such as appointments etc.

  • Personal details for recruitment purposes, on a need to know basis only.

How we keep your information confidential and safe:

All your NHS health records are kept either digitally/electronically or in a secured paper format. Our electronic records database is hosted by EMIS Health Ltd, who is acting as a data processor, and all information is stored on their secure servers in Leeds and is protected by appropriate security and access is restricted to authorised personnel. 

We also make sure that data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. We only contact you regarding matters of medical care, such as appointment reminders. 

Your data rights:
As a “data subject”, you have the following rights:

  • Right to be informed (Articles 13 and 14)

  • Right of Access (Article 15) – to request a Subject Access Request of all the data and information held on you by STAHFED Ltd. 

  • Right of Rectification (Article 16) – to request to have inaccurate or incomplete personal data updated. 

  • Right of Erasure (Article 17)  – to request to have data erased from our records

  • Right to Restrict Processing (Article 18) – to request processing cease in a certain way

  • Right to Data Portability (Article 20) – right to request a copy of data in paper or electronic copy

  • Right to Object (Article 21) – right to object to use of data

  • Right not to be subject to automated decision-making (Article 22) - right to have human intervention in data processing

Data fair processing activities that STAHFED may perform:

General information sharing for direct medical care

Access to your GP record

NHS Data Sharing databases

Statutory Disclosures of information

Permissive Disclosures of information
Only with your explicit consent, STAHFED Ltd can release information about you, from your GP record, to relevant organisations. 
These may include:

  • Your employer

  • Insurance companies

  • Solicitors

Data Processors


Communicating with our patients

The following section outlines the management of the fair processing of this notice, contact details and other access to information legislation.

Complaints about how we process your personal information
In the first instance, you should contact us:


In writing: STAHFED Ltd, Redbourn Health Centre, Redbourn, St Albans, AL3 7BL

By email:                                  

By telephone: 07377 585932

Please contact us if you have any questions about our privacy notice or information we hold about you.
Our opening hours are: 9am to 5pm Monday to Friday.

Changes to our fair processing notice
We keep our privacy notice under regular review and we will place any updates on our website

This notice was last updated on 10/01/2020.


Data Protection Notification
STAHFED Ltd is a ‘data processor’ under the DPA and the GDPR. The GP remains the ‘data controller’ of the GP Practice record. We have notified the Information Commissioner’s Office (ICO) that we process personal data.

Our Data Protection Officer is Zoe Matthews

For independent advice about data protection, privacy, and data sharing issues, or if you wish to express your right to lodge a complaint directly to the ICO, please contact: 
Information Commissioner’s Office
Wycliffe House
Water Lane
Tel: 0303 123 1113 



As a Provider of community health services, STAHFED Ltd are conscious of our obligations to the security of patient data and take seriously our efforts to safeguard sensitive health and care information.

With our local healthcare services involving data processing of patient's generic (demographic) and health (medical) data, for the purposes of providing health care, we have identified the need for a Data Protection Impact Assessment (DPIA), following the standard guidelines of the ICO.

To read our DPIA for our EA service, please click here

To read our DPIA for our PCMH Service, please click here


For EA, COVID-19 Vaccination or Mental Health Support

You will automatically receive an invitation to attend for your COVID-19 Vaccination, there is no need to contact your practice.

All other appointments can be booked through your registered practice, if you wish to boon an appointment in the Extended Access Service, in the evenings or at weekends, please ask your practice to book this.  

If you think you could benefit from our Primary Care Mental Health Service, you will need to make an appointment to see your GP, who is then able to refer you directly into this service for a telephone or face to face appointment.