Privacy notice

How patient information is handled in modernGP Navigator

This product summary explains what the service records, why it is used, who can access it, and how long routing records are retained.

About this notice

This page is a product privacy summary for modernGP Navigator. It should be read alongside the GP practice's own privacy notice, contact details, and subject access request process.

Who uses this service

modernGP Navigator is used by GP practice teams to route patient contacts safely to the right next step. Reception and admin staff use it to record the routing conversation, not to diagnose or make clinical decisions.

Who is responsible

The GP practice using the service is normally responsible for the patient records it enters. ModernGP provides the hosted service and support where this is covered by the practice's agreed arrangements.

What information is recorded

The service can record the patient's NHS number or local practice number, age or date of birth, presenting complaint, pathway answers, routing outcome, escalation to the duty GP, safety-rule triggers, concern flags, minimal safe-contact instructions for safeguarding handover, staff user, and audit or export history.

Why the information is used

The information is used so the practice can route the patient correctly, evidence what happened during the contact, investigate complaints or incidents, and meet clinical safety, governance, and legal record-keeping duties.

Who can see it

Authorised practice staff can see operational records according to their role. Audit and metrics screens mask identifiers by default. Full identifiers are only available through authorised correction workflows or explicit logged export actions for documented governance reasons. Support or admin access should be limited to agreed support, security, or incident purposes.

How records are protected

Key patient details are stored with field-level encryption and are protected by role controls, audit logging, export reason capture, and short-lived encrypted export downloads. CSV exports are prepared to reduce spreadsheet formula-injection risk.

How long records are kept

The product default is to keep triage records for at least 8 years. If the patient was under 18 at the time of contact, the record is kept until the later of 8 years after the event or the patient reaching age 25. Export logs are kept for 8 years. Records are soft-deleted first and then permanently removed after a short grace period, subject to the practice's approved records policy.

Your rights

Patients can ask the GP practice about access to their information, correction of inaccurate records, restriction, objection, and complaints. Subject access requests should be made through the GP practice in the first instance.

Contact and queries

For privacy questions, subject access requests, or concerns about how information is handled, contact your GP practice directly. Practice staff should also refer to the local privacy notice, internal DPIA, Caldicott checklist, retention process, and export-control process once these have been approved for their pilot.